From 4c37d1e5f96c6e9d6fdaae40dab3eb7adefd677b Mon Sep 17 00:00:00 2001
From: Andriy Utkin
Date: Tue, 19 Dec 2023 00:11:09 +0000
Subject: [PATCH] Use pip-installed certbot if available

See https://github.com/bluecherrydvr/bluecherry-apps/issues/635
Give pip-installed one a priority as it's more likely to be up to date, which is useful long-term as LetsEncrypt matters sometimes change on short notice.
---
 misc/cron/bluecherry-subdomain-cert-renewal | 2 +-
 misc/subdomain-cert-renewal | 13 +++++++++++++
 scripts/update_subdomain_certs.sh | 13 +++++++++----
 3 files changed, 23 insertions(+), 5 deletions(-)
 create mode 100755 misc/subdomain-cert-renewal

diff --git a/misc/cron/bluecherry-subdomain-cert-renewal b/misc/cron/bluecherry-subdomain-cert-renewal
index 2c166e4d..56fc2988 100644
--- a/misc/cron/bluecherry-subdomain-cert-renewal
+++ b/misc/cron/bluecherry-subdomain-cert-renewal
@@ -7,7 +7,7 @@
 # | | | | .---- day of week (0 - 6) (Sunday=0 or 7) OR sun,mon,tue,wed,thu,fri,sat
 # | | | | |
 # * * * * * user-name command to be executed
-* * */5 * * root certbot renew --config-dir=/usr/share/bluecherry/nginx-includes/letsencrypt/ >/dev/null 2>&1
+* * */5 * * root /usr/share/bluecherry/subdomain-cert-renewal &>/dev/null
 */5 * * * * root curl -k https://localhost:7001/subdomainprovidercron >/dev/null 2>&1
 
 # vim: syntax=crontab
diff --git a/misc/subdomain-cert-renewal b/misc/subdomain-cert-renewal
new file mode 100755
index 00000000..429c6279
--- /dev/null
+++ b/misc/subdomain-cert-renewal
@@ -0,0 +1,13 @@
+#!/bin/bash
+set -euo pipefail
+
+# Suppress the output of the rest of the script.
+# To debug, redirect to a real file.
+exec &> /dev/null
+
+CERTBOT=/root/.local/bin/certbot
+if ! [[ -x "$CERTBOT" ]]; then
+ CERTBOT=certbot
+fi
+
+"$CERTBOT" renew --config-dir=/usr/share/bluecherry/nginx-includes/letsencrypt/
diff --git a/scripts/update_subdomain_certs.sh b/scripts/update_subdomain_certs.sh
index cb4d7873..97c96aa7 100755
--- a/scripts/update_subdomain_certs.sh
+++ b/scripts/update_subdomain_certs.sh
@@ -51,11 +51,16 @@
 chmod 600 $credentials
 
 # Generate certificates
 echo "Generating certs..."
-certbot certonly --non-interactive --agree-tos --work-dir=/tmp --logs-dir=/tmp \
+CERTBOT=/root/.local/bin/certbot
+if ! [[ -x "$CERTBOT" ]]; then
+ CERTBOT=certbot
+fi
+
+"$CERTBOT" certonly --non-interactive --agree-tos --work-dir=/tmp --logs-dir=/tmp \
 --config-dir=/usr/share/bluecherry/nginx-includes/letsencrypt/ \
- --dns-subdomain-provider-credentials $credentials \
- -m $email --authenticator dns-subdomain-provider \
- -d $subdomain.bluecherry.app -v
+ --dns-subdomain-provider-credentials "$credentials" \
+ -m "$email" --authenticator dns-subdomain-provider \
+ -d "$subdomain".bluecherry.app -v
 
 rm $credentials
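Review bot: `&>/dev/null` on the new root entry is a bash-only redirection, and a system crontab runs its commands with /bin/sh unless a SHELL= line (not visible in this hunk) says otherwise; a POSIX sh such as dash parses `cmd &>/dev/null` as `cmd &` followed by an empty command with a redirection, so the job is put in the background and its output is not discarded by cron at all. The script itself redirects its output, so the practical effect is small, but the unchanged curl entry two lines below already shows the portable form used in this file; prefer `* * */5 * * root /usr/share/bluecherry/subdomain-cert-renewal >/dev/null 2>&1`. The diffstat adds the script as misc/subdomain-cert-renewal while the crontab invokes /usr/share/bluecherry/subdomain-cert-renewal, so the install step that places it there is presumably handled by packaging outside this patch.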
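Review bot: `exec &> /dev/null` discards stderr as well as stdout, so a failing `certbot renew` (which `set -e` turns into a silent non-zero exit) leaves no trace beyond certbot's own log directory, and a renewal that keeps failing is only noticed when the certificate expires. The crontab entry in this same commit already sends the job's output to /dev/null, so the redirection inside the script is redundant for cron and only makes a manual run uninformative; drop it, or keep stderr with `exec >/dev/null` so errors still reach cron mail or the operator. The fallback `CERTBOT=certbot` depends on cron's PATH; under cron that is usually a short fixed list, which is fine for a distro package but worth a comment. The preference itself is undocumented in the file; a header line such as `# Prefer the pip-installed certbot over the distro package (see issue 635); fall back to whatever is on PATH.` would keep the rationale with the code.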
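Review bot: The quoting is inconsistent within this hunk: `$credentials`, `$email` and `$subdomain` are now quoted on the certbot command, but the same block still has `chmod 600 $credentials` at its top and `rm $credentials` at its bottom unquoted; use `chmod 600 "$credentials"` and `rm -- "$credentials"`. The credentials file carries the DNS provider secret and is removed only after certbot returns, so if certbot fails and the script aborts (whether `set -e` is in effect is not visible here) the file is left on disk; a `trap 'rm -f -- "$credentials"' EXIT` set where the file is created, above this hunk, would cover both paths. The four-line CERTBOT resolution block is duplicated verbatim in misc/subdomain-cert-renewal in this same commit; if both scripts ship together, a shared helper or at least a comment pointing at the other copy would keep them from drifting. The enclosing script continues on both sides of the hunk.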