From 842fbb3d72c6360fc10de07ab66b2351855bdc47 Mon Sep 17 00:00:00 2001 From: Joshua Tauberer Date: Mon, 3 Sep 2018 12:52:03 -0400 Subject: [PATCH] auto-agree to Let's Encrypt's terms of service during setup fixes #1409 This reverts commit 82844ca651fa31755878490eabca0d80e83f8bda ("make certbot auto-agree to TOS if NONINTERACTIVE=1 env var is set (#1399)") and instead *always* auto-agree. If we don't auto-agree, certbot asks the user interactively, but our "curl | bash" setup line does not permit interactive prompts, so certbot failed to register and all certificate things were broken until the command was re-run interactively. --- CHANGELOG.md | 1 + Vagrantfile | 9 +++------ setup/start.sh | 15 ++++++++------- 3 files changed, 12 insertions(+), 13 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 4a509a53..befea2a7 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -4,6 +4,7 @@ CHANGELOG In Development -------------- +* Starting with v0.28, TLS certificate provisioning wouldn't work on new boxes until the mailinabox setup command was run a second time because of a problem with the non-interactive setup. * Update to Nextcloud 13.0.5. * Update to Roundcube 1.3.7. * Update to Z-Push 2.4.4. diff --git a/Vagrantfile b/Vagrantfile index 0161ae0d..770f66d2 100644 --- a/Vagrantfile +++ b/Vagrantfile 
@@ -19,12 +19,9 @@ Vagrant.configure("2") do |config| config.vm.network "private_network", ip: "192.168.50.4" config.vm.provision :shell, :inline => <<-SH - # Set environment variables so that the setup script does - # not ask any questions during provisioning. We'll let the - # machine figure out its own public IP. - # - # Please note: NONINTERACTIVE=1 mode means that you'll automatically agree - # to Let's Encrypt's ACME Subscriber Agreement. + # Set environment variables so that the setup script does + # not ask any questions during provisioning. We'll let the + # machine figure out its own public IP. export NONINTERACTIVE=1 export PUBLIC_IP=auto export PUBLIC_IPV6=auto diff --git a/setup/start.sh b/setup/start.sh index 02e77d96..54dc20da 100755 --- a/setup/start.sh +++ b/setup/start.sh 
@@ -130,17 +130,18 @@ restart_service fail2ban # If there aren't any mail users yet, create one. source setup/firstuser.sh -# Register with Let's Encrypt, including agreeing to the Terms of Service. This -# is an interactive command. +# Register with Let's Encrypt, including agreeing to the Terms of Service. +# We'd let certbot ask the user interactively, but when this script is +# run in the recommended curl-pipe-to-bash method there is no TTY and +# certbot will fail if it tries to ask. if [ ! -d $STORAGE_ROOT/ssl/lets_encrypt/accounts/acme-v01.api.letsencrypt.org/ ]; then echo echo "-----------------------------------------------" -echo "Mail-in-a-Box uses Let's Encrypt to provision free certificates" -echo "to enable HTTPS connections to your box. You'll now be asked to agree" -echo "to Let's Encrypt's terms of service." +echo "Mail-in-a-Box uses Let's Encrypt to provision free SSL/TLS certificates" +echo "to enable HTTPS connections to your box. We're automatically" +echo "agreeing you to their subscriber agreement. See https://letsencrypt.org." echo -certbot register $([ "$NONINTERACTIVE" == 1 ] && echo "--agree-tos") \ - --register-unsafely-without-email --config-dir $STORAGE_ROOT/ssl/lets_encrypt +certbot register --register-unsafely-without-email --agree-tos --config-dir $STORAGE_ROOT/ssl/lets_encrypt fi # Done.
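Review bot: the CHANGELOG entry in the first hunk describes only the symptom ("TLS certificate provisioning wouldn't work on new boxes until the mailinabox setup command was run a second time") and not the user-visible behaviour change this commit introduces, namely that setup now agrees to Let's Encrypt's subscriber agreement on the user's behalf unconditionally, not just when NONINTERACTIVE=1 is set. Since that is a consent change rather than an internal fix, the entry should say so, e.g. by appending "Setup now automatically agrees to Let's Encrypt's subscriber agreement; see https://letsencrypt.org." so that people reading release notes are not surprised by the new message in setup/start.sh.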
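Review bot: in the Vagrantfile hunk, dropping the "Please note: NONINTERACTIVE=1 mode means that you'll automatically agree to Let's Encrypt's ACME Subscriber Agreement" paragraph leaves the retained comment saying only that the script "does not ask any questions during provisioning", with the remaining three lines changed only in indentation. That is consistent with the new code (agreement no longer depends on NONINTERACTIVE), but a Vagrant user now has no hint in this file that provisioning commits them to the subscriber agreement; a one-line pointer such as "# Note: setup/start.sh agrees to Let's Encrypt's subscriber agreement automatically." would keep that visible without reintroducing the stale NONINTERACTIVE wording.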
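Review bot: the new `certbot register --register-unsafely-without-email --agree-tos --config-dir $STORAGE_ROOT/ssl/lets_encrypt` line in the setup/start.sh hunk has no exit-status check, so if registration fails for a reason other than the removed interactive prompt (no network, ACME outage) the script prints the "We're automatically agreeing you" banner and then continues, leaving the box in exactly the broken state the commit message describes, only silently; unless this script already runs under `set -e`, append `|| { echo "Let's Encrypt registration failed"; exit 1; }` or at least check `$?` before moving on. Two smaller points on the same lines: `$STORAGE_ROOT` is unquoted both in the `[ ! -d ... ]` guard and in `--config-dir`, so a path containing whitespace breaks word splitting (`"$STORAGE_ROOT/ssl/lets_encrypt"`), and the guard keys off the hard-coded `acme-v01.api.letsencrypt.org/` account directory, so the registration block will be re-run every time once certbot moves accounts to a newer ACME endpoint directory. The rewritten comment block ("there is no TTY and certbot will fail if it tries to ask") explains the motivation well and should stay.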