bluecherrydvr / bluecherry-apps

Bluecherry surveillance system (server application)
http://www.bluecherrydvr.com
GNU General Public License v2.0

Registering letsencrypt certificates via the web interface does not work on clean installs #635

Open curtishall opened 7 months ago

curtishall commented 7 months ago

certbot is installed in /root/.local/bin/certbot but the scripts are calling 'certbot'.

Command line of how I resolved this:

```
root@v3demo:~/.local/bin# ./certbot certonly --non-interactive --agree-tos --work-dir=/tmp --logs-dir=/tmp --config-dir=/usr/share/bluecherry/nginx-includes/letsencrypt/ --dns-subdomain-provider-credentials /tmp/dns-subdomain-credentials.ini -m chall@corp.bluecherry.app --authenticator dns-subdomain-provider -d demo.bluecherry.app
Saving debug log to /tmp/letsencrypt.log
Requesting a certificate for demo.bluecherry.app
Unsafe permissions on credentials configuration file: /tmp/dns-subdomain-credentials.ini
Waiting 10 seconds for DNS changes to propagate

Successfully received certificate.
Certificate is saved at: /usr/share/bluecherry/nginx-includes/letsencrypt/live/demo.bluecherry.app/fullchain.pem
Key is saved at: /usr/share/bluecherry/nginx-includes/letsencrypt/live/demo.bluecherry.app/privkey.pem
This certificate expires on 2024-03-07.
These files will be updated when the certificate renews.

NEXT STEPS:
```

andrey-utkin commented 7 months ago

I haven't reproduced the issue yet, but speculatively, it might be because we don't seem to enforce the presence of admin's email. We could add such a check, or at least do some shell quoting to avoid messing up the arguments order:

--- a/scripts/update_subdomain_certs.sh
+++ b/scripts/update_subdomain_certs.sh
@@ -54,7 +54,7 @@ echo "Generating certs..."
 certbot certonly --non-interactive --agree-tos --work-dir=/tmp --logs-dir=/tmp \
     --config-dir=/usr/share/bluecherry/nginx-includes/letsencrypt/ \
     --dns-subdomain-provider-credentials $credentials \
-    -m $email --authenticator dns-subdomain-provider \
+    -m "$email" --authenticator dns-subdomain-provider \
     -d $subdomain.bluecherry.app -v

 rm $credentials
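Review bot: quoting `$email` does not address the reported root cause: the hunk still invokes a bare `certbot`, while the report says the binary lives in `/root/.local/bin/certbot` and is not found as `certbot` on a clean install, so the command fails before argument order matters; resolve the binary first (`command -v certbot` with a fallback to `/root/.local/bin/certbot`, or fail with an explicit message). The same unquoted expansions remain on the adjacent lines, `--dns-subdomain-provider-credentials $credentials`, `-d $subdomain.bluecherry.app` and `rm $credentials`; quote all of them rather than only `$email`. Quoting also does not enforce that `$email` is set: with an empty value `-m ""` is passed and certbot still receives a bad argument, so an explicit `[ -n "$email" ]` check (or `set -u`) before the call is needed. Separately, the reporter's output shows certbot warning about unsafe permissions on `/tmp/dns-subdomain-credentials.ini`; whatever writes `$credentials` should create it with mode 0600 (for example `umask 077` before writing), since the file carries the DNS provider secret.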
andrey-utkin commented 6 months ago

Draft fix is in https://github.com/bluecherrydvr/bluecherry-apps/pull/638
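As an added example, not code from bluecherry-apps or from either commenter, the POSIX sh wrapper below shows the three points raised in this thread in one place: locating certbot when it is only installed under `/root/.local/bin`, refusing to run without an admin e-mail, creating the credentials file with mode 0600 so certbot does not warn about unsafe permissions, and quoting every expansion. The plugin name and flags are the ones shown above; the function names (`find_certbot`, `validate_email`, `write_credentials`, `request_cert`) and the fallback search list are assumptions, and `request_cert` only does something useful on a host where the certbot plugin is actually installed.

```shell
#!/bin/sh
# Added example (not bluecherry-apps code): hardened wrapper around the
# certbot invocation discussed in the issue. Function names are hypothetical.

# Locate certbot: honour $PATH first, then fall back to the locations a
# pip --user install (as in the report) or a distro package would use.
find_certbot() {
    if command -v certbot >/dev/null 2>&1; then
        command -v certbot
        return 0
    fi
    if [ "$#" -eq 0 ]; then
        set -- /root/.local/bin/certbot /usr/local/bin/certbot /usr/bin/certbot
    fi
    for candidate in "$@"; do
        if [ -x "$candidate" ]; then
            printf '%s\n' "$candidate"
            return 0
        fi
    done
    return 1
}

# Reject an empty or malformed admin e-mail before it reaches argv, so
# "-m" can never be followed by nothing or by a stray token.
validate_email() {
    case "$1" in
        '') return 1 ;;
        *' '*) return 1 ;;
        *[!A-Za-z0-9._%+@-]*) return 1 ;;
        *@*.*) return 0 ;;
        *) return 1 ;;
    esac
}

# Write the DNS provider secret to a file that only its owner can read,
# which is what certbot's "Unsafe permissions" warning asks for.
write_credentials() {
    dest=$1
    content=$2
    old_umask=$(umask)
    umask 077
    printf '%s\n' "$content" > "$dest"
    umask "$old_umask"
    chmod 600 "$dest"   # also fixes up a pre-existing, wider file
}

# Request the certificate with every expansion quoted; removes the
# credentials file whether or not certbot succeeded.
request_cert() {
    email=$1
    subdomain=$2
    credentials=$3
    if ! validate_email "$email"; then
        echo "admin e-mail is missing or invalid; aborting" >&2
        return 2
    fi
    certbot_bin=$(find_certbot) || {
        echo "certbot not found on PATH or in fallback locations" >&2
        return 3
    }
    "$certbot_bin" certonly --non-interactive --agree-tos --work-dir=/tmp --logs-dir=/tmp \
        --config-dir=/usr/share/bluecherry/nginx-includes/letsencrypt/ \
        --dns-subdomain-provider-credentials "$credentials" \
        -m "$email" --authenticator dns-subdomain-provider \
        -d "$subdomain.bluecherry.app" -v
    status=$?
    rm -f "$credentials"
    return "$status"
}

# Usage (the caller supplies the secret; values here are placeholders):
#   write_credentials /tmp/dns-subdomain-credentials.ini "token = <PLACEHOLDER>"
#   request_cert "admin@example.com" "demo" /tmp/dns-subdomain-credentials.ini
```

`find_certbot` prints the resolved path so the caller can log which binary ran, and `write_credentials` switches `umask` rather than relying on a later `chmod` alone, so there is no window in which the secret exists world-readable.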