Use pip-installed certbot if available

See #635

Give pip-installed one a priority as it's more likely to be up to date,
which is useful long-term as LetsEncrypt matters sometimes change on
short notice.

Author: andrey-utkin

misc/cron/bluecherry-subdomain-cert-renewal

@@ -7,7 +7,7 @@
 # |  |  |  |  .---- day of week (0 - 6) (Sunday=0 or 7) OR sun,mon,tue,wed,thu,fri,sat
 # |  |  |  |  |
 # *  *  *  *  * user-name command to be executed
-*    * */5 *  *   root    certbot renew --config-dir=/usr/share/bluecherry/nginx-includes/letsencrypt/ >/dev/null 2>&1
+*    * */5 *  *   root    /usr/share/bluecherry/subdomain-cert-renewal &>/dev/null
 */5  *  *  *  *   root    curl -k https://localhost:7001/subdomainprovidercron >/dev/null 2>&1
 
 # vim: syntax=crontab

misc/subdomain-cert-renewal

@@ -0,0 +1,13 @@
+#!/bin/bash
+set -euo pipefail
+
+# Suppress the output of the rest of the script.
+# To debug, redirect to a real file.
+exec &> /dev/null
+
+CERTBOT=/root/.local/bin/certbot
+if ! [[ -x "$CERTBOT" ]]; then
+    CERTBOT=certbot
+fi
+
+"$CERTBOT" renew --config-dir=/usr/share/bluecherry/nginx-includes/letsencrypt/

scripts/update_subdomain_certs.sh

@@ -51,11 +51,16 @@ chmod 600 $credentials
 # Generate certificates
 echo "Generating certs..."
 
-certbot certonly --non-interactive --agree-tos --work-dir=/tmp --logs-dir=/tmp \
+CERTBOT=/root/.local/bin/certbot
+if ! [[ -x "$CERTBOT" ]]; then
+    CERTBOT=certbot
+fi
+
+"$CERTBOT" certonly --non-interactive --agree-tos --work-dir=/tmp --logs-dir=/tmp \
     --config-dir=/usr/share/bluecherry/nginx-includes/letsencrypt/ \
-    --dns-subdomain-provider-credentials $credentials \
-    -m $email --authenticator dns-subdomain-provider \
-    -d $subdomain.bluecherry.app -v
+    --dns-subdomain-provider-credentials "$credentials" \
+    -m "$email" --authenticator dns-subdomain-provider \
+    -d "$subdomain".bluecherry.app -v
 
 rm $credentials