docker-zulip

certbot support broken in ≥ 4.9-0

Open andersk opened this issue 2 years ago • 3 comments

Between 4.8-1 and 4.9-0, we backported zulip/zulip#20512 and started unconditionally installing certbot, resulting in /etc/letsencrypt existing in the base image, so this symlink never happens. This results in a broken symlink where the certificate should be.

root@70b1222620d1:/# namei /etc/ssl/certs/zulip.combined-chain.crt
f: /etc/ssl/certs/zulip.combined-chain.crt
 d /
 d etc
 d ssl
 d certs
 l zulip.combined-chain.crt -> /data/certs/zulip.combined-chain.crt
   d /
   d data
   d certs
     zulip.combined-chain.crt - No such file or directory

Discussion.

andersk, Dec 23 '22 19:12
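A startup check for the failure shown in the `namei` output above, as an added example that is not part of the original post or of docker-zulip: it follows the certificate symlink one hop at a time and reports the first target that does not exist. The function name `cert_link_status` and the temporary directory layout in `demo` are assumptions made for illustration.

```shell
#!/bin/sh
# Classify a certificate path: prints "ok", "missing", "notfile:<path>",
# "dangling:<first missing target>" or "loop:<path>".
cert_link_status() {
    path=$1
    hops=0
    # Resolve the chain manually so the report names the missing target.
    while [ -L "$path" ]; do
        hops=$((hops + 1))
        if [ "$hops" -gt 16 ]; then
            echo "loop:$path"
            return 0
        fi
        target=$(readlink "$path")
        case $target in
            /*) path=$target ;;                      # absolute target
            *)  path=$(dirname "$path")/$target ;;   # relative to the link
        esac
    done
    if [ -f "$path" ]; then
        echo "ok"
    elif [ -e "$path" ]; then
        echo "notfile:$path"
    elif [ "$hops" -gt 0 ]; then
        echo "dangling:$path"
    else
        echo "missing"
    fi
}

# Constructed layout mirroring the issue: the link in etc/ssl/certs points
# into data/certs, where no certificate was ever written.
demo() {
    root=$(mktemp -d)
    mkdir -p "$root/etc/ssl/certs" "$root/data/certs"
    ln -s "$root/data/certs/zulip.combined-chain.crt" \
          "$root/etc/ssl/certs/zulip.combined-chain.crt"
    status=$(cert_link_status "$root/etc/ssl/certs/zulip.combined-chain.crt")
    rm -rf "$root"
    echo "${status%%:*}"    # drop the temp path, keep the class
}

demo
```

Inside the container the same function can be pointed at `/etc/ssl/certs/zulip.combined-chain.crt` before the web server starts, so a dangling link stops startup with a clear message instead of surfacing later as a TLS error.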

Getting this on my self-hosted docker instance as well, even though I'm using an external certificate deployed by Nginx Proxy Manager to talk to the zulip container. I'm able to connect to the deployed URL, however zulip clients intermittently throw a self-signed certificate error.

thelazyoxymoron, Jan 12 '23 06:01

@thelazyoxymoron You’re seeing something unrelated that you’re going to have to debug on the Nginx Proxy Manager side. This issue is about the internal Certbot support inside docker-zulip.

andersk, Jan 12 '23 21:01

Was anyone able to fix this or work around this? I thought of using self-signed certs in the container and using certbot on the host itself. But I don't know if this works with passing through to the container. With one org this might work fine, but I want to host several orgs with different domains where the main org would be something like: zulip.example.com and the following ones org1.zulip.example.com ... Maybe even a wildcard cert on the host to address all domains. Has anyone tried this or experimented with this?

InfinityRed-Code, Jul 18 '23 09:07