web: use certbot-auto

web/Dockerfile

@@ -1,12 +1,13 @@
 ARG JITSI_REPO=jitsi
 FROM ${JITSI_REPO}/base
 
+ADD https://dl.eff.org/certbot-auto /usr/local/bin/
+
 COPY rootfs/ /
 
 RUN \
 	apt-dpkg-wrap apt-get update && \
 	apt-dpkg-wrap apt-get install -y cron nginx-extras jitsi-meet-web && \
-	apt-dpkg-wrap apt-get install -y -t stretch-backports certbot && \
 	apt-dpkg-wrap apt-get -d install -y jitsi-meet-web-config && \
     dpkg -x /var/cache/apt/archives/jitsi-meet-web-config*.deb /tmp/pkg && \
     mv /tmp/pkg/usr/share/jitsi-meet-web-config/config.js /defaults && \
@@ -15,6 +16,10 @@ RUN \
 	rm -f /etc/nginx/conf.d/default.conf && \
 	rm -rf /tmp/pkg /var/cache/apt
 
+RUN \
+	chmod a+x /usr/local/bin/certbot-auto && \
+	certbot-auto --noninteractive --install-only
+
 EXPOSE 80 443
 
 VOLUME ["/config", "/etc/letsencrypt", "/usr/share/jitsi-meet/transcripts"]

web/rootfs/defaults/letsencrypt-renew

@@ -4,7 +4,7 @@
 s6-svc -d /var/run/s6/services/nginx
 
 # renew cert
-certbot -n renew >> /config/le-renew.log
+certbot-auto --no-self-upgrade -n renew >> /config/le-renew.log
 
 # start nginx
 s6-svc -u /var/run/s6/services/nginx

web/rootfs/etc/cont-init.d/10-config

@@ -11,7 +11,9 @@ mkdir -p \
 if [[ $DISABLE_HTTPS -ne 1 ]]; then
     if [[ $ENABLE_LETSENCRYPT -eq 1 ]]; then
         if [[ ! -f /etc/letsencrypt/live/$LETSENCRYPT_DOMAIN/fullchain.pem ]]; then
-            if ! certbot certonly \
+            if ! certbot-auto \
+                  certonly \
+                  --no-self-upgrade \
                   --noninteractive \
                   --standalone \
                   --preferred-challenges http \