snap: workaround for snapctl crash in plugin hook (#8955)

* snap: workaround for snapctl crash in plugin hook

* test functionality, not existence

certbot/CHANGELOG.md

@@ -40,6 +40,8 @@ Certbot adheres to [Semantic Versioning](https://semver.org/).
 
 * The Apache authenticator no longer crashes with "Unable to insert label"
   when encountering a completely empty vhost. This issue affected Certbot 1.17.0.
+* Users of the Certbot snap on Debian 9 (Stretch) should no longer encounter an
+  "access denied" error when installing DNS plugins.
 
 More details about these changes can be found on our GitHub repo.
 

snap/hooks/prepare-plug-plugin

@@ -1,8 +1,21 @@
 #!/bin/sh -e
 
-if [ "$(snapctl get trust-plugin-with-root)" = "ok" ]; then
+# Workaround for a very old snapctl binary on the host connecting to the wrong socket and crashing.
+# Prefer an up-to-date snapctl from the core or snapd snaps, if they exist. We ask users to install
+# the core snap in the Certbot installation instructions.
+# See https://github.com/certbot/certbot/issues/8922, https://bugs.launchpad.net/snapd/+bug/1933392
+SNAPCTL_CORE="/snap/core/current/usr/bin/snapctl"
+SNAPCTL_SNAPD="/snap/snapd/current/usr/bin/snapctl"
+SNAPCTL="snapctl"
+if $SNAPCTL_CORE get x 2>/dev/null; then
+    SNAPCTL=$SNAPCTL_CORE
+elif $SNAPCTL_SNAPD get x 2>/dev/null; then
+    SNAPCTL=$SNAPCTL_SNAPD
+fi
+
+if [ "$($SNAPCTL get trust-plugin-with-root)" = "ok" ]; then
     # allow the connection, but reset config to allow for other slots to go through this auth flow
-    snapctl unset trust-plugin-with-root
+    $SNAPCTL unset trust-plugin-with-root
     exit 0
 else
     echo "Only connect this interface if you trust the plugin author to have root on the system."