Add LE TLS cert workaround (SNI vulnerability)

* TLS SNI has been disabled at Lets Encrypt TLS certificate issuing servers. This is what broke the LE TLS cert feature. Workaround now we use `standalone` mode which has the side effect of turning off `nginx` web server for about 10 seconds while the remote Lets Encrypt issuing servers create the TLS cert. certbot/certbot#5405
chris001 · Feb 1, 2018 · 49724b0 · 49724b0
1 parent 779dd91
commit 49724b0
Showing 1 changed file with 6 additions and 2 deletions.
diff --git a/odoo_install.sh b/odoo_install.sh
@@ -13,7 +13,7 @@
 # Execute the script to install Odoo:
 # ./odoo-install
 ################################################################################
-versiondate="2018-02-01a"
+versiondate="2018-02-01b"
 
 ##fixed parameters
 OE_USER="odoo"
@@ -413,7 +413,11 @@ function install_nginx_with_LE_https_cert {
 	#Certbot has an Nginx plugin, which is supported on many platforms, and automates both obtaining and installing certs.
 	#Running this command will get a certificate for you and have Certbot edit your Nginx configuration automatically to serve it. 
 	#Please specify --domains, or --installer that will help in domain names autodiscovery.
-	sudo certbot run -n --nginx --agree-tos --no-eff-email -m $email -d $domain
+	## Original method deprecated Jan 2018 because TLS SNI vulnerability requires SNI verification turned off.
+	## sudo certbot run -n --nginx --agree-tos --no-eff-email -m $email -d $domain
+	## Temporary workaround method January 2018 until ppa maintainers add certbot 0.21 to ppa:certbot/certbot.
+	## https://github.com/certbot/certbot/issues/5405#issuecomment-356498627
+	sudo certbot -n --authenticator standalone --installer nginx --agree-tos --no-eff-email -m $email -d $domain --pre-hook "systemctl stop nginx" --post-hook "systemctl start nginx"
 
 	#Automating renewal
 	#The Certbot packages on your system come with a cron job that will renew your certificates automatically before they expire.