From 49724b0007b34c5b0a76e6a4369a1a01f5a869fd Mon Sep 17 00:00:00 2001
From: Chris Coleman
Date: Thu, 1 Feb 2018 14:22:35 -0500
Subject: [PATCH] Add LE TLS cert workaround (SNI vulnerability)
* TLS SNI has been disabled at Lets Encrypt TLS certificate issuing servers. This is what broke the LE TLS cert feature. Workaround now we use `standalone` mode which has the side effect of turning off `nginx` web server for about 10 seconds while the remote Lets Encrypt issuing servers create the TLS cert. https://github.com/certbot/certbot/issues/5405
---
 odoo_install.sh | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/odoo_install.sh b/odoo_install.sh
index 67146b84..ceebf0ec 100644
--- a/odoo_install.sh
+++ b/odoo_install.sh
@@ -13,7 +13,7 @@
 # Execute the script to install Odoo:
 # ./odoo-install
 ################################################################################
-versiondate="2018-02-01a"
+versiondate="2018-02-01b"
 ##fixed parameters
 OE_USER="odoo"
@@ -413,7 +413,11 @@ function install_nginx_with_LE_https_cert {
 #Certbot has an Nginx plugin, which is supported on many platforms, and automates both obtaining and installing certs.
 #Running this command will get a certificate for you and have Certbot edit your Nginx configuration automatically to serve it.
 #Please specify --domains, or --installer that will help in domain names autodiscovery.
-    sudo certbot run -n --nginx --agree-tos --no-eff-email -m $email -d $domain
+    ## Original method deprecated Jan 2018 because TLS SNI vulnerability requires SNI verification turned off.
+    ## sudo certbot run -n --nginx --agree-tos --no-eff-email -m $email -d $domain
+    ## Temporary workaround method January 2018 until ppa maintainers add certbot 0.21 to ppa:certbot/certbot.
+    ## https://github.com/certbot/certbot/issues/5405#issuecomment-356498627
+    sudo certbot -n --authenticator standalone --installer nginx --agree-tos --no-eff-email -m $email -d $domain --pre-hook "systemctl stop nginx" --post-hook "systemctl start nginx"
 #Automating renewal
 #The Certbot packages on your system come with a cron job that will renew your certificates automatically before they expire.
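Review bot: The new certbot invocation on the last added line is not checked for failure and passes `$email`/`$domain` unquoted, so if standalone issuance fails (for example port 80 still bound, or an empty/space-containing variable) the function falls through to the renewal section with no certificate installed; quote the variables and stop on error: `sudo certbot -n --authenticator standalone --installer nginx --agree-tos --no-eff-email -m "$email" -d "$domain" --pre-hook "systemctl stop nginx" --post-hook "systemctl start nginx" || return 1`. Certbot also records pre/post hooks in the domain's renewal configuration, so the nginx stop/start will presumably recur at every automatic renewal run by the cron job mentioned in the trailing context lines, not only during the one-time issuance the description talks about; that is worth stating in the added comment, e.g. `## NOTE: the hooks are saved in the renewal config, so nginx is briefly stopped on every renewal as well.` The comment block should also say what to revert to once certbot 0.21+ is available, since the workaround is described as temporary. The enclosing function install_nginx_with_LE_https_cert starts and ends outside the hunk.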