How to install SSL certificate in Odoo 11

By default, Odoo transmits all information unencrypted, including authentication data.

For this reason, we consider that a secure Odoo deployment must use HTTPS, which requires an SSL certificate. The steps below explain how to install and configure it.

To carry out this procedure, you need:

  • SSL certificates (.pem and .key files) corresponding to the same domain through which your Odoo will be accessed.

  • SSH credentials of the "root" user for your Cloud Odoo, which you received by email when you contracted the service.

If you don't have an SSL certificate yet, you can create one now at:

SW Panel > Domains and SSL (left menu) > SSL Certificate Portfolio > Create SSL

For more information, see the following manual

SSL certificate installation in Odoo 11

  1. Connect to your Cloud Odoo via SSH as "root" user.
  2. Copy the .pem file of your SSL certificate in the directory:

/etc/ssl/

  3. Copy the .key file of your SSL certificate in the directory:

/etc/ssl/private/

  • In this example, we have the following:

/etc/ssl/swhosting.com.pem

/etc/ssl/private/swhosting.com.key

  4. Run these commands to make a backup copy of the configuration files that we are going to modify:

cp -p /etc/odoo/odoo.conf /etc/odoo/odoo.conf.backup

cp -p /etc/nginx/sites-enabled/odoo.conf /etc/nginx/sites-available/odoo.conf.backup

  5. Edit the following file:

/etc/odoo11.conf

  • Add the following line:

proxy_mode = True

  • Result:

[options]
; This is the password that allows database operations:
; admin_passwd = admin
db_host = False
db_port = False
db_user = odoo
db_password = False
;addons_path = /usr/lib/python3/dist-packages/odoo/addons
proxy_mode = True

  6. Edit the following file:

/etc/nginx/sites-enabled/odoo.domainname.com.conf

  • Replace all its content with the following:
#odoo server
upstream odoo {
 server 127.0.0.1:8069;
}
upstream odoochat {
 server 127.0.0.1:8072;
}

# http -> https
server {
   listen 80;
   server_name odoo.domainname.com;
   rewrite ^(.*) https://$host$1 permanent;
}

server {
 listen 443;
 server_name odoo.domainname.com;
 proxy_read_timeout 720s;
 proxy_connect_timeout 720s;
 proxy_send_timeout 720s;

 # Add Headers for odoo proxy mode
 proxy_set_header X-Forwarded-Host $host;
 proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
 proxy_set_header X-Forwarded-Proto $scheme;
 proxy_set_header X-Real-IP $remote_addr;

 # SSL parameters
 ssl on;
 ssl_certificate /etc/ssl/odoo.domainname.com.pem;
 ssl_certificate_key /etc/ssl/private/odoo.domainname.com.key;
 ssl_session_timeout 30m;
 ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
 ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
 ssl_prefer_server_ciphers on;

 # log
 access_log /var/log/nginx/odoo.access.log;
 error_log /var/log/nginx/odoo.error.log;

 # Redirect longpoll requests to odoo longpolling port
 location /longpolling {
   proxy_pass http://odoochat;
 }

 # Redirect requests to odoo backend server
 location / {
   proxy_redirect off;
   proxy_pass http://odoo;
 }

 # common gzip
 gzip_types text/css text/less text/plain text/xml application/xml application/json application/javascript;
 gzip on;
}

  7. Modify the following parameters of the previous file:

server_name odoo.domainname.com;

  • It appears twice. In both places, replace "odoo.domainname.com" with your domain. Example: "swhosting.com".

ssl_certificate /etc/ssl/odoo.domainname.com.pem;

  • Replace the path with the one corresponding to the .pem file of your SSL certificate.

ssl_certificate_key /etc/ssl/private/odoo.domainname.com.key;

  • Replace the path with the one corresponding to the .key file of your SSL certificate.

  • As an example, the resulting configuration would be the following:

#odoo server
upstream odoo {
 server 127.0.0.1:8069;
}
upstream odoochat {
 server 127.0.0.1:8072;
}

# http -> https
server {
   listen 80;
   server_name swhosting.com;
   rewrite ^(.*) https://$host$1 permanent;
}

server {
 listen 443;
 server_name swhosting.com;
 proxy_read_timeout 720s;
 proxy_connect_timeout 720s;
 proxy_send_timeout 720s;

 # Add Headers for odoo proxy mode
 proxy_set_header X-Forwarded-Host $host;
 proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
 proxy_set_header X-Forwarded-Proto $scheme;
 proxy_set_header X-Real-IP $remote_addr;

 # SSL parameters
 ssl on;
 ssl_certificate /etc/ssl/swhosting.com.pem;
 ssl_certificate_key /etc/ssl/private/swhosting.com.key;
 ssl_session_timeout 30m;
 ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
 ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
 ssl_prefer_server_ciphers on;

 # log
 access_log /var/log/nginx/odoo.access.log;
 error_log /var/log/nginx/odoo.error.log;

 # Redirect longpoll requests to odoo longpolling port
 location /longpolling {
 proxy_pass http://odoochat;
 }

 # Redirect requests to odoo backend server
 location / {
   proxy_redirect off;
   proxy_pass http://odoo;
 }

 # common gzip
 gzip_types text/css text/less text/plain text/xml application/xml application/json application/javascript;
 gzip on;
}

  8. For the changes to take effect, restart the services involved:

systemctl restart nginx.service

systemctl restart odoo.service

  9. Verify that you can access via HTTPS:

https://odoo.domainname.com

💡 Remember that the DNS zone of your domain must point to your Cloud Odoo. If you have not done it already, you must configure the same IP as your Cloud Odoo in the Registry.

If something went wrong, you need to restore the backup copies of the configuration files:

cp -p /etc/odoo/odoo.conf.backup /etc/odoo/odoo.conf

cp -p /etc/nginx/sites-available/odoo.conf.backup /etc/nginx/sites-available/odoo.conf

If everything went well, you can optionally delete the backup copies of the configuration files:

rm /etc/odoo/odoo.conf.backup

rm /etc/nginx/sites-available/odoo.conf.backup
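
The nginx configuration in this guide enables TLSv1 and TLSv1.1, includes the 3DES suite DES-CBC3-SHA and uses the "ssl on;" directive. The shell function below is an added example, not part of the original guide, that audits a site file for those settings and for a private key readable by group or other. The function names and finding labels are made up for this example, and it assumes one directive per line.

```shell
#!/bin/sh
# Added example (not part of the original guide): audit an nginx site file.
# Assumes one directive per line, as in the formatted configuration above.

# Print the value(s) of directive $1 found in $body (comments already removed).
directive() {
    printf '%s\n' "$body" |
        sed -n "s/^[[:space:]]*${1}[[:space:]][[:space:]]*\([^;]*\);.*/\1/p"
}

# Print one finding per line; return 0 if clean, 1 if anything was flagged.
audit_nginx_tls() {
    body=$(sed 's/#.*//' "$1")
    findings=0

    # TLS 1.0/1.1 (and SSLv2/3) are deprecated; see RFC 8996.
    for p in $(directive ssl_protocols); do
        case $p in
            SSLv2|SSLv3|TLSv1|TLSv1.1) echo "WEAK_PROTOCOL $p"; findings=1 ;;
        esac
    done

    # Flag 3DES/RC4 suites that are enabled; "!" entries are exclusions.
    for c in $(directive ssl_ciphers | tr -d "'\"" | tr ':' ' '); do
        case $c in
            '!'*) ;;
            *DES-CBC3*|*3DES*|*RC4*) echo "WEAK_CIPHER $c"; findings=1 ;;
        esac
    done

    # "ssl on;" is obsolete since nginx 1.15.0; use "listen 443 ssl;".
    if [ "$(directive ssl)" = "on" ]; then
        echo "DEPRECATED_DIRECTIVE ssl on"; findings=1
    fi

    # The private key must not be readable by group or other.
    for key in $(directive ssl_certificate_key); do
        if [ -e "$key" ] && [ "$(ls -ld "$key" | cut -c5-10)" != "------" ]; then
            echo "KEY_PERMS $key"; findings=1
        fi
    done
    return $findings
}

# Usage: audit_nginx_tls /etc/nginx/sites-enabled/odoo.domainname.com.conf
```

For the guide's configuration the findings are WEAK_PROTOCOL for TLSv1 and TLSv1.1, WEAK_CIPHER for DES-CBC3-SHA and DEPRECATED_DIRECTIVE for "ssl on". Restricting ssl_protocols to TLSv1.2 (plus TLSv1.3 where the nginx and OpenSSL builds support it), dropping DES-CBC3-SHA and using "listen 443 ssl;" clears them; running "nginx -t" before the restart catches syntax errors.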
