How to install SSL certificate in Odoo 11
By default, Odoo transmits information unencrypted, including authentication data.
For that reason, we consider that a secure Odoo deployment must use HTTPS, which requires an SSL certificate. This guide explains how to install and configure it.
To carry out this procedure, you need the following:
- The SSL certificate files (.pem and .key) corresponding to the same domain through which your Odoo will be accessed.
- The SSH credentials of the "root" user of your Odoo Cloud, which you received by email when you contracted the service.
If you do not have an SSL certificate yet, you can create one now in:
SW Panel > Domains and SSL (left menu) > SSL Certificate Portfolio > Create SSL.
For more information, please refer to the following manual.
Installing SSL certificate in Odoo 11
- Connect to your Odoo Cloud via SSH as the "root" user.
- Copy the .pem file of your SSL certificate to the directory:
    /etc/ssl/
- Copy the .key file of your SSL certificate to the directory:
    /etc/ssl/private/
- In this example, we have the following:
    /etc/ssl/swhosting.com.pem
    /etc/ssl/private/swhosting.com.key
- Run these commands to make a backup copy of the configuration files to be modified:
    cp -p /etc/odoo/odoo.conf /etc/odoo/odoo.conf.backup
    cp -p /etc/nginx/sites-enabled/odoo.conf /etc/nginx/sites-available/odoo.conf.backup
- Edit the following file:
    /etc/odoo/odoo.conf
  and add this line to the [options] section:
    proxy_mode = True
  The file should then look similar to this:
    [options]
    ; This is the password that allows database operations:
    ; admin_passwd = admin
    db_host = False
    db_port = False
    db_user = odoo
    db_password = False
    ;addons_path = /usr/lib/python3/dist-packages/odoo/addons
    proxy_mode = True
- Edit the following file:
    /etc/nginx/sites-enabled/odoo.conf
- Replace its entire contents with the following:
    #odoo server
    upstream odoo {
        server 127.0.0.1:8069;
    }
    upstream odoochat {
        server 127.0.0.1:8072;
    }
    # http -> https
    server {
        listen 80;
        server_name odoo.mycompany.com;
        rewrite ^(.*) https://$host$1 permanent;
    }
    server {
        # "ssl" on the listen directive replaces the deprecated "ssl on;" directive
        listen 443 ssl;
        server_name odoo.mycompany.com;
        proxy_read_timeout 720s;
        proxy_connect_timeout 720s;
        proxy_send_timeout 720s;
        # Add Headers for odoo proxy mode
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Real-IP $remote_addr;
        # SSL parameters
        ssl_certificate /etc/ssl/certificado.pem;
        ssl_certificate_key /etc/ssl/private/certificado.key;
        ssl_session_timeout 30m;
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
        ssl_prefer_server_ciphers on;
        # log
        access_log /var/log/nginx/odoo.access.log;
        error_log /var/log/nginx/odoo.error.log;
        # Redirect longpoll requests to odoo longpolling port
        location /longpolling {
            proxy_pass http://odoochat;
        }
        # Redirect requests to odoo backend server
        location / {
            proxy_redirect off;
            proxy_pass http://odoo;
        }
        # common gzip
        gzip_types text/css text/less text/plain text/xml application/xml application/json application/javascript;
        gzip on;
    }
- Modify the following parameters of the previous file:
    server_name odoo.mycompany.com;
  It appears twice. In both places, replace "odoo.mycompany.com" with your domain. Example: "swhosting.com".
    ssl_certificate /etc/ssl/certificado.pem;
  Replace the path with the one corresponding to the .pem file of your SSL certificate.
    ssl_certificate_key /etc/ssl/private/certificado.key;
  Replace the path with the one corresponding to the .key file of your SSL certificate.
- As an example, the resulting configuration would be as follows:
    #odoo server
    upstream odoo {
        server 127.0.0.1:8069;
    }
    upstream odoochat {
        server 127.0.0.1:8072;
    }
    # http -> https
    server {
        listen 80;
        server_name swhosting.com;
        rewrite ^(.*) https://$host$1 permanent;
    }
    server {
        # "ssl" on the listen directive replaces the deprecated "ssl on;" directive
        listen 443 ssl;
        server_name swhosting.com;
        proxy_read_timeout 720s;
        proxy_connect_timeout 720s;
        proxy_send_timeout 720s;
        # Add Headers for odoo proxy mode
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Real-IP $remote_addr;
        # SSL parameters
        ssl_certificate /etc/ssl/swhosting.com.pem;
        ssl_certificate_key /etc/ssl/private/swhosting.com.key;
        ssl_session_timeout 30m;
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
        ssl_prefer_server_ciphers on;
        # log
        access_log /var/log/nginx/odoo.access.log;
        error_log /var/log/nginx/odoo.error.log;
        # Redirect longpoll requests to odoo longpolling port
        location /longpolling {
            proxy_pass http://odoochat;
        }
        # Redirect requests to odoo backend server
        location / {
            proxy_redirect off;
            proxy_pass http://odoo;
        }
        # common gzip
        gzip_types text/css text/less text/plain text/xml application/xml application/json application/javascript;
        gzip on;
    }
- For the changes to take effect, restart the services involved:
    systemctl restart nginx.service
    systemctl restart odoo.service
- Verify that you can access Odoo via HTTPS:
    https://www.DominioOdoo.es
💡 Remember that the DNS zone of your domain must point to your Odoo Cloud.
If you have not already done so, you will need to configure the A record with the same IP as your Odoo Cloud.
If something went wrong, restore the backups of the configuration files:
    cp -p /etc/odoo/odoo.conf.backup /etc/odoo/odoo.conf
    cp -p /etc/nginx/sites-available/odoo.conf.backup /etc/nginx/sites-available/odoo.conf
If everything went well, you can optionally delete the backups of the configuration files:
    rm /etc/odoo/odoo.conf.backup
    rm /etc/nginx/sites-available/odoo.conf.backup
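
The following pre-flight check, run after editing the files and before the restart step above, is an added example and not part of the original guide. It confirms that the .pem and .key files belong together, that the key is not readable by other users, and lists legacy TLS settings such as the TLSv1 and TLSv1.1 entries and the DES-CBC3-SHA cipher enabled in the nginx configuration above. The function names are hypothetical.

```shell
#!/bin/sh
# Added example (not part of the original guide): checks to run before the
# restart step. Function names are hypothetical; paths are passed as arguments.
# e.g. preflight /etc/ssl/swhosting.com.pem /etc/ssl/private/swhosting.com.key \
#                /etc/nginx/sites-enabled/odoo.conf

# 0 if the certificate ($1) and private key ($2) carry the same public key.
cert_matches_key() {
    c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    k=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# 0 if the key file ($1) grants no permissions to "other" users.
key_is_private() {
    [ "$(ls -ldL "$1" | cut -c8-10)" = "---" ]
}

# Print weak TLS settings found in an nginx config ($1); returns 1 if any.
audit_tls_conf() {
    awk '
        { sub(/#.*/, "") }   # ignore comments
        $1 == "ssl" && $2 == "on;" { print "deprecated directive: ssl on"; bad = 1 }
        $1 == "ssl_protocols" {
            for (i = 2; i <= NF; i++) {
                p = $i; sub(/;$/, "", p)
                if (p ~ /^(SSLv2|SSLv3|TLSv1|TLSv1\.1)$/) { print "legacy protocol: " p; bad = 1 }
            }
        }
        $1 == "ssl_ciphers" {
            s = $0; sub(/^[ \t]*ssl_ciphers/, "", s)
            gsub(/[^A-Za-z0-9:!+_-]/, "", s)   # strip quotes, spaces and ";"
            n = split(s, c, ":")
            for (i = 1; i <= n; i++)
                if (c[i] !~ /^!/ && c[i] ~ /DES-CBC3|3DES|RC4|MD5|NULL|EXP/) {
                    print "weak cipher: " c[i]; bad = 1
                }
        }
        END { exit bad + 0 }
    ' "$1"
}

# Run every check, then let nginx validate the file syntax.
preflight() {
    cert_matches_key "$1" "$2" || { echo "certificate and key do not match or cannot be read"; return 1; }
    key_is_private "$2" || { echo "key is readable by other users"; return 1; }
    audit_tls_conf "$3" || return 1
    nginx -t
}
```

TLS 1.0 and 1.1 are formally deprecated by RFC 8996; restricting ssl_protocols to TLSv1.2 (plus TLSv1.3 where the installed nginx and OpenSSL support it) and dropping DES-CBC3-SHA from ssl_ciphers clears the findings this check reports for the configuration above.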