Let’s encrypt is a non-profit organization certificate authority established to provide SSL. Their service completely free of cost. The certificates are valid for 3 months, but we can automate the renewal process.
Before doing this, please note that following things need to be replaced by relevant values. I don’t think it needs further explanation.
- MyServerName
- MyAdminEmailAddress
- MyServerAddress
This is tested on Ubuntu 14.04 server running Odoo 9.
Install Apache2
First we need to install the Apache2 server. If you already running it, good – skit these.
|
1 2 3 4 5 6 |
sudo apt-get install apache2 sudo a2enmod ssl sudo a2enmod rewrite sudo a2enmod proxy_http sudo a2enmod headers sudo service apache2 restart |
Install Let’s Encrypt SSL
Below is an excellent article on this, install it and come back.
https://www.digitalocean.com/community/tutorials/how-to-secure-apache-with-let-s-encrypt-on-ubuntu-14-04
- Download certbot
- Setup certificate – Use your erp domain name for generating certificate.
- setup auto renewal – don’t forget to do this step.
Add Odoo.conf file
|
1 2 |
cd /etc/apache2/sites-available sudo nano odoo.conf |
- Add following lines in odoo.conf
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 |
<VirtualHost *:80> ServerName MyServerName ServerAdmin MyAdminEmailAddress Redirect permanent / https://MyServerAddress/ TransferLog /var/log/apache2/transfer.localhost.log ErrorLog /var/log/apache2/error.localhost.log </VirtualHost> <VirtualHost *:443> ServerName MyServerName ServerAdmin MyAdminEmailAddress <Proxy *> Order deny,allow Allow from all </Proxy> SSLEngine on SSLCertificateFile /etc/letsencrypt/live/MyServerAddress/cert.pem SSLCertificateKeyFile /etc/letsencrypt/live/MyServerAddress/privkey.pem SSLCertificateChainFile /etc/letsencrypt/live/MyServerAddress/chain.pem ProxyRequests Off ProxyPass / http://MyServerAddress:8069/ ProxyPassReverse / http://MyServerAddress:8069/ ProxyErrorOverride off TransferLog /var/log/apache2/transfer.localhost.log ErrorLog /var/log/apache2/error.localhost.log CustomLog /var/log/apache2/ssl.localhost.log combined #Fix IE problem (httpapache proxy dav error 408/409) SetEnv proxy-nokeepalive 1 RequestHeader set "X-Forwarded-Proto" "https" </VirtualHost> |
Edit Ports.conf
|
1 2 |
cd /etc/apache2 sudo nano ports.conf |
- Add following content in ports.conf
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 |
# /etc/apache2/ports.conf #NameVirtualHost *:80 Listen 80 <IfModule ssl_module> # NameVirtualHost *:443 Listen 443 </IfModule> <IfModule mod_gnutls.c> Listen 443 </IfModule> # vim: syntax=apache ts=4 sw=4 sts=4 sr noet |
Enable Odoo configuration
|
1 2 3 |
sudo a2ensite odoo sudo service apache2 restart sudo nano /etc/apache2/apache2.conf |
Add following content to the last line of apache2.conf
|
1 |
ServerName MyServerName |
Additional security and testing
- Read this article for further improving SSL security : https://raymii.org/s/tutorials/Strong_SSL_Security_On_Apache2.html
- After everything, test using ssllabs.com
Hi Basheer,
Seems that a line is incorrect in Odoo.conf:
“ngine on” should be “SSLEngine on”
Thanks for the article!
Yes. Thanks for the correction.