Why SSL/TLS is Essential for Odoo
The integration of SSL/TLS encryption offers a multitude of critical benefits for any Odoo deployment:
- Enhanced Data Protection: All data exchanges between end-users and your Odoo server, including sensitive business data and personal information, are encrypted, making it unreadable to unauthorized parties.
- Server Authentication: SSL/TLS certificates provide a verifiable identity for your server, assuring users that they are connecting to the legitimate Odoo application and not a fraudulent site.
- Significant SEO Advantages: Search engines, particularly Google, prioritize secure HTTPS websites in their search results, which can lead to improved visibility and organic traffic.
- Increased Browser Trust: Contemporary web browsers actively notify users when they access unencrypted HTTP websites, often displaying 'Not Secure' warnings. HTTPS eliminates these warnings, ensuring a seamless and trusted user experience.
- Regulatory Compliance: Adopting SSL/TLS is often a mandatory requirement for various industry standards and data protection regulations, such as PCI DSS (for payment processing) and GDPR (General Data Protection Regulation).
- Professional Credibility: Demonstrating a commitment to security through HTTPS significantly boosts customer confidence and reinforces your organization's professionalism and dedication to safeguarding user data.
Prerequisites
Prior to commencing the SSL/TLS setup, please ensure the following prerequisites are met:
- An operational Odoo 18 instance deployed on Ubuntu 24.04 LTS.
- Nginx configured to function as a reverse proxy for your Odoo application.
- A valid domain name properly configured to point to your server's IP address.
- Ports 80 and 443 are open and accessible through your server's firewall.
- You have either root or sudo access privileges on your server to execute administrative commands.
Step 1: Install Certbot
Certbot is the robust, official client for Let's Encrypt, designed to streamline and automate the process of obtaining and installing SSL/TLS certificates. To install Certbot and its Nginx plugin, execute the following commands in your server's terminal:
sudo apt update
sudo apt install certbot python3-certbot-nginx -y
Once the installation is complete, you can verify that Certbot has been successfully installed by checking its version:
certbot --version
Step 2: Prepare Nginx Configuration for SSL
Before proceeding, it is crucial to ensure that your Nginx configuration file accurately reflects your domain name. Open your Odoo Nginx server block for editing:
sudo nano /etc/nginx/sites-available/odoo18
Within this file, verify that your primary domain and any aliases are correctly specified in the server_name directive. Your basic server block, listening on port 80, should resemble this structure:
server {
    listen 80;
    server_name your-domain.com www.your-domain.com;
    # Your existing Odoo reverse proxy configuration directives
    include /etc/nginx/snippets/odoo-proxy.conf;
}
After making any necessary adjustments, it is vital to test the Nginx configuration for syntax errors and then reload the service to apply the changes:
sudo nginx -t
sudo systemctl reload nginx
Step 3: Acquire and Install the SSL Certificate Using Certbot
With Nginx prepared, you can now run Certbot to automatically obtain and install the SSL certificate for your specified domain(s). Execute the following command:
sudo certbot --nginx -d your-domain.com -d www.your-domain.com
Certbot will guide you through a series of interactive prompts:
- You will be asked to enter an email address. This address will be used for urgent renewal notices and security warnings related to your certificate.
- Review and agree to the Let's Encrypt Terms of Service to proceed.
- You will have the option to choose whether to share your email address with the Electronic Frontier Foundation (EFF), a non-profit organization supporting digital rights. This step is entirely optional.
- Finally, Certbot will ask how you'd like to handle HTTP traffic. Select option 2 to automatically redirect all incoming HTTP traffic to HTTPS, ensuring that all connections to your Odoo instance are secure. (Certbot 2.0 and later no longer show this prompt: they add the redirect by default, and --no-redirect turns it off.)
Upon successful completion, Certbot will confirm that your certificate has been installed and is actively managing your Nginx configuration.
Step 4: Verify the Successful SSL Installation
After Certbot completes its operation, it automatically modifies your Nginx configuration file to incorporate the new SSL certificate settings and enforce HTTPS redirection. To review these changes, open your Nginx server block once more:
sudo nano /etc/nginx/sites-available/odoo18
You should observe an updated configuration similar to the following, which now includes a new server block listening on port 443 (HTTPS) and a modified port 80 block for redirection:
server {
    server_name your-domain.com www.your-domain.com;
    listen 443 ssl http2; # This block is managed by Certbot for secure HTTPS traffic
    ssl_certificate /etc/letsencrypt/live/your-domain.com/fullchain.pem; # Leaf certificate plus the Let's Encrypt intermediate chain
    ssl_certificate_key /etc/letsencrypt/live/your-domain.com/privkey.pem; # Private key; keep it readable by root only
    include /etc/letsencrypt/options-ssl-nginx.conf; # Certbot's protocol, cipher and session settings
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # Diffie-Hellman parameters used by the DHE cipher suites (forward secrecy)
    include /etc/nginx/snippets/odoo-proxy.conf; # Your original Odoo reverse proxy settings remain here
}
server {
    # These 'if' blocks permanently redirect HTTP requests for your names to HTTPS.
    # Note that $server_name expands to the first name listed in server_name, so
    # www.your-domain.com is redirected to the apex; use $host instead to keep the requested host.
    if ($host = www.your-domain.com) {
        return 301 https://$server_name$request_uri;
    } # Managed by Certbot
    if ($host = your-domain.com) {
        return 301 https://$server_name$request_uri;
    } # Managed by Certbot
    listen 80;
    server_name your-domain.com www.your-domain.com;
    return 404; # Requests carrying any other Host header fall through to this 404 instead of reaching Odoo
}
At this point, you should be able to access your Odoo instance securely via HTTPS by navigating to https://your-domain.com in your web browser.
Step 5: Enhance SSL Configuration for Optimal Security
To further strengthen the security posture of your Odoo installation and achieve higher SSL/TLS grades, it is highly recommended to implement a custom SSL parameter configuration. This involves creating a dedicated Nginx snippet.
First, create a new configuration file for these parameters:
sudo nano /etc/nginx/snippets/ssl-params.conf
Then, insert the following comprehensive SSL configuration into the newly created file. These settings enforce modern protocols, strong cipher suites, and enhance various security features:
# Modern SSL configuration: Specifies robust and current SSL/TLS protocols.
# Note: Certbot's options-ssl-nginx.conf sets ssl_protocols, ssl_ciphers,
# ssl_prefer_server_ciphers and the ssl_session_* directives to essentially the
# same values. nginx rejects a directive that appears twice in one server block
# ("ssl_ciphers" directive is duplicate), so include this snippet instead of,
# not in addition to, that file.
ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers off; # Let the client choose; every suite below is an AEAD suite with forward secrecy
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
# SSL optimization: Improves performance and security for SSL sessions
ssl_session_timeout 1d; # Sets the SSL session timeout
ssl_session_cache shared:SSL:10m; # Caches SSL sessions for faster reconnection
ssl_session_tickets off; # Disables session tickets, whose long-lived ticket key would weaken forward secrecy
# OCSP stapling: Reduces overhead and improves privacy for certificate validation.
# Let's Encrypt is retiring OCSP in favour of CRLs; on certificates that carry no OCSP URL these directives are inert.
ssl_stapling on;
ssl_stapling_verify on;
resolver 8.8.8.8 8.8.4.4 valid=300s; # DNS resolvers used for OCSP lookups (point this at your own resolver if you prefer not to query Google's)
resolver_timeout 5s;
# Security headers: Mitigate common web vulnerabilities.
# nginx does not inherit add_header into a location block that has its own
# add_header, so check that odoo-proxy.conf does not silently drop these.
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"; # Enforces HTTPS for a year on this host and all subdomains; keep "preload" only if you intend to submit the domain to the browser preload list
add_header X-Frame-Options "SAMEORIGIN"; # Prevents clickjacking by allowing embedding only on the same origin
add_header X-Content-Type-Options "nosniff"; # Prevents browsers from MIME-sniffing a response away from the declared Content-Type
add_header X-XSS-Protection "1; mode=block"; # Legacy header; current browsers no longer implement this filter, so it is harmless but ineffective
After adding the above configuration, you need to include this snippet in your main Nginx server block. Open /etc/nginx/sites-available/odoo18 again with sudo nano and locate the server block that listens on 443 ssl http2. Replace the include /etc/letsencrypt/options-ssl-nginx.conf; line with the following (that Certbot file already sets the protocol, cipher and session directives, and nginx refuses to load a server block in which a directive such as ssl_ciphers appears twice):
include /etc/nginx/snippets/ssl-params.conf;
Your HTTPS server block will then look like this:
server {
    server_name your-domain.com www.your-domain.com;
    listen 443 ssl http2;
    ssl_certificate /etc/letsencrypt/live/your-domain.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/your-domain.com/privkey.pem;
    include /etc/nginx/snippets/ssl-params.conf; # Newly added line; it takes the place of options-ssl-nginx.conf, which sets the same protocol, cipher and session directives and would make nginx -t fail with "directive is duplicate"
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
    include /etc/nginx/snippets/odoo-proxy.conf;
}
Finally, test your Nginx configuration for any errors and reload the service to apply these enhanced security settings:
sudo nginx -t
sudo systemctl reload nginx
Your Odoo 18 instance is now configured with a robust and secure HTTPS setup, leveraging free certificates from Let's Encrypt and advanced Nginx SSL parameters for optimal protection and performance.
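The checks a practitioner would run once Steps 4 and 5 are in place, as an added shell script that is not part of the original tutorial: it confirms the HTTP-to-HTTPS redirect, that only TLS 1.2 and 1.3 are accepted, that the headers from ssl-params.conf reach the client, and how many days remain on the certificate. It assumes curl, openssl and GNU date are installed, and your-domain.com stands for the page's placeholder host.

```shell
#!/bin/sh
# check_odoo_tls.sh: post-setup checks for the Nginx + Let's Encrypt configuration
# built above (added example, not part of the original tutorial).
# Assumes curl, openssl and GNU date are available, as on Ubuntu 24.04.

# List the headers from ssl-params.conf that are absent from an HTTP response
# header block read from stdin (output: space-separated names, empty if none).
missing_headers() {
    hdrs=$(cat)
    missing=""
    for h in strict-transport-security x-frame-options x-content-type-options; do
        printf '%s\n' "$hdrs" | grep -qi "^$h:" || missing="$missing $h"
    done
    printf '%s' "${missing# }"
}

# Whole days until expiry, given the "notAfter=..." line printed by
# `openssl x509 -noout -enddate` and (optionally) a reference epoch time.
days_until_expiry() {
    end=$(printf '%s' "$1" | sed 's/^notAfter=//')
    end_s=$(date -u -d "$end" +%s)
    now_s=${2:-$(date -u +%s)}
    echo $(( (end_s - now_s) / 86400 ))
}

# Live checks against a deployed host: sh check_odoo_tls.sh your-domain.com
live_check() {
    host=$1
    # 1. Plain HTTP must answer with a 301 to the HTTPS site (Step 4 redirect block).
    code=$(curl -s -o /dev/null -w '%{http_code}' "http://$host/")
    loc=$(curl -sI "http://$host/" | grep -i '^location:' | tr -d '\r')
    echo "HTTP redirect: $code $loc"
    # 2. TLS 1.0/1.1 must be refused and 1.2/1.3 accepted (ssl_protocols in ssl-params.conf).
    for v in tls1 tls1_1 tls1_2 tls1_3; do
        if openssl s_client -connect "$host:443" -servername "$host" "-$v" </dev/null >/dev/null 2>&1
        then echo "$v: accepted"; else echo "$v: refused"; fi
    done
    # 3. The security headers added in Step 5 must reach the client.
    m=$(curl -sI "https://$host/" | missing_headers)
    echo "missing headers: ${m:-none}"
    # 4. Certificate lifetime; Let's Encrypt certificates last 90 days and certbot's
    #    timer renews them at 30 (verify it with: sudo certbot renew --dry-run).
    end=$(openssl s_client -connect "$host:443" -servername "$host" </dev/null 2>/dev/null \
          | openssl x509 -noout -enddate)
    echo "days until expiry: $(days_until_expiry "$end")"
}

if [ -n "${1:-}" ]; then live_check "$1"; fi
```

Run it again after a renewal to confirm the freshly issued certificate is the one being served.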
Conclusion
By diligently following these steps, you have successfully secured your Odoo 18 installation with SSL/TLS encryption. This critical security measure not only protects sensitive data transferred between your server and users but also significantly enhances your website's credibility, improves its search engine ranking, and ensures compliance with modern web security standards. Regular monitoring of your certificate's expiration and ensuring automatic renewals are functioning correctly will maintain this high level of security for your Odoo application.