Putting your Odoo 18 installation behind TLS (the protocol most people still call SSL) protects business data in transit, keeps login credentials off the wire, and is something users and browsers now expect. This guide walks through obtaining free certificates from Let's Encrypt and configuring Nginx, which fronts Odoo as a reverse proxy, to serve the instance over HTTPS.
Why SSL/TLS is Crucial for Odoo Security
SSL/TLS encryption offers a multitude of benefits, making it an indispensable component for any modern web application, especially Odoo:
- Data Protection: It encrypts everything exchanged between the browser and Nginx, preventing eavesdropping and tampering on the network path. The hop from Nginx to Odoo itself (normally 127.0.0.1:8069) stays in plaintext, which is acceptable only while both run on the same host.
- Authentication: The certificate lets clients verify the identity of your server, so they know they are connecting to the legitimate Odoo instance and not an impostor sitting on the path.
- SEO Benefits: Google uses HTTPS as a (minor) ranking signal, so HTTPS-only sites are at no disadvantage and HTTP-only sites are.
- Browser Trust: Modern browsers label plain-HTTP pages as "Not secure", warn when a password field is served over HTTP, and withhold features that require a secure context (service workers, geolocation and similar APIs) from non-HTTPS origins.
- Compliance Requirements: PCI DSS requires strong cryptography for cardholder data sent over open networks, and the "appropriate technical measures" GDPR calls for are generally read to include encryption in transit.
- Customer Confidence: Demonstrating a commitment to security through HTTPS signals professionalism and helps to build user confidence in your platform.
Prerequisites for SSL/TLS Setup
Before proceeding with the SSL/TLS configuration, ensure that the following prerequisites are met on your server environment:
- Odoo 18 Installation: A functional Odoo 18 instance should be installed, preferably on Ubuntu 24.04 LTS.
- Nginx Reverse Proxy: Nginx must already be proxying to Odoo (typically 127.0.0.1:8069, plus 127.0.0.1:8072 for the /websocket endpoint). The proxy configuration should pass the X-Forwarded-For, X-Forwarded-Host and X-Forwarded-Proto headers, and Odoo must run with proxy_mode = True in its configuration file; otherwise Odoo does not know it is behind HTTPS, generates http:// links, and logs every client as 127.0.0.1.
- Valid Domain Name: You need a registered domain name that is correctly pointing to the public IP address of your Odoo server.
- Firewall Configuration: Ports 80 (HTTP) and 443 (HTTPS) must be open in your server's firewall. Port 80 has to stay open after setup as well: Certbot's HTTP-01 challenge uses it at every renewal, and it serves the HTTP-to-HTTPS redirect.
- Administrative Access: You must have root access or a user with sudo privileges on your server to execute necessary commands.
Step 1: Install Certbot
Certbot, maintained by the EFF, is the ACME client that Let's Encrypt recommends; it obtains certificates and, with the Nginx plugin, edits your server blocks to install them. Ubuntu's packaged version is fine for this guide (Certbot's own documentation prefers the snap, which receives updates sooner). Update your package lists and install Certbot together with its Nginx plugin:
sudo apt update
sudo apt install certbot python3-certbot-nginx -y
After installation, you can verify that Certbot is correctly installed and accessible by checking its version:
certbot --version
Step 2: Prepare Nginx Configuration for SSL
It is essential to ensure that your Nginx server block for Odoo includes the correct domain names. This allows Certbot to properly identify and configure the SSL certificate. Edit your Nginx configuration file for Odoo, typically located at:
sudo nano /etc/nginx/sites-available/odoo18
Confirm that your server block lists your domain and its www subdomain (if applicable) and listens on port 80. Certbot answers the HTTP-01 challenge from this block, so the names here must be the ones you request the certificate for:
server {
listen 80;
server_name your-domain.com www.your-domain.com;
# Your existing Odoo reverse proxy configuration
include /etc/nginx/snippets/odoo-proxy.conf;
}
After making any changes, it is crucial to test your Nginx configuration for syntax errors and then reload the service to apply the updates:
sudo nginx -t
sudo systemctl reload nginx
Step 3: Obtain and Install Your SSL Certificate
With Certbot installed and Nginx prepared, you can now run Certbot to automatically obtain and install a free SSL certificate from Let's Encrypt for your domain. Execute the following command, replacing your-domain.com with your actual domain:
sudo certbot --nginx -d your-domain.com -d www.your-domain.com
During the process, Certbot will guide you through a series of prompts:
- You will be asked for an email address. Let's Encrypt uses it for account recovery and service notices; it no longer sends certificate expiry warnings, so monitoring expiry is your responsibility.
- Review and accept the Let's Encrypt Terms of Service.
- You will have the option to share your email address with the Electronic Frontier Foundation (EFF), which supports Let's Encrypt. This step is entirely optional.
- Older Certbot releases then ask whether to redirect HTTP to HTTPS; choose option 2 (redirect). Certbot 2.x, including the version packaged for Ubuntu 24.04, no longer asks and enables the redirect by default; pass --no-redirect only if you deliberately do not want it.
Step 4: Verify SSL Configuration
Upon successful completion, Certbot automatically modifies your Nginx configuration file to include the necessary SSL directives. You can inspect the updated configuration by revisiting the Nginx server block file:
sudo nano /etc/nginx/sites-available/odoo18
Your server block for Odoo should now contain entries similar to these, indicating that Certbot has correctly configured HTTPS:
server {
server_name your-domain.com www.your-domain.com;
listen 443 ssl http2; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/your-domain.com/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/your-domain.com/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
include /etc/nginx/snippets/odoo-proxy.conf;
}
server {
if ($host = www.your-domain.com) {
return 301 https://$host$request_uri;
} # managed by Certbot
if ($host = your-domain.com) {
return 301 https://$host$request_uri;
} # managed by Certbot
listen 80;
server_name your-domain.com www.your-domain.com;
return 404; # managed by Certbot
}
With this configuration Odoo is reachable only over HTTPS: a request on port 80 for either name gets a permanent redirect to the same name on HTTPS (Certbot redirects with $host, the name the client asked for; $server_name would always resolve to the first name in the list), and anything else on port 80 gets a 404. Two more checks are worth making at this point. Certbot's Ubuntu package installs a systemd timer that runs certbot renew twice a day; confirm it is active with systemctl list-timers certbot.timer and that a renewal would actually succeed with sudo certbot renew --dry-run. Then load Odoo in a browser and confirm that links and redirects stay on https://; if they fall back to http://, Odoo is not being told about the proxy (see the prerequisites on X-Forwarded-Proto and proxy_mode).
Step 5: Enhance SSL Configuration for Optimal Security
Certbot's defaults are sound, but a dedicated snippet lets you tune the TLS parameters and add security headers in one place, which also improves the grade an external scanner gives the site. Create the snippet with:
sudo nano /etc/nginx/snippets/ssl-params.conf
Populate it with the following. The protocol and cipher selection is the Mozilla "intermediate" profile, which is also what Certbot generates options-ssl-nginx.conf from, so the first six directives duplicate that file; read the note at the end before including both.
# Modern TLS configuration (Mozilla intermediate profile)
ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers off;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
# Session resumption: server-side cache only. Stateless tickets stay off because
# nginx's ticket key is generated at startup and never rotated, which weakens forward secrecy.
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off;
# OCSP stapling. Let's Encrypt stopped putting OCSP URLs in its certificates in 2025 and
# has shut down its responders, so for Let's Encrypt certificates these four lines do
# nothing (nginx logs a warning and sends no staple). Keep them only if you also serve
# certificates from a CA that still offers OCSP, and use a local resolver (127.0.0.53 is
# the systemd-resolved stub on Ubuntu) rather than sending lookups to a third-party DNS service.
ssl_stapling on;
ssl_stapling_verify on;
resolver 127.0.0.53 valid=300s;
resolver_timeout 5s;
# Security headers. "always" makes nginx send them on error responses too.
# HSTS with includeSubDomains commits every subdomain to HTTPS for two years; add
# "preload" only once you have decided to submit the domain to hstspreload.org, since
# that is very hard to undo.
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains" always;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Content-Type-Options "nosniff" always;
# The legacy browser XSS filter has been removed from current browsers and its
# "1; mode=block" setting introduced side channels in older ones; disable it explicitly.
add_header X-XSS-Protection "0" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
Note: include this file from the Odoo server block that listens on 443 (include /etc/nginx/snippets/ssl-params.conf;). Nginx refuses to start when the same directive appears twice in one block (the error reads, for example, "ssl_protocols" directive is duplicate), and the protocol, cipher and session directives above are already set by /etc/letsencrypt/options-ssl-nginx.conf. Either delete those six lines from the snippet and keep only the stapling and header lines, or replace the include of options-ssl-nginx.conf with this snippet and accept that Certbot will no longer maintain those parameters for you. Also be aware that add_header directives are not inherited into a location block that sets any add_header of its own, so if odoo-proxy.conf adds headers inside a location, repeat these there. Test your Nginx configuration (sudo nginx -t) and reload the service (sudo systemctl reload nginx) after each change, then check the result with an external scanner such as the SSL Labs server test.
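An added example, not part of the original guide and not a Certbot or nginx tool: a small shell audit that lists the directives a snippet like the one above sets twice once it sits beside Certbot's options-ssl-nginx.conf, and emits a copy of the snippet with the clashes removed so that nginx -t passes. The paths follow the guide; the file contents the script writes for its demo are constructed, abridged stand-ins for the real files.

```bash
#!/usr/bin/env bash
# Added example (not part of the original guide): audit a custom TLS snippet
# against Certbot's options-ssl-nginx.conf before including both from one
# server block. nginx rejects a directive that is set twice in the same block
# (e.g. '"ssl_protocols" directive is duplicate') and nginx -t fails. The file
# contents written by make_samples() are constructed stand-ins, not the real
# files; run the functions against /etc/letsencrypt/options-ssl-nginx.conf
# and /etc/nginx/snippets/ssl-params.conf on your host.
set -u
export LC_ALL=C   # deterministic sort order

# Print the directive names set in an nginx config fragment, one per line,
# ignoring comments, blank lines and lines that open or close a block.
directive_names() {
    sed -e 's/#.*$//' "$1" | awk 'NF > 0 && $0 !~ /[{}]/ { print $1 }'
}

# Print the directives that both fragments set (sorted, unique). A directive
# repeated inside one file, such as add_header, is counted once per file.
duplicate_directives() {
    { directive_names "$1" | sort -u; directive_names "$2" | sort -u; } | sort | uniq -d
}

# Print snippet $2 with every directive that $1 already sets removed, so the
# result can be included alongside $1 without tripping nginx -t.
strip_duplicates() {
    local dups
    dups=$(duplicate_directives "$1" "$2" | tr '\n' ' ')
    awk -v dups=" $dups" '
        NF > 0 && $0 !~ /^[ \t]*#/ && $0 !~ /[{}]/ && index(dups, " " $1 " ") > 0 { next }
        { print }' "$2"
}

# Write constructed stand-ins for the two files into a temp dir and print its path.
make_samples() {
    local dir
    dir=$(mktemp -d)
    # Abridged stand-in for Certbot's file (the real one carries a longer cipher list).
    cat > "$dir/options-ssl-nginx.conf" <<'EOF'
ssl_session_cache shared:le_nginx_SSL:10m;
ssl_session_timeout 1440m;
ssl_session_tickets off;

ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers off;
ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256";
EOF
    # The guide's snippet, abridged: the same six directives plus stapling and headers.
    cat > "$dir/ssl-params.conf" <<'EOF'
# Modern SSL configuration for enhanced security
ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers off;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256;
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off;   # inline comment, still a duplicate
ssl_stapling on;
ssl_stapling_verify on;
resolver 127.0.0.53 valid=300s;
resolver_timeout 5s;
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains" always;
add_header X-Frame-Options "SAMEORIGIN" always;
EOF
    printf '%s\n' "$dir"
}

# Demo run on the constructed files: report the clashes and write a snippet
# that is safe to include next to options-ssl-nginx.conf.
demo() {
    local dir
    dir=$(make_samples)
    echo "Directives set in both files:"
    duplicate_directives "$dir/options-ssl-nginx.conf" "$dir/ssl-params.conf"
    strip_duplicates "$dir/options-ssl-nginx.conf" "$dir/ssl-params.conf" > "$dir/ssl-params.dedup.conf"
    echo "Deduplicated snippet written to $dir/ssl-params.dedup.conf"
}

[ "${1:-}" = demo ] && demo
```

Run bash audit_snippet.sh demo to see it work on the constructed files; on a real host call duplicate_directives /etc/letsencrypt/options-ssl-nginx.conf /etc/nginx/snippets/ssl-params.conf instead. When nginx -t already reports a duplicate and you are not sure where it comes from, sudo nginx -T | grep -n ssl_protocols dumps the effective configuration with every place the directive is set.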
By following these steps, your Odoo 18 instance will be securely configured with SSL/TLS, ensuring encrypted communications and a trusted online presence.
