Friday, January 30, 2026

Enabling SSL/TLS encryption for your Odoo 18 installation protects sensitive business data and user credentials in transit and builds trust with your customers. This guide walks you through obtaining a free certificate from Let's Encrypt and configuring HTTPS for your Odoo instance.

Why SSL/TLS is Essential for Odoo

SSL/TLS encryption is more than just a security feature; it's a fundamental requirement for modern web applications like Odoo. It offers numerous benefits that contribute to data integrity, user confidence, and overall system reliability:

  • Data Protection: SSL/TLS encrypts all data transmitted between users and your Odoo server, safeguarding sensitive information such as login credentials, financial transactions, and personal data from eavesdropping and interception.
  • Authentication: It verifies your server's identity to users, ensuring they are connecting to the legitimate Odoo instance and not a malicious imposter. This prevents man-in-the-middle attacks.
  • SEO Benefits: Search engines, notably Google, prioritize HTTPS-secured websites in their search rankings. Implementing SSL can significantly improve your website's visibility and organic traffic.
  • Browser Trust: Modern web browsers prominently display security indicators (like a padlock icon) for HTTPS sites. Conversely, they issue warnings or display "Not Secure" messages for non-HTTPS sites, which can deter users.
  • Compliance: Adherence to various industry standards and regulations, such as PCI DSS (Payment Card Industry Data Security Standard) and GDPR (General Data Protection Regulation), often mandates the use of SSL/TLS encryption for data in transit.
  • Customer Confidence: Demonstrating a commitment to security by encrypting your Odoo instance fosters greater trust among your clients and users, showcasing professionalism and responsibility.

Prerequisites

Before you begin the SSL/TLS setup for your Odoo 18 instance, ensure that the following prerequisites are met. These steps are crucial for a smooth and successful installation:

  • Odoo 18 installed on Ubuntu 24.04 LTS: Your Odoo application should be fully operational on the specified operating system.
  • Nginx configured as a reverse proxy: Nginx should be set up to proxy requests to your Odoo instance. This is essential for managing web traffic and handling SSL termination.
  • A valid domain name pointing to your server: Your domain name (e.g., your-domain.com) must be correctly configured to resolve to the public IP address of your Odoo server.
  • Ports 80 and 443 open in your firewall: These ports are necessary for HTTP and HTTPS traffic, respectively, to reach your Nginx server. Ensure your firewall (e.g., UFW) allows incoming connections on both ports.
  • Root or sudo access to your server: You will need administrative privileges to install packages, modify configuration files, and manage system services.

Step 1: Install Certbot

Certbot is the recommended and official client for Let's Encrypt, designed to automate the process of obtaining and installing SSL/TLS certificates. Begin by updating your package list and installing Certbot along with its Nginx plugin:

sudo apt update
sudo apt install certbot python3-certbot-nginx -y

Once the installation is complete, it's good practice to verify that Certbot has been successfully installed and is accessible from your system's PATH:

certbot --version

Step 2: Prepare Nginx Configuration

For Certbot to correctly identify and configure your domain, your Nginx server block must be properly defined. Ensure that your Nginx configuration includes the correct server_name directives for your domain and its variations (e.g., with and without 'www').

Open your Nginx configuration file for your Odoo instance, typically located at /etc/nginx/sites-available/odoo18:

sudo nano /etc/nginx/sites-available/odoo18

Your server block for port 80 should resemble the following structure, listening for traffic on your specified domain names:

server {
    listen 80;
    server_name your-domain.com www.your-domain.com;
    
    # Your existing configuration for Odoo proxying
    include /etc/nginx/snippets/odoo-proxy.conf;
}

After making any changes, it is essential to test the Nginx configuration for syntax errors and then reload the service to apply the new settings:

sudo nginx -t
sudo systemctl reload nginx

Step 3: Obtain SSL Certificate

With Certbot installed and Nginx prepared, you can now proceed to obtain and install your free SSL/TLS certificate from Let's Encrypt. Execute the Certbot command, specifying the --nginx plugin and your domain names:

sudo certbot --nginx -d your-domain.com -d www.your-domain.com

Certbot will guide you through a series of interactive prompts:

  1. You will be asked to enter your email address. This is used for urgent renewal notices and security warnings.
  2. You must agree to the Let's Encrypt Terms of Service to proceed.
  3. You will have the option to choose whether to share your email address with the Electronic Frontier Foundation (EFF), which supports Let's Encrypt. This is entirely optional.
  4. Crucially, select option 2 when prompted, which configures Nginx to automatically redirect all incoming HTTP traffic to HTTPS, ensuring all connections are secure.

Upon successful completion, Certbot will automatically modify your Nginx configuration to include the new SSL certificates and set up the necessary redirects.

Step 4: Verify SSL Installation

Certbot's primary function is to automate the SSL setup, which includes making changes to your Nginx configuration file. To confirm that the SSL certificate has been correctly installed and configured, inspect the updated Nginx server block:

sudo nano /etc/nginx/sites-available/odoo18

You should observe new directives within your Nginx configuration, similar to the example below. These lines indicate that Nginx is now listening on port 443 for HTTPS traffic and is configured to use the Let's Encrypt certificates:

server {
    server_name your-domain.com www.your-domain.com;
    
    listen 443 ssl http2; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/your-domain.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/your-domain.com/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
    
    include /etc/nginx/snippets/odoo-proxy.conf;
}

server {
    if ($host = www.your-domain.com) {
        return 301 https://$server_name$request_uri;
    } # managed by Certbot

    if ($host = your-domain.com) {
        return 301 https://$server_name$request_uri;
    } # managed by Certbot

    listen 80;
    server_name your-domain.com www.your-domain.com;
    return 404; # managed by Certbot
}

This configuration redirects all HTTP traffic on port 80 to its HTTPS equivalent on port 443, effectively enforcing secure communication across your Odoo instance.
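
Reading the file shows what Nginx was told to do; checking a response shows what it actually does. The script below is an added example, not part of the original guide: it validates response headers captured with curl against the redirect configured above. The names check_redirect and sample_response and the sample response are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: validate the port-80 redirect from captured response headers.
# On a server:
#   curl -sI http://your-domain.com/ | check_redirect your-domain.com www.your-domain.com

# check_redirect ALLOWED_HOST...   (response headers on stdin)
# Succeeds only for a 301 whose Location is https:// on an allowed host;
# otherwise prints the reason and returns 1.
check_redirect() {
    local headers status location host allowed
    headers=$(tr -d '\r')                     # HTTP header lines end in CRLF
    status=$(printf '%s\n' "$headers" | awk 'NR == 1 { print $2 }')
    location=$(printf '%s\n' "$headers" |
        awk 'tolower($1) == "location:" { print $2; exit }')
    if [ "$status" != "301" ]; then
        echo "expected status 301, got '$status'"; return 1
    fi
    case "$location" in
        https://*) ;;
        *) echo "Location is not an https URL: '$location'"; return 1 ;;
    esac
    host=${location#https://}                 # strip the scheme
    host=${host%%/*}                          # keep only the host part
    for allowed in "$@"; do
        [ "$host" = "$allowed" ] && return 0
    done
    echo "redirect target '$host' is not one of: $*"; return 1
}

# Constructed sample response, shaped like a reply to a plain-HTTP request.
sample_response() {
    printf 'HTTP/1.1 301 Moved Permanently\r\nServer: nginx\r\n'
    printf 'Location: https://your-domain.com/web/login\r\n\r\n'
}

sample_response | check_redirect your-domain.com www.your-domain.com && echo "redirect OK"
```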

Step 5: Enhance SSL Configuration

While Certbot provides a secure baseline, you can further enhance the security and performance of your SSL configuration by implementing a custom Nginx snippet. This allows for more granular control over SSL protocols, ciphers, and security headers.

Create a new Nginx snippet file for your advanced SSL parameters:

sudo nano /etc/nginx/snippets/ssl-params.conf

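Add the following content to the newly created file. These directives configure modern TLS protocols, strong cipher suites, SSL session settings, OCSP stapling for faster certificate validation, and the Strict-Transport-Security (HSTS) header. Two caveats apply. Let's Encrypt stopped putting an OCSP responder URL in its certificates in 2025, so with such a certificate Nginx ignores ssl_stapling and logs a warning. The HSTS value shown tells browsers to require HTTPS for the domain and every subdomain for two years (max-age=63072000), so confirm that all subdomains serve HTTPS before enabling it.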

# Modern SSL configuration for enhanced security
ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers off;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;

# SSL optimization for better performance
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off;

# OCSP stapling for faster certificate validation and improved privacy
ssl_stapling on;
ssl_stapling_verify on;
resolver 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 5s;

# Security headers to protect against common web vulnerabilities
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";

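After saving the snippet, include it in the Odoo domain's HTTPS server block (the server { listen 443 ssl ... } block) to activate these settings, then test and reload Nginx. That block already includes /etc/letsencrypt/options-ssl-nginx.conf, which sets some of the same directives; if nginx -t reports a duplicate directive, keep only one definition of each.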
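
Nginx rejects most directives that are set twice at the same level, so it helps to list what ssl-params.conf and the Certbot-managed options file both set before running nginx -t. The script below is an added example, not part of the original guide; shared_directives, REPEATABLE and both sample files are constructed for illustration, and it assumes one directive per line.

```bash
#!/usr/bin/env bash
# Added example: list the directives that two nginx snippet files both set.

# Directives nginx accepts more than once at the same level.
REPEATABLE="add_header include"

# shared_directives FILE_A FILE_B
# Prints, in FILE_B order, each directive name that FILE_A also sets.
shared_directives() {
    awk -v skip="$REPEATABLE" '
        BEGIN { n = split(skip, s, " "); for (i = 1; i <= n; i++) rep[s[i]] = 1 }
        { sub(/#.*/, "") }                  # drop comments
        NF == 0 { next }                    # skip blank lines
        { name = $1; sub(/;$/, "", name) }  # "foo;" -> "foo"
        FNR == NR { seen[name] = 1; next }  # first file: remember names
        (name in seen) && !(name in rep) && !printed[name]++ { print name }
    ' "$1" "$2"
}

# Constructed sample files; on a server pass the real paths instead:
#   shared_directives /etc/letsencrypt/options-ssl-nginx.conf \
#                     /etc/nginx/snippets/ssl-params.conf
demo() {
    local dir; dir=$(mktemp -d)
    cat >"$dir/options-ssl-nginx.conf" <<'EOF'
# constructed stand-in for the Certbot-managed file
ssl_session_cache shared:le_nginx_SSL:10m;
ssl_session_timeout 1440m;
ssl_session_tickets off;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers off;
EOF
    cat >"$dir/ssl-params.conf" <<'EOF'
ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers off;
ssl_session_timeout 1d;
ssl_session_tickets off;
ssl_stapling on;
resolver 8.8.8.8 8.8.4.4 valid=300s;
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
EOF
    shared_directives "$dir/options-ssl-nginx.conf" "$dir/ssl-params.conf"
    rm -rf "$dir"
}

demo
```

Each name it prints needs to be defined in only one of the two files before the reload.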