Ubuntu odoo letsencrypt - Revision history

Karavi: Created page with "'''1/ Install certbot :''' #> sudo apt update #> sudo apt install certbot '''2/ Generate Strong Dh (Diffie-Hellman) Group:''' sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048 '''3/ Map `.well-known/acme-challenge` to `/var/lib/letsencrypt` Directory:''' #> sudo mkdir -p /var/lib/letsencrypt/.well-known #> sudo chgrp www-data /var/lib/letsencrypt #
2023-10-27T09:28:06Z

Created page with "'''1/ Install certbot :''' <nowiki>#</nowiki>> sudo apt update <nowiki>#</nowiki>> sudo apt install certbot '''2/ Generate Strong Dh (Diffie-Hellman) Group:''' sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048 '''3/ Map <code>.well-known/acme-challenge</code> to <code>/var/lib/letsencrypt</code> Directory:''' <nowiki>#</nowiki>> sudo mkdir -p /var/lib/letsencrypt/.well-known <nowiki>#</nowiki>> sudo chgrp www-data /var/lib/letsencrypt <nowiki>#</nowiki..."

New page
'''1/ Install certbot :'''

<nowiki>#</nowiki>> sudo apt update

<nowiki>#</nowiki>> sudo apt install certbot

'''2/ Generate Strong Dh (Diffie-Hellman) Group:'''

sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048

'''3/ Map <code>.well-known/acme-challenge</code> to <code>/var/lib/letsencrypt</code> Directory:'''

<nowiki>#</nowiki>> sudo mkdir -p /var/lib/letsencrypt/.well-known

<nowiki>#</nowiki>> sudo chgrp www-data /var/lib/letsencrypt

<nowiki>#</nowiki>> sudo chmod g+s /var/lib/letsencrypt

we can use an Nginx snippet for the mapping and use later in our files

<nowiki>#</nowiki>> sudo nano /etc/nginx/snippets/letsencrypt.conf

location ^~ /.well-known/acme-challenge/ {
allow all;
root /var/lib/letsencrypt/;
default_type "text/plain";
try_files $uri =404;
}

4/ Create a second snippet ssl.conf which includes the chippers:

sudo nano /etc/nginx/snippets/ssl.conf

ssl_dhparam /etc/ssl/certs/dhparam.pem;

ssl_session_timeout 1d;
ssl_session_cache shared:SSL:50m;
ssl_session_tickets off;

ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';
ssl_prefer_server_ciphers on;

ssl_stapling on;
ssl_stapling_verify on;
resolver 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 30s;

add_header Strict-Transport-Security "max-age=15768000; includeSubdomains; preload";
add_header X-Frame-Options SAMEORIGIN;
add_header X-Content-Type-Options nosniff;

5/ Create your domain nginx bloc:

server {
listen 80;
server_name your.com www.your_domain.com;

include snippets/letsencrypt.conf;
}

6/ Create a symbolic link of your file to sites-enabled folder:

sudo ln -s /etc/nginx/sites-available/your_domain.conf /etc/nginx/sites-enabled/

sudo systemctl restart nginx

Obtain an SSL certificate by running Certbot:

sudo certbot certonly --agree-tos --email test@example.com --webroot -w /var/lib/letsencrypt/ -d your_domain.com -d www.your_domain.com

/etc/nginx/sites-available/your_domain.conf

# Odoo servers
upstream odoo {
server 127.0.0.1:8069;
}

upstream odoochat {
server 127.0.0.1:8072;
}

# HTTP -> HTTPS
server {
listen 80;
server_name www.your_domain.com your_domain.com;

include snippets/letsencrypt.conf;
return 301 https://your_domain.com$request_uri;
}

# WWW -> NON WWW
server {
listen 443 ssl http2;
server_name www.your_domain.com;

ssl_certificate /etc/letsencrypt/live/your_domain.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/your_domain.com/privkey.pem;
ssl_trusted_certificate /etc/letsencrypt/live/your_domain.com/chain.pem;
include snippets/ssl.conf;
include snippets/letsencrypt.conf;

return 301 https://your_domain.com$request_uri;
}

server {
listen 443 ssl http2;
server_name your_domain.com;

proxy_read_timeout 720s;
proxy_connect_timeout 720s;
proxy_send_timeout 720s;

# Proxy headers
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Real-IP $remote_addr;

# SSL parameters
ssl_certificate /etc/letsencrypt/live/your_domain.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/your_domain.com/privkey.pem;
ssl_trusted_certificate /etc/letsencrypt/live/your_domain.com/chain.pem;
include snippets/ssl.conf;
include snippets/letsencrypt.conf;

# log files
access_log /var/log/nginx/odoo.access.log;
error_log /var/log/nginx/odoo.error.log;

# Handle longpoll requests
location /longpolling {
proxy_pass http://odoochat;
}

# Handle / requests
location / {
proxy_redirect off;
proxy_pass http://odoo;
}

# Cache static files
location ~* /web/static/ {
proxy_cache_valid 200 90m;
proxy_buffering on;
expires 864000;
proxy_pass http://odoo;
}

# Gzip
gzip_types text/css text/less text/plain text/xml application/xml application/json application/javascript;
gzip on;
}

sudo systemctl restart nginx

Useful Tips about Nginx & Odoo :

1/ In your Odoo config file you need to enable the proxy mode by adding :

proxy_mode = True

2/ Enable the multi-processing mode by extending your Odoo config file:

limit_memory_hard = 1677721600
limit_memory_soft = 629145600
limit_request = 8192
limit_time_cpu = 600
limit_time_real = 1200
max_cron_threads = 1
workers = 8