You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.

181 lines
6.3 KiB

  1. .. image:: https://img.shields.io/badge/licence-AGPL--3-blue.svg
  2. :alt: License: AGPL-3
  3. =============================================
  4. Request SSL certificates from letsencrypt.org
  5. =============================================
  6. This module was written to have your Odoo installation request SSL certificates
  7. from https://letsencrypt.org automatically.
  8. Installation
  9. ============
  10. After installation, this module generates a private key for your account at
  11. letsencrypt.org automatically in ``$data_dir/letsencrypt/account.key``. If you
  12. want or need to use your own account key, replace the file.
  13. For certificate requests to work, your site needs to be accessible via plain
  14. HTTP, see below for configuration examples in case you force your clients to
  15. the SSL version.
  16. After installation, trigger the cronjob `Update letsencrypt certificates` and
  17. watch your log for messages.
  18. This addon depends on the ``openssl`` binary and the ``acme_tiny`` and ``IPy``
  19. python modules. If you use https in your nginx or apache configuration,
  20. openssl should already be installed.
  21. If you still need to install the OpenSSL binary you can use your distro
  22. package manager. For Debian and Ubuntu, that would be:
  23. sudo apt-get install openssl
  24. For installing the ACME-Tiny python module, use the PIP package manager:
  25. sudo pip install acme-tiny
  26. For installing the IPy python module, use the PIP package manager:
  27. sudo pip install IPy
  28. Configuration
  29. =============
  30. This addons requests a certificate for the domain named in the configuration
  31. parameter ``web.base.url`` - if this comes back as ``localhost`` or the like,
  32. the module doesn't request anything.
  33. If you want your certificate to contain multiple alternative names, just add
  34. them as configuration parameters ``letsencrypt.altname.N`` with ``N`` starting
  35. from ``0``. The amount of domains that can be added are subject to `rate
  36. limiting <https://community.letsencrypt.org/t/rate-limits-for-lets-encrypt/6769>`_.
  37. Note that all those domains must be publicly reachable on port 80 via HTTP, and
  38. they must have an entry for ``.well-known/acme-challenge`` pointing to your odoo
  39. instance.
  40. Usage
  41. =====
  42. The module sets up a cronjob that requests and renews certificates automatically.
  43. After the first run, you'll find a file called ``domain.crt`` in
  44. ``$datadir/letsencrypt``, configure your SSL proxy to use this file as certificate.
  45. .. image:: https://odoo-community.org/website/image/ir.attachment/5784_f2813bd/datas
  46. :alt: Try me on Runbot
  47. :target: https://runbot.odoo-community.org/runbot/149/8.0
  48. For further information, please visit:
  49. * https://www.odoo.com/forum/help-1
  50. In depth configuration
  51. ======================
  52. This module uses ``openssl`` to generate CSRs suitable to be submitted to
  53. letsencrypt.org. In order to do this, it copies ``/etc/ssl/openssl.cnf`` to a
  54. temporary and adapts it according to its needs (currently, that's just adding a
  55. ``[SAN]`` section if necessary). If you want the module to use another configuration
  56. template, set config parameter ``letsencrypt.openssl.cnf``.
  57. After refreshing the certificate, the module attempts to run the content of
  58. ``letsencrypt.reload_command``, which is by default ``sudo service nginx reload``.
  59. Change this to match your server's configuration.
  60. You'll also need a matching sudo configuration, like::
  61. your_odoo_user ALL = NOPASSWD: /usr/sbin/service nginx reload
  62. The line above can be added to /etc/sudoers through the visudo command.
  63. If your distribution supports it, like Debian does, you can create and edit
  64. an automatically included file through
  65. ``visudo -f /etc/sudoers.d/letsencrypt``. This will also put the right
  66. authorities on the file (-r--r-----).
  67. The server that provides the certificates will try to check that you actually
  68. control the host that you request a certificate for. It will do this by
  69. requesting through http a file from an uri that contains
  70. ``/.well-known/acme-challenge/xxx``. The letsencrypt module provides a
  71. controller that will provide this uri from the Odoo server, but we have to
  72. configure the frontend nginx or apache server to accept http for these uri's.
  73. Therefore, if you force users to https, you'll need something like this
  74. for nginx::
  75. if ($scheme = "http") {
  76. set $redirect_https 1;
  77. }
  78. if ($request_uri ~ ^/.well-known/acme-challenge/) {
  79. set $redirect_https 0;
  80. }
  81. if ($redirect_https) {
  82. rewrite ^ https://$server_name$request_uri? permanent;
  83. }
  84. and this for apache::
  85. RewriteEngine On
  86. RewriteCond %{HTTPS} !=on
  87. RewriteCond %{REQUEST_URI} "!^/.well-known/"
  88. RewriteRule ^/?(.*) https://%{SERVER_NAME}/$1 [R,L]
  89. In case you need to redirect other nginx sites to your Odoo instance, declare
  90. an upstream for your odoo instance and do something like::
  91. location /.well-known {
  92. proxy_pass http://yourodooupstream;
  93. }
  94. If you're using a multi-database installation (with or without dbfilter option)
  95. where /web/databse/selector returns a list of more than one database, then
  96. you need to add ``letsencrypt`` addon to serverwide load addons list
  97. (by default, only ``web`` addon), setting ``--load`` option.
  98. For example, ``--load=web,letsencrypt``
  99. Bug Tracker
  100. ===========
  101. Bugs are tracked on `GitHub Issues <https://github.com/OCA/server-tools/issues>`_.
  102. In case of trouble, please check there if your issue has already been reported.
  103. If you spotted it first, help us smashing it by providing a detailed and welcomed feedback
  104. `here <https://github.com/OCA/server-tools/issues/new?body=module:%20letsencrypt%0Aversion:%208.0%0A%0A**Steps%20to%20reproduce**%0A-%20...%0A%0A**Current%20behavior**%0A%0A**Expected%20behavior**>`_.
  105. Credits
  106. =======
  107. Contributors
  108. ------------
  109. * Holger Brunn <hbrunn@therp.nl>
  110. * Antonio Espinosa <antonio.espinosa@tecnativa.com>
  111. * Ronald Portier <ronald@therp.nl>
  112. ACME implementation
  113. -------------------
  114. * https://github.com/diafygi/acme-tiny/blob/master/acme_tiny.py
  115. Icon
  116. ----
  117. * https://helloworld.letsencrypt.org
  118. Maintainer
  119. ----------
  120. .. image:: https://odoo-community.org/logo.png
  121. :alt: Odoo Community Association
  122. :target: https://odoo-community.org
  123. This module is maintained by the OCA.
  124. OCA, or the Odoo Community Association, is a nonprofit organization whose
  125. mission is to support the collaborative development of Odoo features and
  126. promote its widespread use.
  127. To contribute to this module, please visit https://odoo-community.org.