Koozali.org: home of the SME Server

SME-9.2, PostgreSQL-10.4, Collection RH-PHP70/RH-Python36 & Odoo-11

Offline michelandre

Re: SME-9.2, PostgreSQL-10.4, Collection RH-PHP70/RH-Python36 & Odoo-11
« Reply #15 on: June 24, 2018, 08:01:19 AM »
Hi all,

I found a solution that solves all the problems. It is not elegant, but it works.

On the main server connected to the Internet:
- Create an odoo.toto.org domain that points to one of the i-bays (not important which one).
- Create a custom-template

Code:
# mkdir -p /etc/e-smith/templates-custom/etc/httpd/conf/httpd.conf/VirtualHosts

# cp /etc/e-smith/templates/etc/httpd/conf/httpd.conf/VirtualHosts/25SSLDirectives  \
                    /etc/e-smith/templates-custom/etc/httpd/conf/httpd.conf/VirtualHosts

***** ***** 25SSLDirectives
{
    if ( $port eq "80" && $virtualHost eq "odoo.toto.org")
    {
        $OUT .= "    \n";
        $OUT .= "    # For the Odoo redirect.\n";
        $OUT .= "    Redirect / https://odoo.toto.org/\n";
    }

    return "    # skipping SSL directives\n" unless $port eq "443";
   
    return "" unless $modSSL{'status'} eq 'enabled';

    $OUT =  <<SSL_END;
    # SSL Directives
    SSLEngine on
SSL_END

    if ( $virtualHost eq "odoo.toto.org" )
    {
        $OUT .= "    \n";
        $OUT .= "    # For the redirect, with port specification\n";
        $OUT .= "    ProxyPass / http://192.168.1.11:8069/ retry=0\n";
        $OUT .= "    ProxyPassReverse / http://192.168.1.11:8069/\n";
    }
}
***** *****
# expand-template /etc/httpd/conf/httpd.conf

# /etc/rc.d/init.d/httpd-e-smith restart

All is working fine except the connection is not secure. After investigation, the problem is from the Let's Encrypt certificate.

- I deleted the custom-template on the main server but kept the domain odoo.toto.org.
- At the registrar of toto.org, I added CNAMEs: www.odoo, http.odoo, https.odoo and ftp.odoo, all pointing to @.
- In /etc/dehydrated/domains.txt, I added: www.odoo.toto.org odoo.toto.org ftp.odoo.toto.org.
- Asked for a new certificate by running "/etc/dehydrated/dehydrated -c"; all went well and *.toto.org were in the certificate.
- Redid the custom-template // # expand-template /etc/httpd/conf/httpd.conf  // # /etc/rc.d/init.d/httpd-e-smith restart

All is running perfectly. I can login and it is always a secure connection.
What I suspect, but I am not sure about it, is that Odoo is running a front end web and rejects the secure connection if the certificate is not correct.

Also:
* Firefox/64bits and TOR are not good browsers for testing Odoo. After login, they do not display the complete page, only the left side.
* Firefox/32bits and Chrome worked correctly.

The problem with this solution is the renewal of the certificate. The challenge for odoo.toto.org will end up on the local Odoo server...
* A solution (which I don't like) will be to: disable the Let's Encrypt cron / do a cron running at 04h05 to disable the reverse-proxy / call the dehydrated script / re-enable the reverse-proxy.
* Another solution is to put the Odoo server directly on the Internet (which I also don't like).

There should be a better way to do this Let's Encrypt thing...

What will happen if I create another domain on the main server called: toto.org?
- Let's Encrypt will resolve correctly.
- odoo.toto.org will be considered a sub-domain of toto.org and the certificate will be good.
- Access Server Manager locally with 192.168.1.11/server-manager

Any help appreciated,

Michel-André
« Last Edit: June 24, 2018, 08:17:17 AM by michelandre »
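
The renewal concern in the post above follows from Apache applying the first matching ProxyPass rule: a catch-all `ProxyPass /` also forwards `/.well-known/acme-challenge/` unless a `!` exclusion precedes it. As an added example (not part of the original post or of SME Server), this shell check scans an expanded httpd.conf for vhosts in that state; the sample config is constructed, and it assumes the front server serves the challenge directory itself once the path is excluded.

```shell
#!/bin/sh
# Added example: flag VirtualHosts whose catch-all "ProxyPass /" has no earlier
# "!" exclusion covering the ACME HTTP-01 path (Apache applies the first match).

ACME_PATH="/.well-known/acme-challenge/"

# check_acme_proxy FILE -> prints "ServerName address" for each affected vhost;
# exit status is 1 if any were found, 0 otherwise.
check_acme_proxy() {
    awk -v acme="$ACME_PATH" '
        /^[ \t]*<VirtualHost/ {
            in_vh = 1; name = "(no ServerName)"; excluded = 0
            addr = $2; sub(/>$/, "", addr); next
        }
        /^[ \t]*<\/VirtualHost/ { in_vh = 0; next }
        !in_vh { next }
        $1 == "ServerName" { name = $2 }
        # An exclusion counts if its path is a prefix of the challenge path.
        $1 == "ProxyPass" && $3 == "!" && index(acme, $2) == 1 { excluded = 1 }
        $1 == "ProxyPass" && $2 == "/" && $3 != "!" && !excluded {
            print name, addr; bad = 1
        }
        END { exit bad + 0 }
    ' "$1"
}

# Constructed sample of the expanded vhost from the post; pass a non-empty
# second argument to place the exclusion line ahead of the catch-all.
write_sample() {
    {
        echo '<VirtualHost 0.0.0.0:443>'
        echo '    ServerName odoo.toto.org'
        echo '    SSLEngine on'
        [ -n "$2" ] && echo "    ProxyPass $ACME_PATH !"
        echo '    ProxyPass / http://192.168.1.11:8069/ retry=0'
        echo '    ProxyPassReverse / http://192.168.1.11:8069/'
        echo '</VirtualHost>'
    } > "$1"
}

tmp=$(mktemp)
write_sample "$tmp"
check_acme_proxy "$tmp" || echo "-> renewal challenge would be proxied to Odoo"
write_sample "$tmp" fixed
check_acme_proxy "$tmp" && echo "-> challenge path stays on the front server"
rm -f "$tmp"
```

On a real server the function would be pointed at the expanded /etc/httpd/conf/httpd.conf after running expand-template.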

Offline ReetP

Re: SME-9.2, PostgreSQL-10.4, Collection RH-PHP70/RH-Python36 & Odoo-11
« Reply #16 on: June 24, 2018, 11:39:51 AM »
I think you are venturing into XY territory here.

http://xyproblem.info/

I think Odoo running on a different machine was part of your problem, but as you didn't say that originally, you have driven your wagon & horses up the wrong track.

Simply, the main server that fronts the internet needs a reverse proxy to the Odoo on a different host/machine.

The Odoo box does not need any proxy stuff on it. Just the main internet-facing box.

You then need a host on the main box pointing to the Odoo IP, a template for letsencrypt to get your letsencrypt certs on the main box, and a hook script to copy them to the Odoo box. Or use the updated letsencrypt contrib in smetest which will allow you to get certs on the main box for other hosts without requiring said override template.

Note that all of that is dependent on you having described things correctly......

In essence, scrap what you have done, and go back to the start.
...
1. Read the Manual
2. Read the Wiki
3. Don't ask for support on Unsupported versions of software
4. I have a job, wife, and kids and do this in my spare time. If you want something fixed, please help.

Bugs are easier than you think: http://wiki.contribs.org/Bugzilla_Help

If you love SME and don't want to lose it, join in: http://wiki.contribs.org/Koozali_Foundation