OpenERP-Apache with SSL:

I am writing here, how I configured openerp-apache for SSL support in Ubuntu 10.04

LTS.I believe, this could hold good for most debian based systems.

Installing openerp server and client:

You can read the official document in,

Installing apache and enabling supporting modules:

$ sudo apt-get install apache2

$ sudo a2enmod ssl

$ sudo a2ensite default-ssl

$ sudo /etc/init.d/apache2 restart

$ sudo a2enmod proxy

$ sudo a2enmod proxy_http

$ sudo a2enmod proxy_connect

$ sudo a2enmod proxy_ftp

$ sudo a2enmod headers

$ sudo /etc/init.d/apache2 restart

Generating keys and certificates:

Now you should see the default certificate and key files,

You may use openssl to generate your own certificates.

You can read more in,

Web server configurations:

Edit /etc/apache2/ports.conf and add a new line,
Listen 443
Make sure you don’t have two entries for same port.
If you have static IP and domain name, edit the file /etc/hosts and add a new line,       localhost       selvam-laptop


Proxy setting:

We will use reverse proxy here.

You can read more about reverse proxy in,

To setup Reverse proxy,
Edit /etc/apache2/sites-available/default-ssl and add these lines in the last part.

<Proxy *>

AddDefaultCharset off

Order deny,allow

Allow from all


ProxyRequests Off
ProxyPass   /

ProxyPassReverse /

RequestHeader set “X-Forwarded-Proto” “https”
# Fix IE problem (http error 408/409)

SetEnv proxy-nokeepalive 1


The same file should already contain the lines,

SSLEngine on

SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem

SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key

Postgres permissions:

Add postgres user to the ssl-cert group by,

usermod -aG ssl-cert postgres

Change the permission of key file like below,

chmod -R 650 /etc/ssl/private/

It should look like,
drw-r-x— 2 root ssl-cert  4096 2010-10-26 00:14 private

Otherwise you may face error “Can not read server.key file, permission denied”

on postgres start.

To make sure the key file is accessible, login as postgres user and use,

$cat /etc/ssl/private/ssl-cert-snakeoil.key

The symbolic links from postgres will look like,

$  ls -l /var/lib/postgresql/8.4/main/s*

lrwxrwxrwx  1 postgres ssl-cert   36 2010-10-25 19:55 server.crt -> /etc/ssl/certs/ssl-cert-snakeoil.pem
lrwxrwxrwx  1 postgres ssl-cert   38 2010-10-25 19:55 server.key -> /etc/ssl/private/ssl-cert-snakeoil.key

Openerp-Web Configuration:

update the openerp-web.cfg with,

server.socket_host = “”

tools.proxy.on = True


base_url_filter.use_x_forwarded_host = False

base_url_filter.base_url = “;

tools.csrf.on = False

Starting Server:

$ sudo /etc/init.d/apache2 restart

$ sudo /etc/init.d/postgresql-8.4 force-reload

Restart the openerp-web.

Restart the openerp-server as,

openerp-server –secure –cert-file=/etc/ssl/certs/ssl-cert-snakeoil.pem –pkey-file=/etc/ssl/private/ssl-cert-snakeoil.key

You can use -s to save configuration to ~/.openerp_serverrc

Now, you should be able to access, as well as


If you face any errors in accessing the final site,

You could see the output of error log to figure out the issue,

$tail -f /var/log/apache2/error.log



2 Comments (+add yours?)

  1. sjitendra
    Dec 23, 2010 @ 17:19:15

    Thank you.. It’s working..Nice Blog
    But, I have one problem… not accessing the website with domain name in lan excluding localhost machine for application


  2. Mario Andrés Correa
    Feb 26, 2011 @ 21:34:39

    On it right now.. Good post! Gonna twitt it..


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s

%d bloggers like this: