📘 SSL Setup (v4.9.1+, Docker)

If you want to activate SSL certificate and run Oempro with https://, please follow the listed steps below.

Important: This article is valid for Oempro v4.9.1 Docker and higher versions.

On the server that runs Oempro v4.9.1+ Docker version, go to the Oempro directory and then SSH login to the “oempro_haproxy” container:

$ docker exec -ti oempro_haproxy bash

Request the Let’s Encrypt SSL certificate:

certbot certonly --standalone -d oempro.domain.com \
--non-interactive --agree-tos --email your@email.com \
--http-01-port=8888

HEADS UP! If you’re going to use multiple domains for open/read tracking (under delivery settings), you can add all these domains to the command above with multiple -d parameters.

Certbot will verify the domain and then issue the certificate. Here’s an example output:

$ certbot certonly --standalone -d oempro.domain.com \
>     --non-interactive --agree-tos --email your@email.com \
>     --http-01-port=8888
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for oempro.domain.com
Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/oempro.yourdomain.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/oempro.yourdomain.com/privkey.pem
   Your cert will expire on 2020-03-19. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"
 - Your account credentials have been saved in your Certbot
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Certbot so
   making regular backups of this folder is ideal.
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

In order to make the certificate usable by HAProxy, you need to combine certificates. Go to oempro/_dockerfiles/letsencrypt/live/ folder, and run;

$ cat mydomain.com/fullchain.pem mydomain.com/privkey.pem | tee mydomain.com/mydomain.com.pem

Edit the _dockerfiles/haproxy.cfg file, uncomment HTTPS related two lines:

# Enable these two lines if you have activated LetsEncrypt SSL
#bind *:443 ssl crt /etc/letsencrypt/live/mydomain.com/mydomain.com.pem
#redirect scheme https if !{ ssl_fc }

Make sure that you have replaced mydomain.com with your actual domain.

TIP: If you’ve multiple certificates to set for HAProxy, add .pem files separating by space. Example:

# Enable these two lines if you have activated LetsEncrypt SSL (multiple pem files)
#bind *:443 ssl crt /etc/letsencrypt/live/mydomain.com/mydomain.com.pem crt /etc/letsencrypt/live/mydomain.com/mydomain2.com.pem crt /etc/letsencrypt/live/mydomain.com/mydomain3.com.pem
#redirect scheme https if !{ ssl_fc }

If you make a change on haproxy.cfg file or on Dockerfile-haproxy file, simply follow these steps:

$ docker-compose build haproxy
$ docker-compose kill haproxy
$ docker-compose up -d haproxy

Don’t forget to edit /opt/oempro/data/config.inc.php and change the value of APP_URL from “http://” to “https://”

To renew the certificate every three months, run this command inside oempro_haproxy Docker container:

$ certbot renew --tls-sni-01-port=8888

After renewing the certificate, run the following command:

$ cat mydomain.com/fullchain.pem mydomain.com/privkey.pem | tee mydomain.com/mydomain.com.pem

To apply changes, restart the HAProxy Docker container:

$ docker-compose build haproxy
$ docker-compose kill haproxy
$ docker-compose up -d haproxy
  • The article was helpful
  • The article was not helpful

0 voters