SSL Certificates

SSL Certificates

SSL Certificates

New SSL Certificate Initialization

If you want to activate SSL certificate and run Oempro with https://, please follow the listed steps below.

Important: This article is valid for Oempro v4.9.1 Docker and higher versions.

On the server that runs Oempro v4.9.1+ Docker version, go to the Oempro directory and then SSH login to the “oempro_haproxy” container:

$ docker exec -ti oempro_haproxy bash

Request the Let’s Encrypt SSL certificate:

certbot certonly --standalone -d \
--non-interactive --agree-tos --email \
HEADS UP! If you’re going to use multiple domains for open/read tracking (under delivery settings), you can add all these domains to the command above with multiple -d parameters.

Certbot will verify the domain and then issue the certificate. Here’s an example output:

$ certbot certonly --standalone -d \
>     --non-interactive --agree-tos --email \
>     --http-01-port=8888
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for
Waiting for verification...
Cleaning up challenges

 - Congratulations! Your certificate and chain have been saved at:
   Your key file has been saved at:
   Your cert will expire on 2020-03-19. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"
 - Your account credentials have been saved in your Certbot
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Certbot so
   making regular backups of this folder is ideal.
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:
   Donating to EFF:          

In order to make the certificate usable by HAProxy, you need to combine certificates. Go to oempro/_dockerfiles/letsencrypt/live/ folder, and run;

$ cat | tee

Edit the _dockerfiles/haproxy.cfg file, uncomment HTTPS related two lines:

# Enable these two lines if you have activated LetsEncrypt SSL
#bind *:443 ssl crt /etc/letsencrypt/live/
#redirect scheme https if !{ ssl_fc }

Make sure that you have replaced with your actual domain.

TIP: If you’ve multiple certificates to set for HAProxy, add .pem files separating by space. Example:

# Enable these two lines if you have activated LetsEncrypt SSL (multiple pem files)
#bind *:443 ssl crt /etc/letsencrypt/live/ crt /etc/letsencrypt/live/ crt /etc/letsencrypt/live/
#redirect scheme https if !{ ssl_fc }

If you make a change on haproxy.cfg file or on Dockerfile-haproxy file, simply follow these steps:

$ docker-compose build haproxy
$ docker-compose kill haproxy
$ docker-compose up -d haproxy

Don’t forget to edit /opt/oempro/data/ and change the value of APP_URL from “http://” to “https://”

Adding New Domains To The SSL Certificate

If you would like to add a new domain to your existing SSL certificate, simply use the following command to expand your current SSL certificate:

certbot certonly --standalone --expand -d <certificate_name>,<new_domain_to_add> --non-interactive --agree-tos --email --http-01-port=8888

SSL Certificate Renewals

To renew the certificate every three months, run this command inside oempro_haproxy Docker container:

$ certbot renew --tls-sni-01-port=8888 --allow-subset-of-names

After renewing the certificate, run the following command:

$ cat | tee

To apply changes, restart the HAProxy Docker container:

$ docker-compose build haproxy
$ docker-compose kill haproxy && docker-compose up -d haproxy

Footer Social Icons

©Copyright Octeth, Inc. All rights reserved.