Odoo 16.0 and PostgreSQL SSL authentication

In this article, we will explore how to securely connect Odoo to a PostgreSQL server using SSL certificates. By utilizing SSL certificates for authentication, we can enhance security beyond the traditional username and password method.


We will provide a comprehensive guide on generating the necessary SSL certificates and configuring PostgreSQL to use these certificates. This secure method of authentication is particularly beneficial when the PostgreSQL server and the Odoo server are on different networks, ensuring data integrity and protection against unauthorized access.

Generating SSL Certificates

To set up an SSL connection between Odoo and PostgreSQL, you'll need to generate the necessary SSL certificates. This includes creating a Certificate Authority (CA), server certificate, and client certificate. Here’s a step-by-step guide:

Certificate Authority Generation (CA)

First, generate a private key for your CA:

openssl genrsa -out ca.key 4096

Then, create a CA certificate using the private key:

openssl req -new -x509 -key ca.key -out ca.crt -days 3650

You’ll be prompted to enter information about your organization. Fill this out as needed.

Generate SSL certificates for PostgreSQL Server

Generate a private key for the PostgreSQL server:

openssl genrsa -out server.key 4096

Create a certificate signing request (CSR):

openssl req -new -key server.key -out server.csr

Sign the server certificate with your CA:

openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt -days 365

Set the correct permissions for the server key:

chmod 600 server.key

Generate SSL certificates for Client 

Generate a private key for the client:

openssl genrsa -out client.key 4096

Create a CSR for the client:

openssl req -new -key client.key -out client.csr

Sign the client certificate with your CA:

openssl x509 -req -in client.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out client.crt -days 365

Configurations

Configuring PostgreSQL for SSL

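Now that we have the necessary certificates, we need to configure PostgreSQL to use SSL. First, copy the server certificate, the server key and the CA certificate into the PostgreSQL data directory: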

cp server.crt server.key ca.crt /var/lib/postgresql/data

Edit the postgresql.conf file to enable SSL:

ssl = on
ssl_cert_file = 'server.crt'
ssl_key_file = 'server.key'
ssl_ca_file = 'ca.crt'


Do not forget to set the listening address to "*" so that PostgreSQL accepts connections on all network interfaces:


listen_addresses = '*'


Edit the pg_hba.conf file to require SSL and a client certificate for client connections:


hostssl all all 0.0.0.0/0 cert

Restart PostgreSQL to apply the changes:


sudo systemctl restart postgresql

Configuring Odoo to Use SSL

To configure Odoo to connect to PostgreSQL over SSL, you need to specify the SSL parameters in the Odoo configuration file (usually odoo.conf):

[options]
db_host = postgres
db_name = odoo
db_user = odoo
db_sslmode = verify-full

Odoo does not pass every db_[VALUE] option to psycopg2, so although you may find advice on the web to use db_sslkey and db_sslcert, these options do not actually work.

The other option for passing this information to the psycopg2 library is to use environment variables:

export PGSSLCERT=/home/odoo/client.crt
export PGSSLKEY=/home/odoo/client.key
export PGSSLROOTCERT=/home/odoo/ca.crt

Replace the paths with the actual paths to your client certificates and the CA certificate.
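
A pre-flight check for the files generated above, as an added example that is not part of the original article: with the cert method in pg_hba.conf PostgreSQL compares the client certificate's Common Name with the database user, and with verify-full libpq compares the server certificate's name with db_host. The function names cert_cn, check_pg_certs and make_demo_certs are chosen here, and the demo certificates are throwaway ones constructed for the run.

```shell
# Added example (not from the article): check certificates against odoo.conf.

# Print the Common Name (CN) from a certificate's subject.
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 |
        sed -n 's/^subject= *//; s/.*CN=\([^,]*\).*/\1/p'
}

# check_pg_certs CA SERVER_CRT CLIENT_CRT DB_HOST DB_USER
# Returns 0 only if both certificates chain to CA and carry the expected CN.
check_pg_certs() {
    ca=$1 server=$2 client=$3 db_host=$4 db_user=$5 rc=0
    for crt in "$server" "$client"; do
        openssl verify -CAfile "$ca" "$crt" >/dev/null 2>&1 ||
            { echo "FAIL: $crt does not chain to $ca"; rc=1; }
    done
    # sslmode=verify-full: certificates made as above have no SAN, so libpq
    # compares the server certificate's CN with db_host.
    [ "$(cert_cn "$server")" = "$db_host" ] ||
        { echo "FAIL: server CN is not db_host ($db_host)"; rc=1; }
    # pg_hba.conf "cert": the client certificate's CN must be the database user.
    [ "$(cert_cn "$client")" = "$db_user" ] ||
        { echo "FAIL: client CN is not db_user ($db_user)"; rc=1; }
    return $rc
}

# Constructed demo input: throwaway CA, server and client certificates in
# directory $1 (2048-bit keys and 1-day validity only to keep the demo quick).
make_demo_certs() {
    ( cd "$1" || exit 1
      openssl req -new -x509 -newkey rsa:2048 -nodes -keyout ca.key \
          -out ca.crt -days 1 -subj "/CN=Demo CA" || exit 1
      for pair in "server:$2" "client:$3"; do
          name=${pair%%:*} cn=${pair#*:}
          openssl req -new -newkey rsa:2048 -nodes -keyout "$name.key" \
              -out "$name.csr" -subj "/CN=$cn" || exit 1
          openssl x509 -req -in "$name.csr" -CA ca.crt -CAkey ca.key \
              -CAcreateserial -out "$name.crt" -days 1 || exit 1
      done ) >/dev/null 2>&1
}

demo=$(mktemp -d)
make_demo_certs "$demo" postgres odoo
check_pg_certs "$demo/ca.crt" "$demo/server.crt" "$demo/client.crt" postgres odoo &&
    echo "OK: certificates match db_host=postgres, db_user=odoo"
check_pg_certs "$demo/ca.crt" "$demo/server.crt" "$demo/client.crt" postgres admin ||
    echo "mismatch detected: this client certificate would not log in as admin"
rm -rf "$demo"
```

To check your real files, call check_pg_certs with the paths to ca.crt, server.crt and client.crt followed by the db_host and db_user values from odoo.conf.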

Conclusion

By following these steps, you can set up a secure SSL connection between Odoo and PostgreSQL, enhancing the security of your data, especially when the servers are on different networks. This method of authentication not only helps in protecting sensitive data but also ensures compliance with security standards.


For more detailed information, you can refer to the official PostgreSQL and Odoo documentation. If you encounter any issues, the community forums and support channels are valuable resources for troubleshooting.
