Table of Contents

  1. Introduction

  2. Why HTTPS Matters for Dolibarr

  3. Understanding SSL/TLS and HTTPS Basics

  4. Pre-requisites for HTTPS Implementation

  5. Choosing the Right SSL Certificate

  6. Installing SSL on Common Web Servers

    • Apache

    • Nginx

  7. Configuring Virtual Hosts for HTTPS

  8. Forcing HTTPS in Dolibarr Configuration

  9. Updating Dolibarr Base URL to HTTPS

  10. Redirecting All Traffic to HTTPS

  11. Handling Mixed Content Warnings

  12. Verifying SSL Installation and Certificate Validity

  13. HTTPS and Module Interoperability

  14. Using Let’s Encrypt for Free SSL

  15. Automatic Renewal and Cron Jobs for SSL

  16. Testing and Validating Secure Access

  17. Security Headers to Add After HTTPS Setup

  18. HTTPS in Multicompany and Subdomain Configurations

  19. Performance Considerations with HTTPS

  20. Conclusion


1. Introduction

HTTPS is no longer optional—it's a necessity. When using Dolibarr ERP/CRM to manage sensitive business data, secure communication between users and the server is critical. This guide explains how to configure Dolibarr to use HTTPS securely and effectively.


2. Why HTTPS Matters for Dolibarr

Using HTTPS protects:

  • User login credentials

  • Financial and customer data

  • Uploaded documents and form submissions

Without HTTPS, these can be intercepted via man-in-the-middle (MITM) attacks.

HTTPS also improves SEO and user trust, and it's often required for features like OAuth authentication or secure APIs.


3. Understanding SSL/TLS and HTTPS Basics

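  • SSL and its successor TLS are cryptographic protocols that encrypt and authenticate traffic between client and server.

  • HTTPS is HTTP layered over SSL/TLS.

  • Certificates validate domain ownership and carry the public key used to set up the encrypted connection.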

Dolibarr itself doesn’t handle encryption—it relies on the web server (Apache, Nginx, etc.).


4. Pre-requisites for HTTPS Implementation

  • A valid domain name (not just an IP address)

  • A publicly reachable server (or internal CA for intranet)

  • Administrative access to your web server

  • Dolibarr properly installed and functional on HTTP


5. Choosing the Right SSL Certificate

Options include:

  • Let’s Encrypt: Free, widely supported, auto-renewable

  • Commercial SSL: For longer validity and warranties

  • Wildcard SSL: Covers subdomains (useful in multicompany setups)

For most use cases, Let’s Encrypt is ideal and cost-effective.


6. Installing SSL on Common Web Servers

Apache Example (Ubuntu):

sudo apt update
sudo apt install certbot python3-certbot-apache
sudo certbot --apache

Nginx Example:

sudo apt install certbot python3-certbot-nginx
sudo certbot --nginx

Follow the prompts to generate and install the certificate.


7. Configuring Virtual Hosts for HTTPS

For Apache:

<VirtualHost *:443>
  ServerName yourdomain.com
  DocumentRoot /var/www/dolibarr/htdocs
  SSLEngine on
  SSLCertificateFile /etc/letsencrypt/live/yourdomain.com/fullchain.pem
  SSLCertificateKeyFile /etc/letsencrypt/live/yourdomain.com/privkey.pem
</VirtualHost>

For Nginx:

server {
  listen 443 ssl;
  server_name yourdomain.com;
  ssl_certificate /etc/letsencrypt/live/yourdomain.com/fullchain.pem;
  ssl_certificate_key /etc/letsencrypt/live/yourdomain.com/privkey.pem;
  root /var/www/dolibarr/htdocs;
}

8. Forcing HTTPS in Dolibarr Configuration

Edit htdocs/conf/conf.php:

$dolibarr_main_force_https = 1;

This tells Dolibarr to redirect all HTTP requests to HTTPS automatically.


9. Updating Dolibarr Base URL to HTTPS

In Dolibarr:

  • Go to Setup > Other Setup

  • Update any URLs containing http:// to https://

  • Especially relevant for document paths and external links


10. Redirecting All Traffic to HTTPS

Apache (via .htaccess):

RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

Nginx:

server {
  listen 80;
  server_name yourdomain.com;
  return 301 https://$host$request_uri;
}

11. Handling Mixed Content Warnings

Mixed content occurs when HTTPS pages load HTTP resources:

  • Update image, script, CSS links to https://

  • Use relative paths where possible

  • Scan templates and custom modules for hardcoded URLs

Use browser dev tools (Console tab) to identify insecure elements.
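
The scan for hardcoded URLs can be scripted. The following is an added example, not part of Dolibarr or of the original guide: it reports http:// sub-resources (scripts, images, stylesheets, CSS url() references) while ignoring ordinary <a href> links, which are not mixed content. The regexes are a heuristic and the sample fragment is constructed.

```python
import re
from pathlib import Path

# Tags whose src/href makes the browser fetch a sub-resource. <a href> is a
# navigation link, not mixed content, so it is deliberately not listed.
TAG_RE = re.compile(
    r'''<(script|img|iframe|link|source|embed|audio|video)\b[^>]*?'''
    r'''\b(?:src|href)\s*=\s*["'](http://[^"']+)''', re.I)
CSS_RE = re.compile(r'''url\(\s*["']?(http://[^"')\s]+)''', re.I)

def scan_text(text):
    """Return sorted (line, kind, url) for every http:// sub-resource."""
    hits = []
    for regex, fixed_kind in ((TAG_RE, None), (CSS_RE, "css")):
        for m in regex.finditer(text):
            line = text.count("\n", 0, m.start()) + 1
            kind = fixed_kind or m.group(1).lower()
            hits.append((line, kind, m.group(m.lastindex)))
    return sorted(hits)

def scan_tree(root, suffixes=(".php", ".html", ".css", ".js")):
    """Scan a directory (e.g. a custom module folder) and map file -> hits."""
    report = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in suffixes:
            hits = scan_text(path.read_text(errors="replace"))
            if hits:
                report[str(path)] = hits
    return report

# Constructed template fragment, not taken from Dolibarr
SAMPLE = '''<link rel="stylesheet" href="http://cdn.example.test/theme.css">
<a href="http://example.test/help">Help</a>
<img src="/theme/logo.png">
<script src="http://cdn.example.test/lib.js"></script>
<div style="background: url('http://img.example.test/bg.png')"></div>
<img src="https://img.example.test/ok.png">
'''

if __name__ == "__main__":
    for line, kind, url in scan_text(SAMPLE):
        print(f"line {line}: <{kind}> loads {url}")
```

Tags whose attributes contain PHP expressions with a ">" character can be missed, so treat an empty report as a starting point and confirm in the browser console.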


12. Verifying SSL Installation and Certificate Validity

Tools:

Check for:

  • Expiration dates

  • Intermediate certificate chain

  • Correct domain and wildcard coverage
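
The three checks above can be automated with Python's standard ssl module. This is an added example, not part of the original guide: fetch_cert performs a fully verified handshake (which fails on a broken intermediate chain), and check_cert reports days to expiry and any hostnames the certificate does not cover. The sample certificate data and host names are constructed.

```python
import socket
import ssl
import time

def fetch_cert(host, port=443, timeout=5.0):
    """Handshake with full verification; raises ssl.SSLCertVerificationError
    when the chain is incomplete, the cert is expired or the name is wrong."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

def name_matches(pattern, host):
    """A wildcard covers exactly one left-most label: *.example.test matches
    erp.example.test but not example.test or a.erp.example.test."""
    p, h = pattern.lower().split("."), host.lower().split(".")
    if len(p) != len(h):
        return False
    return p[1:] == h[1:] and p[0] in ("*", h[0])

def check_cert(cert, hosts, now=None, warn_days=30):
    """Report days until expiry and which of `hosts` the SAN list misses."""
    now = time.time() if now is None else now
    days_left = int((ssl.cert_time_to_seconds(cert["notAfter"]) - now) // 86400)
    sans = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    uncovered = [h for h in hosts if not any(name_matches(s, h) for s in sans)]
    return {"days_left": days_left,
            "renew_soon": days_left < warn_days,
            "uncovered": uncovered}

# Constructed sample in the shape getpeercert() returns (not a real certificate)
SAMPLE_CERT = {
    "notAfter": "Jun  1 00:00:00 2025 GMT",
    "subjectAltName": (("DNS", "yourdomain.com"), ("DNS", "*.yourdomain.com")),
}
SAMPLE_NOW = ssl.cert_time_to_seconds("May 12 00:00:00 2025 GMT")

if __name__ == "__main__":
    print(check_cert(SAMPLE_CERT,
                     ["yourdomain.com", "erp.yourdomain.com",
                      "a.erp.yourdomain.com"], now=SAMPLE_NOW))
```

Against a live server, pass the result of fetch_cert("yourdomain.com") as the first argument and list every hostname the instance is served under.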


13. HTTPS and Module Interoperability

Some modules (e.g., OAuth, payment gateways, APIs) require HTTPS. Ensure:

  • Callback URLs use https://

  • Token exchanges are secure

  • External integrations don’t fail silently due to protocol mismatch


14. Using Let’s Encrypt for Free SSL

Let’s Encrypt is ideal for small to medium businesses:

  • Automatic validation

  • No cost

  • Wide compatibility

Certbot handles domain verification and certificate deployment.


15. Automatic Renewal and Cron Jobs for SSL

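Let’s Encrypt certificates are valid for 90 days. Set up automatic renewal in root's crontab:

# Open root's crontab for editing
sudo crontab -e
# Add this entry: attempt renewal every day at 02:00
0 2 * * * /usr/bin/certbot renew --quiet

Test renewal manually:

sudo certbot renew --dry-run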

16. Testing and Validating Secure Access

Once configured:

  • Access Dolibarr using https://yourdomain.com

  • Test login, file uploads, API calls

  • Verify that sessions don’t fall back to HTTP


17. Security Headers to Add After HTTPS Setup

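Enhance HTTPS with the following response headers (Apache syntax; requires mod_headers):

# HSTS is cached by browsers for max-age seconds and applies to every subdomain;
# enable it only once all subdomains serve HTTPS
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
# Limits all resource loads to the site's own origin and blocks inline scripts
# and styles; confirm Dolibarr pages and modules still render before enforcing
Header always set Content-Security-Policy "default-src 'self'"
Header always set X-Content-Type-Options "nosniff"
Header always set X-Frame-Options "SAMEORIGIN"
# Legacy header: current Chrome, Firefox and Edge ignore it
Header always set X-XSS-Protection "1; mode=block"

These headers mitigate protocol downgrade, content injection, MIME sniffing and clickjacking.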
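
To confirm that the headers from this section are actually served, and that sessions do not fall back to HTTP as section 16 asks, the response headers can be audited in code. This is an added example, not part of the original guide: it parses the HSTS value, compares the other headers with the values shown above, and flags session cookies without the Secure attribute and redirects that point back to http://. The cookie name and both sample responses are constructed.

```python
def parse_hsts(value):
    """Return (max_age_seconds_or_None, include_subdomains)."""
    max_age, subdomains = None, False
    for part in value.split(";"):
        name, _, arg = part.strip().partition("=")
        name, arg = name.strip().lower(), arg.strip().strip('"')
        if name == "max-age" and arg.isdigit():
            max_age = int(arg)
        elif name == "includesubdomains":
            subdomains = True
    return max_age, subdomains

def audit_response(headers, min_hsts_age=31536000):
    """headers: list of (name, value) pairs from one HTTPS response."""
    by_name, findings = {}, []
    for name, value in headers:
        by_name.setdefault(name.lower(), []).append(value.strip())
    if "strict-transport-security" not in by_name:
        findings.append("HSTS header missing")
    else:
        age, subdomains = parse_hsts(by_name["strict-transport-security"][0])
        if age is None or age < min_hsts_age:
            findings.append("HSTS max-age below %d" % min_hsts_age)
        if not subdomains:
            findings.append("HSTS lacks includeSubDomains")
    for name, want in (("x-content-type-options", "nosniff"),
                       ("x-frame-options", "sameorigin")):
        if by_name.get(name, [""])[0].lower() != want:
            findings.append("%s is not %s" % (name, want))
    if "content-security-policy" not in by_name:
        findings.append("Content-Security-Policy missing")
    for cookie in by_name.get("set-cookie", []):
        attrs = [a.strip().lower() for a in cookie.split(";")[1:]]
        if "secure" not in attrs:  # cookie would also be sent over http://
            findings.append("cookie %s lacks Secure" % cookie.split("=", 1)[0])
    for location in by_name.get("location", []):
        if location.lower().startswith("http://"):
            findings.append("redirect downgrades to " + location)
    return findings
# Constructed responses; the cookie name and values are made up
GOOD = [("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
        ("Content-Security-Policy", "default-src 'self'"),
        ("X-Content-Type-Options", "nosniff"),
        ("X-Frame-Options", "SAMEORIGIN"),
        ("Set-Cookie", "SESSIONID_example=abc123; path=/; secure; HttpOnly")]
BAD = [("Strict-Transport-Security", "max-age=300"),
       ("X-Content-Type-Options", "nosniff"),
       ("Set-Cookie", "SESSIONID_example=abc123; path=/; HttpOnly"),
       ("Location", "http://yourdomain.com/index.php")]
```

Feed it the header list from any HTTP client (for example the getheaders() result of http.client) for the login page and for a page requested after login.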


18. HTTPS in Multicompany and Subdomain Configurations

Each subdomain must:

  • Have its own certificate (or wildcard)

  • Be configured in the web server

  • Be linked to its entity in Dolibarr

Ensure correct redirects and SSL coverage per domain.


19. Performance Considerations with HTTPS

Modern HTTPS is optimized:

  • Use HTTP/2 for faster multi-request delivery

  • Enable GZIP compression

  • Use caching headers for static assets

SSL overhead is minimal on modern servers.


20. Conclusion

Securing your Dolibarr ERP with HTTPS is essential to protect your data, comply with best practices, and enable secure integrations. From certificate installation to full HTTPS enforcement, following these steps will ensure your instance is safe, trusted, and reliable.