oCoreoCore Docs
User Guide

Domains and DNS

Attach custom domains, manage SSL certificates, configure DNS records, and set IP access rules.

oCore lets you attach custom domains to your Odoo instances, manage SSL/TLS certificates, configure DNS records, and set up IP access control rules. Each instance can have multiple domains with one designated as the primary domain.

Domain Management

Manage custom domains and SSL certificates for your instance.

Open in Dashboard

Adding Custom Domains

Open the instance detail page and navigate to the Domains tab.

Click Add Domain and enter the fully qualified domain name (e.g., erp.example.com).

Configure DNS records at your domain registrar (see DNS Record Requirements below).

Click Verify DNS to confirm the domain resolves to your server. Once verified, oCore provisions an SSL certificate automatically.

curl -X POST https://ocore.example.com/api/instances/{instanceId}/domains \
  -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"domain": "erp.example.com"}'
ocore domain add --instance INSTANCE_UUID --domain erp.example.com

Setting a Primary Domain

One domain per instance is designated as the primary domain. Odoo uses this for generating URLs in emails, reports, and redirects.

curl -X PUT https://ocore.example.com/api/instances/{instanceId}/domains/{domainId}/primary \
  -H "Authorization: Bearer $TOKEN"

Deleting a Domain

curl -X DELETE https://ocore.example.com/api/instances/{instanceId}/domains/{domainId} \
  -H "Authorization: Bearer $TOKEN"

Domain Properties

Each domain tracks:

FieldDescription
domainThe fully qualified domain name
isPrimaryWhether this is the primary domain
isAutoGeneratedWhether oCore generated this domain automatically
sslStatusCertificate status: pending, active, expired, error
sslExpiresAtCertificate expiration date
dnsStatusDNS verification status: pending, verified, failed
dnsProviderDNS provider if managed by oCore
dnsRecordIdProvider-specific DNS record identifier

DNS Record Requirements

Configure these DNS records at your domain registrar or DNS provider:

For a Single Instance

Record TypeNameValue
Aerp.example.comYour server's public IP address

For Wildcard Subdomains

If you want automatic subdomains for all instances on a server:

Record TypeNameValue
A*.ocore.example.comYour server's public IP address

Verifying DNS

After adding DNS records, verify propagation:

# Check A record
dig erp.example.com A +short

# Check from multiple locations
nslookup erp.example.com 8.8.8.8

DNS Propagation

DNS changes can take up to 48 hours to propagate globally, though most propagate within minutes. oCore checks DNS status periodically and provisions the SSL certificate once verification passes.

SSL/TLS Certificate Management

oCore manages SSL/TLS certificates automatically using the server's reverse proxy (Traefik, Nginx, or Nginx Proxy Manager).

Certificate Lifecycle

  1. Provisioning -- Certificate requested after DNS verification passes
  2. Active -- Certificate issued and serving HTTPS traffic
  3. Renewal -- Certificates are renewed automatically before expiration (typically 30 days before)
  4. Expiration -- If renewal fails, the certificate expires and oCore alerts you

SSL Status Values

StatusDescription
pendingCertificate not yet provisioned
activeCertificate valid and serving traffic
expiredCertificate expired -- renewal may have failed
errorCertificate provisioning or renewal failed

Force Certificate Renewal

If automatic renewal fails, delete and re-add the domain to trigger a new certificate provisioning, or check the reverse proxy logs on the server for ACME challenge errors.

Let's Encrypt Rate Limits

If using Let's Encrypt for certificates, be aware of rate limits (50 certificates per registered domain per week). Avoid repeatedly deleting and re-adding the same domain.

DNS Configuration

oCore can manage DNS records for your organization through integrated DNS providers.

Organization DNS Settings

Configure a DNS provider at the organization level to enable automatic DNS record management:

curl https://ocore.example.com/api/dns-configs \
  -H "Authorization: Bearer $TOKEN"

When a DNS provider is configured, oCore can:

  • Automatically create A records when domains are added
  • Update records when server IPs change
  • Clean up records when domains are deleted

Email DNS Configuration

For transactional email delivery, configure SPF, DKIM, and DMARC records:

curl https://ocore.example.com/api/email-config \
  -H "Authorization: Bearer $TOKEN"

IP Access Control

Restrict access to your instances by IP address. This is useful for limiting access to staging environments or adding an extra layer of security to production.

Creating IP Access Rules

# Organization-level rule
curl -X POST https://ocore.example.com/api/org/ip-access-rules \
  -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "Office Network",
    "cidr": "203.0.113.0/24",
    "action": "allow"
  }'

# Environment-level rule
curl -X POST https://ocore.example.com/api/environments/{envId}/ip-access-rules \
  -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "Office Network",
    "cidr": "203.0.113.0/24",
    "action": "allow"
  }'
ocore ip-access add \
  --name "Office Network" \
  --cidr 203.0.113.0/24 \
  --action allow \
  --scope instance \
  --scope-id INSTANCE_UUID

Rule Properties

FieldDescription
nameFriendly name for the rule
cidrIP address or CIDR range (e.g., 203.0.113.0/24)
actionallow or deny

Rules are scoped by their API endpoint: organization-level (/api/org/ip-access-rules), project-level (/api/projects/{projectId}/ip-access-rules), or environment-level (/api/environments/{envId}/ip-access-rules).

Lockout Prevention

Be careful when configuring deny rules. Always ensure your current IP is in an allow rule to prevent locking yourself out. oCore does not enforce rules on the management API itself, only on Odoo instance access.

Required Permissions

  • Domain management requires manage:instances permission
  • DNS configuration requires manage:org_settings permission
  • IP access rules follow the scope's permission model

Troubleshooting

Domain not verifying

  • Confirm the A record points to the correct server IP: dig erp.example.com A +short
  • Wait for DNS propagation (check with multiple DNS servers)
  • Ensure there are no conflicting CNAME records on the same hostname

SSL certificate not provisioning

  • Verify DNS is resolving correctly first
  • Check that port 80 is open on the server (needed for HTTP-01 challenge)
  • Review the reverse proxy logs for ACME challenge errors
  • Check Let's Encrypt rate limits if you recently deleted and re-added the domain

Custom domain returns 502 Bad Gateway

  • Verify the instance is in running status
  • Check that the reverse proxy is configured to route the domain to the correct port
  • Verify the proxy type setting on the server matches the actual reverse proxy

IP access rule not working

  • Rules take effect within seconds but may require a page refresh
  • Verify the CIDR notation is correct (e.g., /32 for a single IP)
  • Check rule scope -- instance rules only apply to that specific instance
  • Ensure rules are not conflicting (deny rules take precedence)
Was this page helpful?
Edit on GitHub

Error Tracking

Detect, deduplicate, and track Python errors in your Odoo instances with optional GitHub Issue creation.

Git Integration

Connect GitHub, GitLab, or Bitbucket repositories and set up automatic deployments on push.

On this page

Adding Custom DomainsSetting a Primary DomainDeleting a DomainDomain PropertiesDNS Record RequirementsFor a Single InstanceFor Wildcard SubdomainsVerifying DNSSSL/TLS Certificate ManagementCertificate LifecycleSSL Status ValuesForce Certificate RenewalDNS ConfigurationOrganization DNS SettingsEmail DNS ConfigurationIP Access ControlCreating IP Access RulesRule PropertiesRequired PermissionsTroubleshootingDomain not verifyingSSL certificate not provisioningCustom domain returns 502 Bad GatewayIP access rule not working