How To enable SSL EVE Community with Let’s Encrypt

Don’t apply this method for EVE-PRO

Instructions
Don’t Apply this method for EVE-PRO 1. Install certbot On CLI, copy/paste following lines: apt update apt install certbot 3. Enable SSL module sudo a2enmod ssl sudo openssl req -x509 -nodes -days 3650 -newkey rsa:2048 -keyout /etc/ssl/private/apache-selfsigned.key -out /etc/ssl/certs/apache-selfsigned.crt 4. Create config file cat << EOF > /etc/apache2/sites-enabled/default-ssl.conf <IfModule mod_ssl.c> <VirtualHost _default_:443> ServerAdmin webmaster@localhost DocumentRoot /opt/unetlab/html/ ErrorLog /opt/unetlab/data/Logs/ssl-error.log CustomLog /opt/unetlab/data/Logs/ssl-access.log combined Alias /Exports /opt/unetlab/data/Exports Alias /Logs /opt/unetlab/data/Logs SSLEngine on SSLCertificateFile /etc/ssl/certs/apache-selfsigned.crt SSLCertificateKeyFile /etc/ssl/private/apache-selfsigned.key <FilesMatch "\.(cgi\|shtml\|phtml\|php)$"> SSLOptions +StdEnvVars </FilesMatch> <Directory /usr/lib/cgi-bin> SSLOptions +StdEnvVars </Directory> <Location /html5/> Order allow,deny Allow from all ProxyPass http://127.0.0.1:8080/guacamole/ flushpackets=on ProxyPassReverse http://127.0.0.1:8080/guacamole/ </Location> <Location /html5/websocket-tunnel> Order allow,deny Allow from all ProxyPass ws://127.0.0.1:8080/guacamole/websocket-tunnel ProxyPassReverse ws://127.0.0.1:8080/guacamole/websocket-tunnel </Location> </VirtualHost> </IfModule> EOF 5. Create Let’s encrypt certificate You need to choose your full site name for this step. This sample will use www.example.com... certbot --apache -d www.example.com 6. Restat Apache /etc/init.d/apache2 restart Remark: Let’s Encrypt certificates are valid for 90 days, but it’s recommended that you renew the certificates every 60 days to allow a margin of error. The certbot-auto Let’s Encrypt client has a renew command that automatically checks the currently installed certificates and tries to renew them if they are less than 30 days away from the expiration date. A practical way to ensure your certificates won’t get outdated is to create a cron job that will periodically execute the automatic renewal command for you. Since the renewal first checks for the expiration date and only executes the renewal if the certificate is less than 30 days away from expiration, it is safe to create a cron job that runs every week or even every day, for instance. Let’s edit the crontab to create a new job that will run the renewal command every week. To edit the crontab for the root user, run: crontab -e Include the following content, all in one line: crontab 30 2 * * 1 certbot renew >> /var/log/le-renew.log Annex 2. To disable SSL a2dismod ssl /etc/init.d/apache2 restart

Instructions

Don’t Apply this method for EVE-PRO

1. Install certbot

On CLI, copy/paste following lines:

apt update
apt install certbot

3. Enable SSL module

sudo a2enmod ssl

sudo openssl req -x509 -nodes -days 3650 -newkey rsa:2048 -keyout /etc/ssl/private/apache-selfsigned.key -out /etc/ssl/certs/apache-selfsigned.crt

4. Create config file

cat << EOF > /etc/apache2/sites-enabled/default-ssl.conf
<IfModule mod_ssl.c>
    <VirtualHost _default_:443>
        ServerAdmin webmaster@localhost
        DocumentRoot /opt/unetlab/html/
        ErrorLog /opt/unetlab/data/Logs/ssl-error.log
        CustomLog /opt/unetlab/data/Logs/ssl-access.log combined
        Alias /Exports /opt/unetlab/data/Exports
        Alias /Logs /opt/unetlab/data/Logs
        SSLEngine on
        SSLCertificateFile    /etc/ssl/certs/apache-selfsigned.crt
        SSLCertificateKeyFile /etc/ssl/private/apache-selfsigned.key
        <FilesMatch "\.(cgi|shtml|phtml|php)$">
                SSLOptions +StdEnvVars
        </FilesMatch>
        <Directory /usr/lib/cgi-bin>
                SSLOptions +StdEnvVars
        </Directory>
        <Location /html5/>
                Order allow,deny
                Allow from all
                ProxyPass http://127.0.0.1:8080/guacamole/ flushpackets=on
                ProxyPassReverse http://127.0.0.1:8080/guacamole/
        </Location>

        <Location /html5/websocket-tunnel>
                Order allow,deny
                Allow from all
                ProxyPass ws://127.0.0.1:8080/guacamole/websocket-tunnel
                ProxyPassReverse ws://127.0.0.1:8080/guacamole/websocket-tunnel
        </Location>
    </VirtualHost>
</IfModule>
EOF

5. Create Let’s encrypt certificate

You need to choose your full site name for this step. This sample will use www.example.com...

certbot --apache -d www.example.com

6. Restat Apache

/etc/init.d/apache2 restart

Remark:

Let’s Encrypt certificates are valid for 90 days, but it’s recommended that you renew the certificates every 60 days to allow a margin of error. The certbot-auto Let’s Encrypt client has a renew command that automatically checks the currently installed certificates and tries to renew them if they are less than 30 days away from the expiration date.

A practical way to ensure your certificates won’t get outdated is to create a cron job that will periodically execute the automatic renewal command for you. Since the renewal first checks for the expiration date and only executes the renewal if the certificate is less than 30 days away from expiration, it is safe to create a cron job that runs every week or even every day, for instance.

Let’s edit the crontab to create a new job that will run the renewal command every week. To edit the crontab for the root user, run:

crontab -e

Include the following content, all in one line:

crontab

30 2 * * 1 certbot renew >> /var/log/le-renew.log

Annex 2. To disable SSL

a2dismod  ssl
/etc/init.d/apache2 restart