Enable SSL EVE PRO with Let’s Encrypt

How To enable SSL  EVE PRO with Let’s Encrypt

Don’t apply this method for EVE-COMMUNITY

Instructions
NOTE: the procedure below require to keep open ports 80 and 443 to have periodic Let’s Encrypt certificate renewal

1. Install certbot

On CLI, copy/paste following lines:

apt update
apt install certbot

2. Stop Apache

systemctl stop apache2

3. Create Let’s encrypt certificate

You need to choose your full site name for this step. This sample will use myeve.example.com

certbot certonly --standalone --preferred-challenges http -d myeve.exemple.com

4. Update Apache config, run these commands in the EVE CLI.

CERT=$(find /etc/letsencrypt/live/ -name fullchain*)
KEY=$(find /etc/letsencrypt/live/ -name priv*)

sed -i --follow-symlinks /etc/apache2/sites-enabled/eveng-ssl.conf -Ee 's,(\s+SSLCertificateFile\s+).+,\1'$CERT',g'
sed -i --follow-symlinks /etc/apache2/sites-enabled/eveng-ssl.conf -Ee 's,(\s+SSLCertificateKeyFile\s+).+,\1'$KEY',g'

5. Restart apache

systemctl start apache2

6. Renewal

Let’s Encrypt certificates are valid for 90 days, but it’s recommended that you renew the certificates every 60 days to allow a margin of error. The certbot Let’s Encrypt client has a renew command that automatically checks the currently installed certificates and tries to renew them if they are less than 30 days away from the expiration date.

Manual renewal require to have your EVE server reachable from internet using port 80. Disable any security or firewall rule blocking this port if you have such protection.

Use following command for renew:

certbot renew --pre-hook "systemctl stop apache2" --post-hook "systemctl start apache2"

A practical way to ensure your certificates won’t get outdated is to create a cron job that will periodically execute the automatic renewal command for you. Since the renewal first checks for the expiration date and only executes the renewal if the certificate is less than 30 days away from expiration, it is safe to create a cron job that runs every week or even every day, for instance. Be sure to never restrict accessibility to your server using port 80 to use the crontab method.

Let’s edit the crontab to create a new job that will run the renewal command every week. To edit the crontab for the root user, run:

crontab -e

Include the following content, all in one line:

crontab
30 2 * * 1 certbot renew --pre-hook "systemctl stop apache2" --post-hook "systemctl start apache2" >> /var/log/le-renew.log