Starting the EveBox Server with TLS¶
Before TLS can be used a private key and certificate must be obtained. EveBox provides a tool to generate a self signed certificate if a certificate cannot be obtained through other means.
Enabling TLS on the Command Line¶
Specify the filename of the TLS certificate file.
Specify the filename of the TLS private key. May be ommitted if the certificate file is a bundle containing the key.
evebox --tls --tls-cert cert.pem --tls-key key.pem
Enabling TLS in the Configuration File¶
TLS can be enabled in the configuration file under
http: tls: enabled: true certificate: /path/to/cert.pem key: /path/to/key.pem
Creating a Self Signed Certificate¶
EveBox ships with a tool to generate self signed TLS certificates.
evebox gencert -o evebox.pem
Full usage of
Usage of gencert: --duration int Duration that certificate is valid for in days (default 365) --hostname string Hostname or IP address (one or more, comma separated) --org string Organization name (default "EveBox User") -o, --outputFilename string Output file (eg. evebox.pem)
EveBox supports self managing TLS certificates from Lets Encrypt if the following conditions are met:
- The server can listen on port 443 (automatically set with the
--letsencryptcommand line option.
- EveBox is reachable publically with a DNS hostname, as required by the Acme protocol.
Due to the requirement of being publically reachable this is probably not useful for most users.
Say your EveBox host is reachable at “demo.evebox.org”, you would start EveBox like:
evebox server --letsencrypt demo.evebox.org
This will start the EveBox server on port 443 with TLS certificates automatically provisioned from Lets Encrypt.
As this requires listening on port 443, you will need to make sure the user running EveBox has the ability to bind to port 443.
On Linux a program may be given the ability to bind to a privileged port by setting the appropriate capability, for example:
setcap 'cap_net_bind_service=+ep' /usr/bin/evebox