How do I set up Let's Encrypt with the Web Reports?

Article ID: 421
Category: Web Reports
Applies to: 4.1.1
Updated: 2024-03-19

Let's Encrypt is a free, automated, and open certificate authority brought to you by the nonprofit Internet Security Research Group (ISRG). Their service offers free TLS/SSL certificates and can be used with the EventSentry Web Reports.

Step 1: Download the Win-ACME client

  • Navigate to Win-ACME with your web browser: https://www.win-acme.com/
  • Download the latest zip file
  • Extract win-acme...x64.pluggable.zip to C:\Program Files\win-acme\

Important Note: Your WebReports installation must be accessible from the internet on port 80, and your domain must be publicly resolvable by DNS servers so that Let's Encrypt can verify the domain and issue the certificate.

Step 2: Create the certificate

  • Launch an elevated command prompt
  • Run the Win-ACME client: wacs.exe (Some Windows versions will display a warning that prevents the application from running; click on More info and then Run), then answer the prompts as follows:
M: Create new certificate (full options)
2: Manual input
demo.example.com
<ENTER>
4: Single Certificate
1: [http] Save verification files on (network) path
C:\Program Files\EventSentry\WebReports\web\webapps\ROOT\WEB-INF\application
N: no
2: RSA key
1: IIS Central Certificate Store (.pfx per domain)
C:\Program Files\EventSentry\WebReports\conf
1: No password
5: No (additional) store steps
3: No (additional) installation steps

Note: While the domain is being validated you may see the error "Preliminary validation failed because 'An error occurred while sending the request.'". This error appears occasionally, but the process still completes successfully.

Step 3: Set up Web Reports with the certificate

Configure a TLS connector by editing the server.xml file, located by default in:
c:\Program Files\EventSentry\WebReports\web\conf

<Connector port="8443" protocol="HTTP/1.1" relaxedQueryChars="[]" 
           maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS"
           keystoreFile="C:\Program Files\EventSentry\WebReports\conf\demo.example.com.pfx" 
           keystorePass=""
           keystoreType="PKCS12" 
           sslEnabledProtocols="TLSv1.2"/>

If you would also like to disable HTTP, look for this connector:

<Connector port="8080" protocol="HTTP/1.1"
           connectionTimeout="20000"
           redirectPort="8443" />

Either delete it or comment it out (enclose it in <!-- and -->).

Step 4: Restart EventSentry Web Reports service

After restarting the "EventSentry Web Reports" service, navigate to https://demo.example.com:8443 to test & access the web reports through TLS.

Step 5: Scheduling the TLS renewal

Now that the web reports are running with a valid certificate, it's recommended to renew the certificate automatically, since Let's Encrypt only issues certificates for 90 days at a time. Running the wacs.exe command with the --renew flag will check the certificate's expiration date and automatically renew your certificate 55 days after creation. This provides you with an adequate amount of time to resolve any issues that may arise when renewing your certificate.

You can utilize EventSentry's Application Scheduler to check for updates every day at 9AM:

As an alternative, you can also schedule the command with the Windows Task Scheduler:

Adding Task Scheduler entry with the following settings
 - Name win-acme renew (acme-v02.api.letsencrypt.org)
 - Path C:\Program Files\win-acme
 - Command wacs.exe --renew --baseuri "https://acme-v02.api.letsencrypt.org/"
 - Start at 09:00:00
 - Time limit 02:00:00
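
The following check is an added example, not part of the original article or of EventSentry or win-acme. It compares the certificate in the PFX from Step 2 with the one the connector on port 8443 is serving and reports the days remaining, because the connector reads the keystore file when it starts and keeps serving that certificate until the service is restarted. The 30-day threshold and the variable names are assumptions.

```powershell
# Added example. Path, host and port are the article's values.
$PfxPath  = 'C:\Program Files\EventSentry\WebReports\conf\demo.example.com.pfx'
$HostName = 'demo.example.com'
$Port     = 8443
$WarnDays = 30   # assumed alert threshold, not from the article

# Certificate win-acme wrote to disk (Step 2 selected "No password").
$onDisk = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($PfxPath, '')

# Certificate the connector is serving. The callback records the validation
# result and returns $true only so the certificate can be read and reported.
$script:policyErrors = $null
$callback = [System.Net.Security.RemoteCertificateValidationCallback] {
    param($s, $cert, $chain, $errors)
    $script:policyErrors = $errors
    $true
}
$tcp = [System.Net.Sockets.TcpClient]::new($HostName, $Port)
try {
    $ssl = [System.Net.Security.SslStream]::new($tcp.GetStream(), $false, $callback)
    # TLS 1.2 matches sslEnabledProtocols in the connector from Step 3.
    $ssl.AuthenticateAsClient($HostName, $null,
        [System.Security.Authentication.SslProtocols]::Tls12, $false)
    $served = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
}
finally {
    $tcp.Dispose()
}

$report = [pscustomobject]@{
    DiskThumbprint    = $onDisk.Thumbprint
    ServedThumbprint  = $served.Thumbprint
    ServedMatchesDisk = $onDisk.Thumbprint -eq $served.Thumbprint
    ServedNotAfter    = $served.NotAfter
    DaysRemaining     = [math]::Floor(($served.NotAfter - (Get-Date)).TotalDays)
    ValidationErrors  = $script:policyErrors
}
$report | Format-List

# Non-zero exit code so a scheduler or monitor can alert on the result.
if (-not $report.ServedMatchesDisk -or
    $report.DaysRemaining -lt $WarnDays -or
    "$($report.ValidationErrors)" -ne 'None') {
    exit 1
}
```

Save it as a .ps1 file and run it from an account that can read the PFX. A ServedMatchesDisk value of False after a renewal means the service is still serving the previous certificate and needs the restart from Step 4.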