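Accessing Eve-NG over HTTPS

Problem

Normally you can request an SSL certificate from Let's Encrypt.
The Eve-NG website has a tutorial for this.
http://www.eve-ng.net/documentation/howto-s/82-howto-enable-letsencrypt-on-eve-2

However, because ports 80 and 443 are blocked, the request may fail with an error.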

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: xxx.com
   Type:   connection
   Detail: Fetching
   http://xxx.com/.well-known/acme-challenge/FNqnQqFIpQiqy_PcuIOD6vegvFc0W4F1aMGkmjbf51k:
   Timeout during connect (likely firewall problem)

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address. Additionally, please check that
   your computer has a publicly routable IP address and that no
   firewalls are preventing the server from communicating with the
   client. If you're using the webroot plugin, you should also verify
   that you are serving files from the webroot path you provided.
 - Your account credentials have been saved in your Certbot
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Certbot so
   making regular backups of this folder is ideal.

So another method is needed.

Steps

sudo add-apt-repository -y ppa:certbot/certbot
sudo apt-get update
sudo apt-get install certbot
sudo certbot certonly --manual --preferred-challenges dns -d xxx.com

Follow the prompts; you will need to create a TXT record.
Google has a tool for checking whether the TXT record has taken effect.
https://toolbox.googleapps.com/apps/dig/
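
As an added example (not part of the original post), the same check can be run from the shell with dig against each authoritative nameserver of the zone before pressing Enter in certbot. The function names, the script name and the optional zone argument are assumptions of this example.

```sh
#!/bin/sh
# Added example: confirm the DNS-01 TXT record before pressing Enter in certbot.
# Usage (assumed script name; the third argument is the DNS zone, needed when
# the certificate name is a subdomain such as eve-ng.xxx.com):
#   sh check_acme_txt.sh eve-ng.xxx.com '<value printed by certbot>' xxx.com

# Normalise `dig +short TXT` output read from stdin: one record per line,
# quotes removed and the chunks of a split record ("abc" "def") joined.
normalize_txt() {
    sed -e 's/" "//g' -e 's/^"//' -e 's/"$//'
}

# Succeeds only if the expected value equals one whole TXT record on stdin.
# `--` keeps a value that starts with "-" from being read as a grep option.
txt_has_value() {
    normalize_txt | grep -Fxq -- "$1"
}

# Ask every authoritative nameserver of the zone for _acme-challenge.<name>.
# Returns 0 only when all of them already serve the expected value.
check_authoritative() {
    name=$1 expected=$2 zone=${3:-$1} rc=0
    servers=$(dig +short NS "$zone")
    [ -n "$servers" ] || { echo "no NS records found for $zone" >&2; return 2; }
    for ns in $servers; do
        if dig +short TXT "_acme-challenge.$name" "@$ns" | txt_has_value "$expected"; then
            echo "ok       $ns"
        else
            echo "missing  $ns"
            rc=1
        fi
    done
    return $rc
}

# Run the live check only when a name and a value are given on the command line.
if [ "$#" -ge 2 ]; then
    check_authoritative "$@"
fi
```

A "missing" line means that nameserver does not yet return the value certbot printed, so wait and run the check again before continuing.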

On success, a message like the following appears.

Press Enter to Continue
Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/eve-ng.xxx.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/eve-ng.xxx.com/privkey.pem
   Your cert will expire on 2018-12-12. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

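Four pem files are generated here, but only fullchain.pem and privkey.pem are needed.

Run the following command to write the configuration below. Note that the SSLCertificateFile and SSLCertificateKeyFile paths need to be changed to match your own certificate.

cat << 'EOF' > /etc/apache2/sites-enabled/default-ssl.conf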

<IfModule mod_ssl.c>
    <VirtualHost _default_:443>
        ServerAdmin webmaster@localhost
        DocumentRoot /opt/unetlab/html/
        ErrorLog /opt/unetlab/data/Logs/ssl-error.log
        CustomLog /opt/unetlab/data/Logs/ssl-access.log combined
        Alias /Exports /opt/unetlab/data/Exports
        Alias /Logs /opt/unetlab/data/Logs
        SSLEngine on
        SSLCertificateFile    /etc/letsencrypt/live/eve-ng.xxx.com/fullchain.pem
        SSLCertificateKeyFile /etc/letsencrypt/live/eve-ng.xxx.com/privkey.pem
        <FilesMatch "\.(cgi|shtml|phtml|php)$">
                SSLOptions +StdEnvVars
        </FilesMatch>
        <Directory /usr/lib/cgi-bin>
                SSLOptions +StdEnvVars
        </Directory>
        <Location /html5/>
                Order allow,deny
                Allow from all
                ProxyPass http://127.0.0.1:8080/guacamole/ flushpackets=on
                ProxyPassReverse http://127.0.0.1:8080/guacamole/
        </Location>

        <Location /html5/websocket-tunnel>
                Order allow,deny
                Allow from all
                ProxyPass ws://127.0.0.1:8080/guacamole/websocket-tunnel
                ProxyPassReverse ws://127.0.0.1:8080/guacamole/websocket-tunnel
        </Location>
    </VirtualHost>
</IfModule>
EOF

Then restart the Apache service

/etc/init.d/apache2 restart

Reference links

https://blog.csdn.net/conghua19/article/details/81433716
http://www.eve-ng.net/documentation/howto-s/82-howto-enable-letsencrypt-on-eve-2
