Hiawatha 10.2 and Let's Encrypt certificates
This is my first attempt at using Let's Encrypt, which is a completely free and open SSL Certificate Authority.
To make things easier, I'm using Hugo Leisink's Let's Encrypt script - more details on this can be found here: https://www.hiawatha-webserver.org/weblog/110
1. Add my repository
yum install http://rpm.chaidas.com/rpm.chaidas.com-0.1-1.x86_64.rpm
2. Install Hiawatha 10.2
yum install hiawatha
3. Make sure you have already pointed a DNS record at the server - in this example I will use staging.weirdbricks.com:
dig staging.weirdbricks.com +short
69.87.216.105
Note: Do not skip this step, otherwise a Let's Encrypt certificate cannot be issued!
4. Get the script and untar it:
cd /tmp
wget https://www.hiawatha-webserver.org/files/letsencrypt.tar.gz
tar -xzf letsencrypt.tar.gz
cd letsencrypt
5. Install PHP-CLI and the php-process module at a minimum
yum install php-cli php-process
6. Open the file letsencrypt.conf - at a minimum you have to change ACCOUNT_EMAIL_ADDRESS. In my case:
from:
ACCOUNT_EMAIL_ADDRESS = info@example.org
to:
ACCOUNT_EMAIL_ADDRESS = lampros@chaidas.com
7. Save and exit - once done, register your account with the command:
./letsencrypt register
Sample output:
./letsencrypt register
Generating account key.
Registering account.
Account registered successfully.
8. We need to create a Hiawatha Virtual Host before we move any further.
Create a subdirectory for your configurations:
mkdir -pv /etc/hiawatha/conf.d
9. Tell Hiawatha to include all configs under /etc/hiawatha/conf.d:
echo "Include /etc/hiawatha/conf.d" >> /etc/hiawatha/hiawatha.conf
10. Tell Hiawatha to run as user and group hiawatha:
useradd -s /sbin/nologin -M hiawatha
sed -i -- 's/ServerId = www-data/ServerId = hiawatha:hiawatha/g' /etc/hiawatha/hiawatha.conf
11. Now add /etc/hiawatha/conf.d/staging.weirdbricks.com.conf with this content:
VirtualHost {
Hostname = staging.weirdbricks.com
WebsiteRoot = /var/www/html/staging
StartFile = index.html
AccessLogfile = /var/log/hiawatha/staging-access.log
ErrorLogfile = /var/log/hiawatha/staging-error.log
}
12. Create the WebsiteRoot directory:
mkdir -pv /var/www/html/staging
13. Add a minimalistic index.html file:
echo "<html><title>hello</title></html>" > /var/www/html/staging/index.html
14. Fix ownership:
chown -R hiawatha: /var/www/html/staging
15. Restart Hiawatha:
service hiawatha restart
16. Make sure you have an output directory and request your certificate:
mkdir -pv /etc/hiawatha/tls/
./letsencrypt request staging.weirdbricks.com
I got the following output:
Authorizing staging.weirdbricks.com.
- Retrieving HTTP authentication challenge.
- Retrieving authorization key.
Generating RSA key.
Generating CSR.
Retrieving certificate.
Using /etc/hiawatha/tls/staging.weirdbricks.com.pem as output file.
-----BEGIN PRIVATE KEY-----
....
....
REDACTED
....
....
-----END PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
....
....
REDACTED
....
....
-----END CERTIFICATE-----
Retrieving CA certificate.
-----BEGIN CERTIFICATE-----
....
....
REDACTED
....
....
-----END CERTIFICATE-----
17. Now remember - the above was issued by the staging CA and is for testing only. To get a proper cert, edit letsencrypt.conf:
Comment out line 23:
#LE_CA_HOSTNAME = acme-staging.api.letsencrypt.org # Testing
and uncomment line 22:
LE_CA_HOSTNAME = acme-v01.api.letsencrypt.org # Production
18. Now re-register:
./letsencrypt register
Output:
./letsencrypt register
Registering account.
Account registered successfully.
19. And re-request a cert:
./letsencrypt request staging.weirdbricks.com
Output:
Authorizing staging.weirdbricks.com.
- Retrieving HTTP authentication challenge.
- Retrieving authorization key.
Generating RSA key.
Generating CSR.
Retrieving certificate.
Using /etc/hiawatha/tls/staging.weirdbricks.com.pem as output file.
20. Now that we have the cert, let's change the Hiawatha bindings. Edit the file /etc/hiawatha/hiawatha.conf and change this:
#Binding {
# Port = 443
# TLScertFile = ssl/hiawatha.pem
# Interface = 127.0.0.1
# MaxRequestSize = 2048
# TimeForRequest = 30
#}
to:
Binding {
Port = 443
TLScertFile = /etc/hiawatha/tls/staging.weirdbricks.com.pem
MaxRequestSize = 2048
TimeForRequest = 30
}
Also edit /etc/hiawatha/conf.d/staging.weirdbricks.com.conf - from this:
VirtualHost {
Hostname = staging.weirdbricks.com
WebsiteRoot = /var/www/html/staging
StartFile = index.html
AccessLogfile = /var/log/hiawatha/staging-access.log
ErrorLogfile = /var/log/hiawatha/staging-error.log
}
to this, so that the virtual host requires TLS:
VirtualHost {
Hostname = staging.weirdbricks.com
WebsiteRoot = /var/www/html/staging
StartFile = index.html
AccessLogfile = /var/log/hiawatha/staging-access.log
ErrorLogfile = /var/log/hiawatha/staging-error.log
RequireTLS = yes
}
21. Restart Hiawatha:
service hiawatha restart
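As an added check (example code written for this post, not part of Hugo Leisink's script or of Hiawatha): the bundle written in step 16, /etc/hiawatha/tls/staging.weirdbricks.com.pem, holds the private key together with the certificates, and step 20 hands that same file to Hiawatha as TLScertFile. The script below verifies that a bundle has the layout shown in the step 16 output (private key, site certificate, CA certificate) and that the file is not group- or world-readable; it runs offline against a constructed sample, and check_bundle_file can be pointed at the real path.

```python
import os
import re
import stat
import tempfile
# The letsencrypt script writes one bundle (see the output above): private key
# first, then the site certificate, then the CA certificate.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\n.*?-----END \1-----", re.S)

# Constructed stand-in for the bundle; body lines are placeholders, not real data.
SAMPLE_BUNDLE = (
    "-----BEGIN PRIVATE KEY-----\nplaceholder\n-----END PRIVATE KEY-----\n"
    "-----BEGIN CERTIFICATE-----\nplaceholder\n-----END CERTIFICATE-----\n"
    "-----BEGIN CERTIFICATE-----\nplaceholder\n-----END CERTIFICATE-----\n"
)

def pem_labels(text):
    """Labels of the PEM blocks in the order they appear."""
    return [m.group(1) for m in PEM_BLOCK.finditer(text)]

def check_bundle_text(text):
    """Structural checks on the bundle content; returns a list of problems."""
    labels, problems = pem_labels(text), []
    if not labels or not labels[0].endswith("PRIVATE KEY"):
        problems.append("bundle does not start with a private key block")
    if labels.count("CERTIFICATE") == 0:
        problems.append("no CERTIFICATE block found")
    elif labels.count("CERTIFICATE") == 1:
        problems.append("no CA certificate after the site certificate")
    return problems

def check_bundle_file(path):
    """Content checks plus a mode check, since the private key lives in this file."""
    with open(path) as f:
        problems = check_bundle_text(f.read())
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append("mode %04o lets group/other read the private key" % mode)
    return problems

def demo_file_check():
    """Write the sample with mode 0600, then 0644; return both check results."""
    fd, path = tempfile.mkstemp(suffix=".pem")
    with os.fdopen(fd, "w") as f:
        f.write(SAMPLE_BUNDLE)
    os.chmod(path, 0o600)
    strict = check_bundle_file(path)
    os.chmod(path, 0o644)
    loose = check_bundle_file(path)
    os.unlink(path)
    return strict, loose
```

On the real server, run check_bundle_file("/etc/hiawatha/tls/staging.weirdbricks.com.pem") as root; an empty list means the layout and permissions are as expected.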