Forum

First, I must say that I had my reverse proxy and ending hiawatha servers working fine with TLS. But when needed to renew the certificate with letsencrypt, things were not clear.
The purpose of this post if to try that you Hugo or other person could shed some light on this.

In the closed topic (that's why I opened this topic) https://www.hiawatha-webserver.org/forum/topic/2766 you say that

At another of my topics https://www.hiawatha-webserver.org/forum/topic/2742 you say that

So this partially invalidates the former message, no? The certificate must be installed on both reverse proxy and receiving server? Should I copy it to the ending server certificate directory after

letsencrypt renew

? That's how I accomplished it to work. Or can I use any TLS certificate that the ending server will work anyways?

A brief excerpt of the receiving server, regarding TLS certificates that I've configured is:
(optional] MinTLSversion = 1.2

At the receiving binding for 8443 to where the reverse proxy sends the https connections: Is this binding optional since at the moment I'm using just one website configured at the VirtualHost?
Define TLScertFile=.... does this have to be the same certificate as the one of the reverse proxy?

Inside the VirtualHost
TLScertFile = tls/hinoavida.pt-1.pem
RequireTLS = yes

I'd appreciate some clarification on this.
Once again, many thanks for your work, it's the only webserver I like to try to configure ;-)

The webserver that's directly connected to the internet and will receive the initial connection, needs to hold a valid certificate. All other webservers behind that first proxying webserver only need a certificate if the one before it doesn't do SSL termination (in other words, continue to use HTTPS for the next connection). If you don't set CAcertificates, Hiawatha can't check the connections it sets up. In that case, the webservers it connects to doesn't need to have a valid certificate, just a certificate (can even be self signed).