Forum

TLScertFile & letsencrypt

sascha
1 December 2018, 17:49
hi,
i use debian with iredmail (redirect to https) + i try to install wordpress in var/www/hiawatha/blog,

i succeeded to make letsencrypt files but hiawatha says privkey not found or 509x cert not found.
this is not working:
TLScertFile = /etc/letsencrypt/live/mydomain.com/privkey.pem
i changed privkey with chain, fullchain, cert.pem but all was wrong, refused by hiawatha.
so, i had to # 443 and to use port 80, but iredmail redirects to 443 and i can't install wordpress. annoying.
sascha
2 December 2018, 20:46
I tried this command and again, journalctl -xe said when i restart hiawatha: no x509 cert was found in /etc/ssl/private/privmat.net.key

openssl genrsa -out privmat.net.key 2048

openssl req -new -x509 -key privmat.net.key -out privmat.net.cert -days 3650 -subj /CN=privmat.net
Hugo Leisink
2 December 2018, 20:47
Did you use the Normal and TLS bindings HOWTO?
sascha
3 December 2018, 15:27
my experience was because the keys were not all present, after a lot of hassle i gave up doing this manually and started using the letsencrypt tool supplied with hiawatha

sascha
3 December 2018, 21:08
this above is not sascha that created topic.
i checked my pem file, it starts with private rsa keys and after that certificate, so, it is ok, hiawatha -k = ok, netstat tpln shows hiawatha 443 port, when i type website in chrome, it says no connection. it is not working but in terminal, all is ok.
# GENERAL SETTINGS
#
ServerId = www-data
ConnectionsTotal = 1000
ConnectionsPerIP = 25
SystemLogfile = /var/log/hiawatha/system.log
GarbageLogfile = /var/log/hiawatha/garbage.log


# BINDING SETTINGS
# A binding is where a client can connect to.
#
#Binding {
# Port = 80
#}
#
Binding {
Port = 443
# TLScertFile = /etc/ssl/private/privmat.net.key
TLScertFile = privmat.net.pem
# RequireTLS = yes
Interface = 127.0.0.1
MaxRequestSize = 2048
# TimeForRequest = 30
TimeForRequest = 5, 30
}

#BANNING SETTINGS
# Deny service to clients who misbehave.
#
BanOnGarbage = 300
BanOnMaxPerIP = 60
BanOnMaxReqSize = 300
KickOnBan = yes
RebanDuringBan = yes
BanOnSQLi = 60
BanOnFlooding = 10/1:15

# COMMON GATEWAY INTERFACE (CGI) SETTINGS
# These settings can be used to run CGI applications.
#
CGIhandler = /usr/bin/perl:pl
CGIhandler = /usr/bin/php-cgi:php
CGIhandler = /usr/bin/python:py
CGIhandler = /usr/bin/ruby:rb
CGIhandler = /usr/bin/ssi-cgi:shtml
CGIextension = cgi
#
FastCGIserver {
FastCGIid = PHP7
ConnectTo = /run/php/php7.0-fpm.sock
Extension = php
}


# VIRTUAL HOSTS
# Use a VirtualHost section for each website you want to host.
#
VirtualHost {
Hostname = privmat.net;
WebsiteRoot = /var/www/hiawatha/privmat
StartFile = index.html
AccessLogFile = /var/log/hiawatha/access.log
ErrorLogFile = /var/log/hiawatha/error.log
RequireTLS = yes
#}

#VirtualHost {
Hostname = ospok.privmat.net;
WebsiteRoot = /var/www/hiawatha/ospok
AccessLogfile = /var/log/hiawatha/access.log
ErrorLogfile = /var/log/hiawatha/error.log
RequireTLS = yes
StartFile = index.php
ExecuteCGI = yes
TimeForCGI = 5
UseFastCGI = PHP7
PreventCSRF = yes
PreventXSS = yes
PreventSQLi = yes
# UseToolkit = banshee
# UseDirectory = static, files
#}

#VirtualHost {
Hostname = predicsasa.com;
WebsiteRoot = /var/www/hiawatha/aboutme
AccessLogFile = /var/log/hiawatha/access.log
ErrorLogFile = /var/log/hiawatha/error.log
RequireTLS = yes
StartFile = index.html
#}

#VirtualHost {
Hostname = blog.predicsasa.com;
WebsiteRoot = /var/www/hiawatha/newblog
AccessLogFile = /var/log/hiawatha/access.log
ErrorLogFile = /var/log/hiawatha/error.log
RequireTLS = yes
StartFile = index.php
ExecuteCGI = yes
TimeForCGI = 5
UseFastCGI = PHP7
PreventCSRF = yes
PreventXSS = yes
PreventSQLi = yes
#}

#VirtualHost {
Hostname = oldblog.predicsasa.com;
WebsiteRoot = /var/www/hiawatha/oldblog
AccessLogFile = /var/log/hiawatha/access.log
ErrorLogFile = /var/log/hiawatha/error.log
RequireTLS = yes
StartFile = index.php
ExecuteCGI = yes
TimeForCGI = 5
UseFastCGI = PHP7
PreventCSRF = yes
PreventXSS = yes
PreventSQLi = yes
#}

#VirtualHost {
Hostname = photo.predicsasa.com;
WebsiteRoot = /var/www/hiawatha/photo
StartFile = index.html
AccessLogFile = /var/log/hiawatha/access.log
ErrorLogFile = /var/log/hiawatha/error.log
RequireTLS = yes
#}

#VirtualHost {
Hostname = mylife.predicsasa.com;
WebsiteRoot = /var/www/hiawatha/mylife
StartFile = index.html
AccessLogFile = /var/log/hiawatha/access.log
ErrorLogFile = /var/log/hiawatha/error.log
RequireTLS = yes
#}

#}

#VirtualHost {
Hostname = porodin.predicsasa.com;
WebsiteRoot = /var/www/hiawatha/porodin
StartFile = index.html
AccessLogFile = /var/log/hiawatha/access.log
ErrorLogFile = /var/log/hiawatha/error.log
RequireTLS = yes
}
Hugo Leisink
9 December 2018, 14:50
Run your website without HTTPS first and request a certificate via Let's Encrypt. Hiawatha comes with a script for that (see the extra/letsencrypt directory in the source package). Use that key/certificate file to setup HTTPS.
sascha
15 December 2018, 17:25
because of problems with tls/ssl, i give up on hiawatha and i will use apache, at least there are tutorials, already 2 weeks i have problem to install ssl and wordpress, it was easy before 2 years, now hiawatha doesn't recognize private keys in tls folder, each file has private key and cert. we didn't have such problems before 2-3 years, new editions of hiawatha are not better than worse.
Hugo Leisink
15 December 2018, 17:39
Nothing has changed in how Hiawatha reads TLS key and certificate files. So, there must be something else that causes your issue.
commandline.be
16 December 2018, 21:59
just a question, if

# TLScertFile = /etc/ssl/private/privmat.net.key
TLScertFile = privmat.net.pem

is shown, this does mean something did change

are the perms for the key set correctly ?
is the key the same as before ?

i switched to using acme.sh but in the end the problem is most likely with letsencrypt.org not the tools, it appears at some moments during the day getting a key is not as reliable as one might expect (in terms of service, not trust)
Hugo Leisink
18 December 2018, 17:41
I don't know what's in that file, so I can't tell. You need to specify the full path to the PEM file, unless it's located in your Hiawatha configuration directory. It must contain both private key and certificate (and any intermediate CA certificate, when available). Hiawatha's Let's Encrypt script does that all for you. I don't know acme.sh, so I don't know what it generates.
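Added example, not from this thread or the Hiawatha project: a small POSIX shell script that builds the single PEM file described above from Let's Encrypt's separate privkey.pem and fullchain.pem, and checks the result for the two things the thread kept tripping over (a file with only a key, or with no certificate at all). The live directory, output path and key-before-certificate order are assumptions; adjust them to your setup.

```shell
#!/bin/sh
# Added example (not from the thread or the Hiawatha project): combine
# Let's Encrypt's privkey.pem and fullchain.pem into the one PEM file that
# Hiawatha's TLScertFile expects, then sanity-check its layout.
# Assumed layout: LIVE_DIR holds privkey.pem and fullchain.pem; OUT is the
# file you point TLScertFile at, using its full path.

# build_pem LIVE_DIR OUT
# Private key first, then the leaf certificate and the intermediate(s);
# fullchain.pem already holds leaf + intermediates in that order.
# The result is readable by the owner only.
build_pem() {
    live_dir="$1"
    out="$2"
    umask 077
    cat "$live_dir/privkey.pem" "$live_dir/fullchain.pem" > "$out"
    chmod 600 "$out"
}

# check_pem FILE
# Returns 0 when FILE contains exactly one private key block, at least one
# certificate block, and the key comes before the first certificate (the
# order that worked in this thread; assumed here as the convention).
# Prints the reason on failure, which mirrors what the server log said.
check_pem() {
    f="$1"
    keys=$(grep -c -- '-----BEGIN.*PRIVATE KEY-----' "$f" || true)
    certs=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$f" || true)
    if [ "$keys" -ne 1 ]; then
        echo "expected one private key block, found $keys" >&2
        return 1
    fi
    if [ "$certs" -lt 1 ]; then
        echo "no x509 certificate block found in $f" >&2
        return 1
    fi
    key_line=$(grep -n -- '-----BEGIN.*PRIVATE KEY-----' "$f" | cut -d: -f1)
    cert_line=$(grep -n -- '-----BEGIN CERTIFICATE-----' "$f" | head -n 1 | cut -d: -f1)
    if [ "$key_line" -gt "$cert_line" ]; then
        echo "private key should precede the certificate in $f" >&2
        return 1
    fi
    return 0
}
```

Run `check_pem` on the file before restarting Hiawatha; it rejects a key-only file like the privmat.net.key from the thread, which is exactly the case the server reported as "no x509 cert was found".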
commandline.be
18 December 2018, 19:14
It is honestly weird, i recognise the complaints with letsencrypt. You can use a tool again and again until the day it suddenly requires a lot of messing around to get to the same point you ended up before without much fuss. I don't get it. I started taking notes to make sure what i do wrong or if the letsencrypt service is at times throwing dirt into the gears.
This topic has been closed.