wosign certificate howto?

Luis Mendes
8 January 2016, 17:42
I'm following the instructions provided in https://www.hiawatha-webserver.org/howto/bindings that are (at least I think so) meant for a self-signed certificate.
Although it's not the best option, I obtained a free SSL certificate from the Chinese company WoSign, just to begin with. Afterwards I can change it, but for now, I'd like to know how to build the 'serverkey.pem' shown in the above mentioned Hiawatha url.
The WoSign zip file came with other zip files specific for Apache, Nginx, IIS and other browsers. The other browsers' bundle has three certificates: 1_cross_Intermediate.crt, 2_issuer_Intermediate.crt, 3_user_mydomain.pt.crt

Wosign is not yet included in the Apple certificate store, but it seems that it's not a problem since it's cross-signed by the StartCom CA (source and instructions I followed to obtain a Wosign certificate: https://www.ohling.org/blog/2015/02/wosign-free-2y-ssl-certificate.html)

So, should I include all the three certificates I received from WoSign after the server private key, always with an `echo "" >>` blank line in between? In which order should I do so? Private key, 1_cross_intermediate, 2_issuer_intermediate and at the end 3_user_mydomain.pt.crt? Another order?
Hugo Leisink
8 January 2016, 19:39
The order should be:

1: private key
2: user_mydomain.pt.crt
3: issuer_intermediate.crt
4: cross_intermediate.crt
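Assembling the file in exactly that order, as an added example that is not part of the thread or of Hiawatha itself: it concatenates key, leaf certificate and the two intermediates with a blank line between them, then checks that the result starts with a private key followed only by certificates. The input files here are constructed placeholders named after the WoSign bundle; the real files would be used in their place.

```shell
#!/bin/sh
# Added example, not from the thread or the Hiawatha project: assemble serverkey.pem
# in the order Hugo gives (key, leaf, issuer intermediate, cross intermediate) and
# sanity-check the block order. File names mirror the WoSign bundle in the thread.

# build_pem OUT FILE...: concatenate the files in the given order, blank line between.
build_pem() {
    out=$1; shift
    : > "$out"
    for f in "$@"; do
        cat "$f" >> "$out"
        echo "" >> "$out"
    done
}

# check_pem FILE: print the PEM block types in order; exit 1 unless the first block
# is a private key and every later block is a certificate.
check_pem() {
    awk '/^-----BEGIN / {
             sub(/^-----BEGIN /, ""); sub(/-----$/, ""); n++
             if (n == 1 && $0 !~ /PRIVATE KEY$/) bad = 1
             if (n > 1 && $0 != "CERTIFICATE") bad = 1
             printf "%s%s", (n > 1 ? "," : ""), $0
         }
         END { print ""; if (n == 0) bad = 1; exit bad + 0 }' "$1"
}

# make_sample_bundle DIR: write constructed placeholder PEM files (not real key material).
make_sample_bundle() {
    printf '%s\nCONSTRUCTED\n%s\n' '-----BEGIN RSA PRIVATE KEY-----' '-----END RSA PRIVATE KEY-----' > "$1/server.key"
    for c in 3_user_mydomain.pt.crt 2_issuer_Intermediate.crt 1_cross_Intermediate.crt; do
        printf '%s\nCONSTRUCTED %s\n%s\n' '-----BEGIN CERTIFICATE-----' "$c" '-----END CERTIFICATE-----' > "$1/$c"
    done
}

dir=$(mktemp -d)
make_sample_bundle "$dir"
build_pem "$dir/serverkey.pem" "$dir/server.key" "$dir/3_user_mydomain.pt.crt" \
    "$dir/2_issuer_Intermediate.crt" "$dir/1_cross_Intermediate.crt"
check_pem "$dir/serverkey.pem"    # RSA PRIVATE KEY,CERTIFICATE,CERTIFICATE,CERTIFICATE
```

The check only looks at block types; whether each intermediate actually signs the one before it is something `openssl verify` on the real files would tell.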
Luis Mendes
9 January 2016, 01:47
Hi Hugo,

Thank you for your help.

I've built the pem file in the order you showed. Now the problem is that although hiawatha starts fine, it's not possible to visit https pages.

When                       Result
http://myserver.pt         fine, url changes to http://www.myserver.pt/some.php
http://www.myserver.pt     fine, url just adds /some.php
https://myserver.pt        fine, url changes to http://www.myserver.pt/some.php [NOTE: http, not https]
https://www.myserver.pt    Secure Connection Failed
                           An error occurred during a connection to www.myserver.pt.
                           SSL received a record that exceeded the maximum permissible length.
                           (Error code: ssl_error_rx_record_too_long)

My config of hiawatha.conf is as follows: (relevant parts)
Binding {
    Port = 80
    MaxKeepAlive = 30
    TimeForRequest = 5,30
    MaxRequestSize = 512
}

Binding {
    Port = 443
    MaxKeepAlive = 30
    TimeForRequest = 5,30
}

VirtualHost {
    Hostname = myserver.pt
    UseToolkit = redirect
    WebsiteRoot = /usr/local/www/prestashop
}

VirtualHost {
    Hostname = www.myserver.pt
    WebsiteRoot = /usr/local/www/prestashop
    StartFile = index.php
    UseFastCGI = phpfpm0
    TLScertFile = /usr/local/etc/hiawatha/myserver.pt.pem
}

UrlToolkit {
    ToolkitID = redirect
    Match ^/(.*) Redirect http://www.myserver.pt/$1
}

So, there are two problems:
1. the redirect from https://myserver to http
2. the error when accessing https://www.myserver

How to solve these issues?
Hugo Leisink
9 January 2016, 08:15
1. Hiawatha never does a redirect from https to http, so the application Hiawatha is serving must be responsible for that. I can't change that.
2. I don't know. I've never seen that error. Is your certificate valid for both www.myserver.pt and myserver.pt?
Luis Mendes
11 January 2016, 12:49
Hi Hugo,

Regarding 1, I got it covered already, sorry for my ignorance on the subject.

To try to find the problem of 2., I deleted the certificate from WoSign and generated a new self-signed certificate according to your instructions in the '.../bindings' url mentioned above.

Stopped Hiawatha and went for Apache 2.4.
The problem of 2. has also been found by other people when using Apache: http://stackoverflow.com/questions/119336/ssl-error-rx-record-too-long-and-apache-ssl
In Apache, things are a bit different, and I configured the SSL cert and key according to the requisites. Loaded a kernel module accf_http.ko, since my machine is a FreeBSD 10.2 one, to enable the filtering that is required by mod_ssl. The https worked fine.

Then came back to Hiawatha. Placed the TLScertFile inside the VirtualHost record, tried it and got the same error as in the first post:
"SSL received a record that exceeded the maximum permissible length. (Error code: ssl_error_rx_record_too_long)"
After other attempts, removed the TLScertFile from the VirtualHost record and placed it in the Binding record regarding port 443. The site worked fine with SSL.

So, what am I doing wrong, that I'm not able to choose the certificate only for this VirtualHost?
I enabled and disabled the 'EnableAccf = yes' option in the Binding record, but saw no difference. Should it be enabled in my FreeBSD box? What is this option useful for?

Luis

Hugo Leisink
11 January 2016, 12:58
I know what you did wrong. You configured port 443 to speak HTTP, not HTTPS. Add the TLScertFile option to the 443 binding as well.
Binding {
    Port = 443
    MaxKeepAlive = 30
    TimeForRequest = 5,30
    TLScertFile = /usr/local/etc/hiawatha/myserver.pt.pem
}

Only a binding that has a TLScertFile option is considered a TLS/SSL binding. The port number is not relevant for that.
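A small config check for exactly this mistake, added here as an example that is neither from the thread nor shipped with Hiawatha: it lists every Binding block with whether it carries a TLScertFile (and so speaks TLS) and flags a port-443 binding that has none. The two sample configs are constructed from the Binding blocks posted above, before and after the fix.

```shell
#!/bin/sh
# Added example, not from the thread or the Hiawatha project: an awk pass over
# hiawatha.conf that reports, per Binding block, whether it will speak TLS (has a
# TLScertFile) or plain HTTP, and flags the case from this thread: port 443 without
# TLScertFile, which makes browsers report ssl_error_rx_record_too_long.

# list_bindings CONF: one line per Binding block, "<port> tls" or "<port> plain".
list_bindings() {
    awk '
        /^[[:space:]]*Binding[[:space:]]*[{]/ { inb = 1; port = "?"; tls = "plain"; next }
        inb && /^[[:space:]]*Port[[:space:]]*=/ {
            sub(/^[^=]*=[[:space:]]*/, ""); sub(/[[:space:]]+$/, ""); port = $0
        }
        inb && /^[[:space:]]*TLScertFile[[:space:]]*=/ { tls = "tls" }
        inb && /^[[:space:]]*[}]/ { print port, tls; inb = 0 }
    ' "$1"
}

# plain_443 CONF: return 1 (with a message) if a port-443 binding has no TLScertFile.
plain_443() {
    if list_bindings "$1" | grep -q '^443 plain$'; then
        echo "Binding on port 443 has no TLScertFile, so it answers HTTPS clients in plain HTTP" >&2
        return 1
    fi
}

# Constructed sample: the Binding blocks from the thread, before and after the fix.
tmp=$(mktemp -d)
cat > "$tmp/before.conf" <<'EOF'
Binding {
    Port = 80
}

Binding {
    Port = 443
    MaxKeepAlive = 30
}

VirtualHost {
    Hostname = www.myserver.pt
    TLScertFile = /usr/local/etc/hiawatha/myserver.pt.pem
}
EOF
sed '/Port = 443/a\
    TLScertFile = /usr/local/etc/hiawatha/myserver.pt.pem' "$tmp/before.conf" > "$tmp/after.conf"

list_bindings "$tmp/before.conf"                 # 80 plain / 443 plain
plain_443 "$tmp/before.conf" || echo "fix: add TLScertFile to the 443 Binding"
list_bindings "$tmp/after.conf"                  # 80 plain / 443 tls
```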
Luis Mendes
11 January 2016, 13:27
Ah, ok,

Regarding the 'EnableAccf = yes', is it recommended for FreeBSD? For what purposes?

Thank you!
Hugo Leisink
11 January 2016, 14:02
To be honest, I have no idea. It was a feature request by a FreeBSD user. I don't use FreeBSD myself. Maybe this manpage [www.freebsd.org] clears things up.