First, I must say that I had my reverse proxy and ending hiawatha servers working fine with TLS. But when I needed to renew the certificate with letsencrypt, things were not clear.
The purpose of this post is to ask whether you, Hugo, or another person could shed some light on this.
In the closed topic (that's why I opened this topic) https://www.hiawatha-webserver.org/forum/topic/2766
you say that:
"You should do the letsencrypt stuff at that reverse proxy. That's the server the Let's Encrypt server will be connecting to. And that's the server the certificate must be installed on."
At another of my topics https://www.hiawatha-webserver.org/forum/topic/2742
you say that:
"The receiving webserver must be using SSL if the https reverse proxy works. It will of course be using a certificate. By default, Hiawatha doesn't the the validity of that certificate. Use the CAcertificates setting for that."
So this partially invalidates the former message, no? Must the certificate be installed on both the reverse proxy and the receiving server? Should I copy it to the ending server's certificate directory after letsencrypt renew? That's how I got it to work. Or can I use any TLS certificate and the ending server will work anyway?
A brief excerpt of the receiving server, regarding TLS certificates that I've configured is:
(optional) MinTLSversion = 1.2

At the receiving binding for 8443, to where the reverse proxy sends the https connections: Is this binding optional, since at the moment I'm using just one website configured at the VirtualHost?

Define TLScertFile=.... does this have to be the same certificate as the one of the reverse proxy?

Inside the VirtualHost:
TLScertFile = tls/hinoavida.pt-1.pem
RequireTLS = yes
I'd appreciate some clarification on this.
Once again, many thanks for your work, it's the only webserver I like to try to configure ;-)