RequiredCA and "SSL_accept(): protocol error"

4 December 2010, 17:44

I'm trying to setup Linux machine with Hiawatha + MySQL + Redmine and so far I have succeeded to configure and run Redmine thanks to Hiawatha Forum.
Here is my configuration:
ServerId = redmine
ConnectionsTotal = 150
ConnectionsPerIP = 10
SystemLogfile = /var/log/hiawatha/system.log
GarbageLogfile = /var/log/hiawatha/garbage.log

Binding {
Port = 443
SSLcertFile = /etc/hiawatha/serverkey.pem
# RequiredCA = /etc/hiawatha/serverkey.pem

Hostname =
WebsiteRoot = /srv/http/hiawatha
StartFile = index.html
AccessLogfile = /var/log/hiawatha/access.log
ErrorLogfile = /var/log/hiawatha/error.log

include /etc/hiawatha/redmine.conf

FastCGIserver {
FastCGIid = redmine_fcgi
ConnectTo =

UrlToolkit {
ToolkitID = redmine_toolkit
RequestURI isfile Return
Match .* UseFastCGI redmine_fcgi

VirtualHost {
Hostname =
WebsiteRoot = /home/redmine/redmine/public
UseFastCGI = redmine_fcgi
UseToolkit = redmine_toolkit
RequireSSL = yes

With configuration above everithing runs fine, but when I uncomment RequiredCA in hiawatha.conf I get from time to time following console messages:
SSL_accept(): protocol error

but page is loaded with artifacts (missing images, ...).
After a while Hiawatha stops responding to browser requests but console messages descibed above are still showed (debug version, hiawatha -d).
I test it with following browsers:
Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv: Gecko/2009060215 Firefox/3.0.11 (.NET CLR 3.5.30729))
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv: Gecko/20100401 Firefox/3.6.3

Here is my certificate:
<private key>


This certificate is generated with openssl by following steps described in Hiawatha HOWTO: Normal and SSL bindings []. As additional step I converted serverkey.pem to serverkey.p12 so I can import it in Mozilla certificate repository.
openssl pkcs12 -export -in serverkey.pem -out serverkey.p12

I have doubts that generated certificate may be an inappropriate.
I will appreciate any given directions.

Best regards,

Hiawatha version: Hiawatha v7.4, cache, debug, IPv6, Monitor, SSL, URL toolkit, XSLT
Operating System: Linux 2.6.36-ARCH #1 SMP PREEMPT Wed Nov 24 06:44:11 UTC 2010 i686
Hugo Leisink
4 December 2010, 20:10
SSLcertFile should point to the file containing the private key and certificate to be used by the webserver. RequiredCA should point to the file containing the certificate of the CA from which the certificate in SSLcertFile is created.

In other words, you need to create a CA with OpenSSL and from that CA, create a certificate for your webserver. RequiredCA should point to the CA certificate file.

I've written a howto for OpenSSL, but it's in Dutch. It think that if you translate it via Google Translate, it's quite readable. You can read it here [].
5 December 2010, 11:47
Hello Hugo,

thank you very much for pointing me article above.

Best regards,
This topic has been closed.