Let's Encrypt and the Hiawatha Webserver
Sunday, 2015-11-08
UPDATE: If you don’t want to read the source code of the Let’s Encrypt tool you’re using, you might as well use the official client, which does a bit more magic. Don’t get me wrong, the official client is open source, too. But it has way more lines of code, so it’s harder to read through. The Hiawatha user VirginSteele posted a four-step tutorial here (scroll down to the entry with the timestamp 12 November 2015, 14:43). One notable difference is that you don’t need to stop the webserver there, as the letsencrypt-nosudo script I’m using in my tutorial can’t do this yet.
Here’s a quick rundown of how I’ve set up Let’s Encrypt with my favorite webserver. Read yesterday’s post for a more verbose story.
Requirements:
- private beta registration and invite (in the future, this won’t be necessary)
- python2
Steps:
- (Optional) Add a new user for obtaining the certificate on your system:
# Busybox syntax, read the man pages for
# adduser or useradd on your system
root@sabotage ~ # adduser -D -s /bin/zsh letsencrypt
root@sabotage ~ # su - letsencrypt
- Download your favorite ACME client. I’ve used letsencrypt-nosudo, but you can probably do pretty much the same thing in manual mode with the official client.
letsencrypt@sabotage ~ % git clone "https://github.com/diafygi/letsencrypt-nosudo.git"
letsencrypt@sabotage ~ % cd letsencrypt-nosudo
- Follow the instructions of your ACME client to obtain the certificate; in the case of letsencrypt-nosudo, they are here.
- Your directory should look like this now:
letsencrypt@sabotage ~/letsencrypt-nosudo % ls
LICENSE domain.csr sign_csr.py user.key
README.md domain.key signed.crt user.pub
- Download the Let’s Encrypt intermediate certificate:
# wget works fine as well
letsencrypt@sabotage ~/letsencrypt-nosudo % curl https://letsencrypt.org/certs/lets-encrypt-x1-cross-signed.pem > lets-encryt-x1-cross-signed.pem
- Now comes the Hiawatha-specific part – merge the private key, the signed certificate and the intermediate certificate into one file:
letsencrypt@sabotage ~/letsencrypt-nosudo % cat domain.key signed.crt lets-encryt-x1-cross-signed.pem > letsencrypt_hiawatha.crt
- As the root user, move the merged file into the Hiawatha configuration directory and change its ownership and permissions:
letsencrypt@sabotage ~/letsencrypt-nosudo % exit
root@sabotage ~ # cd /etc/hiawatha
root@sabotage /etc/hiawatha # mv ~letsencrypt/letsencrypt-nosudo/letsencrypt_hiawatha.crt .
root@sabotage /etc/hiawatha # chown root:root letsencrypt_hiawatha.crt
root@sabotage /etc/hiawatha # chmod 400 letsencrypt_hiawatha.crt
- Add the certificate to your hiawatha.conf, in the Binding section for example:
Binding {
Port = 443
TLScertFile = /etc/hiawatha/letsencrypt_hiawatha.crt
...
}
- Restart your webserver and you’re done!
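Before the merged file goes into /etc/hiawatha, it pays to check that the three pieces actually belong together: a key that does not match the certificate, or a certificate that was not issued under the intermediate, only shows up as a TLS failure after the restart. The following script is an added example, not part of the original post or of letsencrypt-nosudo; it assumes the openssl command-line tool and builds a throw-away CA in a temporary directory so it can be run offline.

```shell
#!/bin/sh
# Added example (not from the original post): build the combined file Hiawatha
# expects, but only after checking that key, certificate and intermediate
# belong together.  Assumes the openssl CLI is installed.
set -eu

# build_hiawatha_bundle KEY CERT INTERMEDIATE OUT
# Refuses (non-zero exit, no output file) if KEY is not the private key for
# CERT or if CERT was not issued under INTERMEDIATE.
build_hiawatha_bundle() {
    key=$1 crt=$2 chain=$3 out=$4
    # The public key inside the certificate must equal the one derived from KEY.
    if [ "$(openssl pkey -in "$key" -pubout 2>/dev/null)" != \
         "$(openssl x509 -in "$crt" -pubkey -noout)" ]; then
        echo "error: $key is not the private key for $crt" >&2
        return 1
    fi
    # -partial_chain lets the intermediate act as the trust anchor, since the
    # cross-signing root is not part of the bundle.
    if ! openssl verify -partial_chain -CAfile "$chain" "$crt" >/dev/null 2>&1; then
        echo "error: $crt does not chain to $chain" >&2
        return 1
    fi
    # Hiawatha reads the file in this order: private key, server certificate,
    # intermediates.  Create it with restrictive permissions from the start.
    (umask 077 && cat "$key" "$crt" "$chain" > "$out")
    chmod 400 "$out"
}

# Constructed sample PKI (throw-away CA and leaf) so the example runs offline;
# the names are placeholders, not Let's Encrypt material.
make_sample_pki() {
    dir=$1
    mkdir -p "$dir"
    printf '%s\n' '[req]' 'distinguished_name = dn' 'x509_extensions = v3_ca' \
        'prompt = no' '[dn]' 'CN = Sample CA' '[v3_ca]' \
        'basicConstraints = critical,CA:TRUE' 'keyUsage = critical,keyCertSign' \
        > "$dir/ca.cnf"
    openssl req -x509 -config "$dir/ca.cnf" -newkey rsa:2048 -nodes -days 1 \
        -keyout "$dir/ca.key" -out "$dir/ca.pem" 2>/dev/null
    openssl req -new -config "$dir/ca.cnf" -newkey rsa:2048 -nodes \
        -subj '/CN=example.invalid' -keyout "$dir/domain.key" -out "$dir/domain.csr" 2>/dev/null
    openssl x509 -req -days 1 -in "$dir/domain.csr" -CA "$dir/ca.pem" \
        -CAkey "$dir/ca.key" -CAcreateserial -out "$dir/signed.crt" 2>/dev/null
    # A key that does NOT belong to the certificate, for the negative case.
    openssl genpkey -algorithm RSA -out "$dir/wrong.key" 2>/dev/null
}
```

With real material the call is simply `build_hiawatha_bundle domain.key signed.crt lets-encrypt-x1-cross-signed.pem letsencrypt_hiawatha.crt`, run before the mv/chown step.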