Howto get certificate on reverse proxy running hiawatha webserver


I am working on a howto to use the hiawatha webserver as a reverse proxy. You might want that because it can ban hackers' IPs when they are trying XSS, injection, DoS and so on.

Anyway, a reverse proxy config looks like:

```
VirtualHost {
    Hostname =
    ReverseProxy .*
    RequireTLS = yes
    TLScertFile = /etc/letsencrypt/live/
    WebsiteRoot /var/www/hcs
}
```

If you want to get letsencrypt certificates for many websites behind this secured web proxy, you can do it with this trick:

1- copy the config but delete the lines with reverse proxy. You are effectively taking the backend website offline,
2- serve the domains locally
3- run letsencrypt for your domain
4- switch the config back
5- restart

Improvements on my clunky code are always welcome… :slight_smile:

```bash
# update multiple certificates
# CONFIG, DOMAINS, WEBROOT and LECROOT must be set before this point

TIMESTAMP=$(date --rfc-3339=seconds | sed 's/ /-/')
echo "Time is $TIMESTAMP"
#### we will get certificates for the following domains in hiawatha.conf

mkdir -p /root/tmp
cp "$CONFIG" "/root/tmp/hiawatha.conf$TIMESTAMP"
cp "$CONFIG" /root/tmp/hiawatha.confbackup

# let's take all TLS and reverse proxy config out while updating, serving only one local website

grep -Ev "ReverseProxy|RequireTLS|TLScertFile" /root/tmp/hiawatha.confbackup > "$CONFIG"
/etc/init.d/hiawatha restart
echo "website is offline, will get the certs now" && sleep 3
for i in $DOMAINS ; do
    echo "getting certs for $i"
    cd /root/letsencrypt
    ./letsencrypt-auto certonly -a webroot --webroot-path $WEBROOT -d $i --server
    sleep 33 # can take a while
    ### if all is well we have a new certificate, but we need to adjust it to hiawatha pem format
    echo "certs $i are in, let's make a pem"
    # the combined file contains the private key, so keep it readable by the web server user only
    cat "$LECROOT/$i/privkey.pem" "$LECROOT/$i/cert.pem" "$LECROOT/$i/chain.pem" > "$LECROOT/$i/hiawatha-hc.pem"
    chown www-data:www-data "$LECROOT/$i/hiawatha-hc.pem"
    chmod 440 "$LECROOT/$i/hiawatha-hc.pem"
    echo "pemfile is $LECROOT/$i/hiawatha-hc.pem"
    sleep 3
done

# copy back the original config file
cp /root/tmp/hiawatha.confbackup "$CONFIG"
sleep 1
/etc/init.d/hiawatha restart
```
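
Added example, not part of the original post: a wrapper for steps 1 to 4 of the procedure above that strips the same three directives, runs a command, and restores the original config even if that command fails or is interrupted, so a failed run does not leave the proxy serving without TLS. The function names, `example.test`, the backend URL and the sample config are assumptions constructed for the demo.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): run a command while the
# ReverseProxy/TLS directives are stripped from a Hiawatha config, and
# restore the original file even if the command fails or is interrupted.

# Print config $1 without the directives the post removes during issuance.
strip_proxy_tls() {
    grep -Ev 'ReverseProxy|RequireTLS|TLScertFile' "$1"
}

# Usage: with_stripped_config CONFIG COMMAND [ARGS...]
# The body is a subshell, so the EXIT trap fires when this function ends
# and does not replace any trap set by the calling script.
with_stripped_config() (
    config=$1
    shift
    backup=$(mktemp "${config}.orig.XXXXXX") || exit 1
    cp -p "$config" "$backup" || { rm -f "$backup"; exit 1; }
    # From here on, every exit path puts the original config back.
    trap 'cp -p "$backup" "$config" && rm -f "$backup"' EXIT
    trap 'exit 130' INT TERM
    strip_proxy_tls "$backup" > "$config" || exit 1
    "$@"
    exit $?
)

# Demo on a constructed config in a temp directory: bash thisfile demo
if [ "${1:-}" = "demo" ]; then
    dir=$(mktemp -d)
    printf '%s\n' 'VirtualHost {' \
        '    Hostname = example.test' \
        '    ReverseProxy = .* http://127.0.0.1:8080/' \
        '    RequireTLS = yes' \
        '    TLScertFile = /tmp/example.pem' \
        '    WebsiteRoot = /var/www/hcs' \
        '}' > "$dir/hiawatha.conf"
    echo "--- config seen by the command:"
    with_stripped_config "$dir/hiawatha.conf" cat "$dir/hiawatha.conf"
    echo "--- config afterwards:"
    cat "$dir/hiawatha.conf"
    rm -rf "$dir"
fi
```

The command passed in would restart Hiawatha and run the ACME client; Hiawatha still needs one more restart after the function returns so that the restored config is loaded.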


See my notes for letsencrypt on a hiawatha reverse proxy.

I use the webroot method without taking the proxy or websites down.