This page is part of a static HTML representation of the TiddlyWiki at https://tiddlywiki.com/

Using HTTPS

 11th November 2021 at 2:36am

By default, TiddlyWiki's WebServer serves resources over the insecure HTTP protocol. The risk is minimal if it is only being used within a private, trusted network, but in many situations it is desirable to use a secure HTTPS connection.

HTTPS requires the server to be configured with a certificate, supplied as a "cert" file and a "key" file via the tls-cert and tls-key parameters.

Introduced in v5.2.2: the optional tls-passphrase parameter allows the server to use certificate files that have been generated with a passphrase/password.

Certificates can be obtained from a certification authority such as https://letsencrypt.org/, or you can create a self-signed certificate for internal testing.

To create the required certificate files with the popular openssl utility:

openssl req -newkey rsa:2048 -new -nodes -keyout mywikifolder/key.pem -out mywikifolder/csr.pem
openssl x509 -req -days 365 -in mywikifolder/csr.pem -signkey mywikifolder/key.pem -out mywikifolder/server.crt
tiddlywiki mywikifolder --listen username=joe password=bloggs tls-key=key.pem tls-cert=server.crt

If using a tls-passphrase to generate the certificate files, the commands would change as below:

  • remove the -nodes flag, which specifies "no encryption"
  • replace TLS_PASSPHRASE in the -passout and -passin parameters in the commands below with your chosen string.

This is the simplest, but least secure, method of passing a passphrase to the certificate utility. See this Stack Exchange answer on openssl certificates and the openssl and openssl-passphrase-options pages in the openssl utility documentation.

openssl req -newkey rsa:2048 -new -keyout mywikifolder/key.pem -out mywikifolder/csr.pem -passout pass:TLS_PASSPHRASE
openssl x509 -req -days 365 -in mywikifolder/csr.pem -signkey mywikifolder/key.pem -out mywikifolder/server.crt -passin pass:TLS_PASSPHRASE
tiddlywiki mywikifolder --listen username=joe password=bloggs tls-key=key.pem tls-cert=server.crt tls-passphrase=TLS_PASSPHRASE
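
A check to run on mywikifolder/key.pem before starting the server, as an added example that is not part of the TiddlyWiki documentation: it reports whether the key is passphrase-protected (so tls-passphrase is needed) or stored unencrypted (as -nodes produces), and whether anyone other than the owner can access the file. The function names are hypothetical, and the detection assumes the standard PEM header lines.

```shell
#!/bin/sh
# Added example: audit a PEM private key before passing it to tls-key.
# Function names are hypothetical; detection relies on standard PEM header lines.

# key_encryption FILE -> prints "encrypted", "plaintext" or "unknown"
key_encryption() {
    if grep -q -e '-----BEGIN ENCRYPTED PRIVATE KEY-----' "$1"; then
        echo encrypted      # PKCS#8 key protected by a passphrase
    elif grep -q -e '^Proc-Type: 4,ENCRYPTED' "$1"; then
        echo encrypted      # traditional PEM key with an encryption header
    elif grep -q -e '-----BEGIN [A-Z ]*PRIVATE KEY-----' "$1"; then
        echo plaintext      # unencrypted key, as produced with -nodes
    else
        echo unknown        # e.g. a certificate or CSR passed by mistake
    fi
}

# key_mode_ok FILE -> succeeds only if group and others have no permissions
key_mode_ok() {
    [ "$(ls -ld -- "$1" | cut -c5-10)" = "------" ]
}

# audit_tls_key FILE -> prints findings; returns 1 if something must be fixed
audit_tls_key() {
    rc=0
    case $(key_encryption "$1") in
        encrypted) echo "$1: encrypted key, start the server with tls-passphrase" ;;
        plaintext) echo "$1: unencrypted key, file permissions are its only protection" ;;
        *)         echo "$1: no PEM private key found"; rc=1 ;;
    esac
    if ! key_mode_ok "$1"; then
        echo "$1: accessible to group/others, restrict it with: chmod 600 $1"
        rc=1
    fi
    return $rc
}

# Usage: sh audit_key.sh mywikifolder/key.pem
if [ $# -gt 0 ]; then
    audit_tls_key "$1"
fi
```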