
Print warnings on not being able to load certificates

Open epsilon-0 opened this issue 4 years ago • 9 comments

I have an SSL app which ran, but all SSL connections failed because the certificates had incorrect permissions (the system admin had messed up).

Knowing that the problem was with the loading of the certificates would have been helpful for debugging. It took us a really long time to figure out it was a file issue and not an OpenSSL version issue.
Is there a way to get debug information from the library, so we can catch errors like this?

Thanks, Aisha

epsilon-0, Nov 27 '20 16:11

Didn't the listen function just fail?

ghost, Nov 30 '20 20:11

No, it didn't fail. Trying to read the files caused an ENOENT error, but the listen proceeded and the server was running.

epsilon-0, Nov 30 '20 20:11

Possibly related, just to add:

  • I had an SSLApp silently fail (it just returned an empty response) when I accidentally used port 80 instead of 443.
  • ca_file_name isn't mentioned on https://unetworking.github.io/uWebSockets.js/generated/interfaces/appoptions.html, but I found it at https://github.com/uNetworking/uWebSockets/blob/master/src/App.h#L38. It still worked even without providing it, though (maybe it is not needed at all).

I'm on Ubuntu 20.04, uWebSockets.js v18.12.0

joshxyzhimself, Jan 03 '21 15:01

Update: it looks like it only works on chrome desktop, but not on firefox desktop and chrome android.

I've tried the following but no luck:

const fs = require('fs');
const assert = require('assert');
const uws = require('uWebSockets.js');

let app = null;
let port = null;

// Let's Encrypt layout: privkey.pem (key), cert.pem (leaf certificate only),
// chain.pem (intermediates only)
const endpoint_domain = 'mydomain.com';
const key_file_name = `/etc/letsencrypt/live/${endpoint_domain}/privkey.pem`;
const cert_file_name = `/etc/letsencrypt/live/${endpoint_domain}/cert.pem`;
const ca_file_name = `/etc/letsencrypt/live/${endpoint_domain}/chain.pem`;

// existsSync only reports that the path exists; it says nothing about read permission
if (fs.existsSync(key_file_name) === true) {
  assert(fs.existsSync(cert_file_name) === true);
  assert(fs.existsSync(ca_file_name) === true);

  // TLS on 443 when the certificate files are present
  app = uws.SSLApp({ key_file_name, cert_file_name, ca_file_name });
  port = 443;
} else {
  // plain HTTP fallback for local development
  app = uws.App({});
  port = 8080;
}

Edit: solved with the following:

  1. using privkey and fullchain:

const key_file_name = `/etc/letsencrypt/live/${endpoint_domain}/privkey.pem`;
const cert_file_name = `/etc/letsencrypt/live/${endpoint_domain}/fullchain.pem`;

  2. using a separate instance for ports 80 and 443. In prod, the port 80 instance could simply be a redirect to https://mysite.com/.

Edit: how do I mark my comment as outdated lol.

joshxyzhimself, Jan 03 '21 16:01

Maybe this should be tied up with logging

ghost, Jan 19 '21 06:01

There also seem to be no warnings/errors if uWS is compiled without WITH_OPENSSL=1. It compiles and executes without using an SSL context even when the code tells it to.

lolirelia, Mar 16 '21 16:03

Should the cert_file_name be changed to fullchain_file_name or cert_ca_file_name?

fullchain.pem = cert.pem + ca.pem, right?

joshxyzhimself, Mar 17 '21 00:03

Renaming things is always fun, but it breaks backwards compatibility. So in many cases even a bad name kept is better than a good name introduced. You are still allowed to pass only cert; it works both ways.

ghost, Mar 17 '21 00:03

fullchain_file_name is a good name; it can be added as an alias.

uNetworkingAB, Nov 06 '22 04:11