Print warnings on not being able to load certificates

[epsilon-0]

I have an SSL app, which ran but all SSL connections failed as the certificates were with incorrect permissions (system admin had messed up).

Knowing that the problem was with the loading of certificates would have been helpful to debug. It took us really long to figure out it was a file issue and not an OpenSSL version issue.
Is there a way to have debug information with the library, so we can catch errors like this?

Thanks,
Aisha

[ghost]

Didn't the listen function just fail?

[epsilon-0]

No, it didn't fail. 😮
Trying to read the files was causing an ENOENT error but the listen proceeded and the server was running.

[joshxyzhimself]

Possibly related, just to add:

• I had an SSLApp silently fail (just returns empty response) when I accidentally used port 80, instead of 443.
• ca_file_name isn't mentioned on https://unetworking.github.io/uWebSockets.js/generated/interfaces/appoptions.html, but I found it at https://github.com/uNetworking/uWebSockets/blob/master/src/App.h#L38. It still worked though even without providing it (maybe not needed at all).

I'm on Ubuntu 20.04, uWebSockets.js v18.12.0

[joshxyzhimself]

Update: it looks like it only works on chrome desktop, but not on firefox desktop and chrome android.

I've tried the following but no luck:

let app = null;
let port = null;

const endpoint_domain = 'mydomain.com';
const key_file_name = `/etc/letsencrypt/live/${endpoint_domain}/privkey.pem`;
const cert_file_name = `/etc/letsencrypt/live/${endpoint_domain}/cert.pem`;
const ca_file_name = `/etc/letsencrypt/live/${endpoint_domain}/chain.pem`;

if (fs.existsSync(key_file_name) === true) {
  assert(fs.existsSync(cert_file_name) === true);
  assert(fs.existsSync(ca_file_name) === true);

  app = uws.SSLApp({ key_file_name, cert_file_name, ca_file_name });
  port = 443;
} else {
  app = uws.App({});
  port = 8080;
}

Edit: solved with using the following:

1. using privkey and fullchain

const key_file_name = `/etc/letsencrypt/live/${endpoint_domain}/privkey.pem`;
const cert_file_name = `/etc/letsencrypt/live/${endpoint_domain}/fullchain.pem`;

2. using a separate instance for ports 80 and 443. in prod, port 80 instance could simply be a redirect to https://mysite.com/.

Edit: how do I mark my comment as outdated lol.

[ghost]

Maybe this should be tied up with logging

[lolirelia]

There also seems to be no warnings/errors if uWS is compiled without "WITH_OPENSSL=1" . It compiles and executes without using an ssl context even when the code tells it to.

[joshxyzhimself]

Should the cert_file_name be changed to fullchain_file_name or cert_ca_file_name?

fullchain.pem = cert.pem + ca.pem, right?

[ghost]

Renaming things is always fun but breaks backwards compatibility. So even a bad name kept is better than a good name introduced in many cases. You still are allowed to pass only cert, it works both ways.

[uNetworkingAB]

fullchain_file_name is a good name, it can be added as an alias