changeset 8031:0f5d31be5418
issue2551219 - use of PEM file with roundup-server
Document requirements of PEM file when using roundup-server in SSL/TLS
mode in the config.ini generated by roundup-server --save-config.
Trap errors produced by missing cert or key when reading a pem file
and try to produce a more useful error.
Man page already had correct documentation. However, because man pages
are justified, the marker lines get additional internal spacing. Use
example macros to prevent this spacing in case somebody cuts/pastes
the marker lines.
| author | John Rouillard <rouilj@ieee.org> |
|---|---|
| date | Sat, 08 Jun 2024 04:52:59 -0400 |
| parents | 6d1b62ffbb5d |
| children | ce1e65af97fb |
| files | CHANGES.txt roundup/scripts/roundup_server.py share/man/man1/roundup-server.1 |
| diffstat | 3 files changed, 38 insertions(+), 7 deletions(-) |
--- a/CHANGES.txt Thu Jun 06 20:23:31 2024 -0400 +++ b/CHANGES.txt Sat Jun 08 04:52:59 2024 -0400 @@ -170,6 +170,10 @@ requests where the file is not modified. (John Rouillard) - Update JWT example in rest.py to use replacement for datetime.datetime.utcnow(). (John Rouillard) +- issue2551219 - document requirements of PEM file when using + roundup-server in SSL/TLS mode. Report better error messages + when PEM file is missing certificate or private key. (John + Rouillard) Features:
--- a/roundup/scripts/roundup_server.py Thu Jun 06 20:23:31 2024 -0400 +++ b/roundup/scripts/roundup_server.py Sat Jun 08 04:52:59 2024 -0400 @@ -137,8 +137,18 @@ self.socket = socket.socket(self.address_family, self.socket_type) if ssl_pem: ctx = SSL.Context(SSL.TLSv1_2_METHOD) - ctx.use_privatekey_file(ssl_pem) - ctx.use_certificate_file(ssl_pem) + try: + ctx.use_privatekey_file(ssl_pem) + except SSL.Error: + print(_("Unable to find/use key from file: %(pemfile)s") % {"pemfile": ssl_pem}) + print(_("Does it have a private key surrounded by '-----BEGIN PRIVATE KEY-----' and\n '-----END PRIVATE KEY-----' markers?")) + exit() + try: + ctx.use_certificate_file(ssl_pem) + except SSL.Error: + print(_("Unable to find/use certificate from file: %(pemfile)s") % {"pemfile": ssl_pem}) + print(_("Does it have a certificate surrounded by '-----BEGIN CERTIFICATE-----' and\n '-----END CERTIFICATE-----' markers?")) + exit() else: ctx = auto_ssl() self.ssl_context = ctx @@ -677,8 +687,13 @@ (configuration.BooleanOption, "ssl", "no", "Enable SSL support (requires pyopenssl)"), (configuration.NullableFilePathOption, "pem", "", - "PEM file used for SSL. A temporary self-signed certificate\n" - "will be used if left blank."), + "PEM file used for SSL. The PEM file must include\n" + "both the private key and certificate with appropriate\n" + 'headers (i.e. "-----BEGIN PRIVATE KEY-----",\n' + '"-----END PRIVATE KEY-----" and ' + '"-----BEGIN CERTIFICATE-----",\n' + '"-----END CERTIFICATE-----". A temporary self-signed\n' + "certificate will be used if left blank."), (configuration.WordListOption, "include_headers", "", "Comma separated list of extra headers that should\n" "be copied into the CGI environment.\n"
--- a/share/man/man1/roundup-server.1 Thu Jun 06 20:23:31 2024 -0400 +++ b/share/man/man1/roundup-server.1 Sat Jun 08 04:52:59 2024 -0400 @@ -59,9 +59,21 @@ \fB-e\fP \fIfile\fP Sets a filename containing the PEM file to use for SSL. The PEM file must include both the private key and certificate with appropriate -headers (e.g. "-----BEGIN PRIVATE KEY-----", "-----END PRIVATE -KEY-----" and "-----BEGIN CERTIFICATE-----", "-----END -CERTIFICATE-----". If no file is specified, a temporary self-signed +header/trailer markers: + +.EX +-----BEGIN PRIVATE KEY----- +-----END PRIVATE KEY----- +.EE + +and + +.EX +-----BEGIN CERTIFICATE----- +-----END CERTIFICATE----- +.EE + +If no file is specified, a temporary self-signed certificate will be used. .TP \fB-N\fP
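Review bot: in the roundup_server.py hunk at @@ -137, both new `except SSL.Error:` handlers in the `ssl_pem` branch end with the bare `exit()` builtin, which comes from the `site` module and exits with status 0, so an init script or process supervisor sees a clean shutdown when the PEM file is unusable; prefer `sys.exit(1)` (adding `import sys` if the module does not already have it) and send the two diagnostics to stderr with `print(..., file=sys.stderr)` so they survive stdout redirection. Two smaller points on the same hunk: the hint only names `-----BEGIN PRIVATE KEY-----`, while OpenSSL also accepts PKCS#1 `-----BEGIN RSA PRIVATE KEY-----` and `-----BEGIN EC PRIVATE KEY-----` blocks from the same file, so wording it as "a private key block such as ..." avoids sending users with a valid RSA-format key down the wrong path; and once both loads succeed, a `ctx.check_privatekey()` call (which also raises `SSL.Error`) would reject a key that does not match the certificate at startup instead of at the first failed TLS handshake.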
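Review bot: in the roundup_server.py hunk at @@ -677, the new `pem` option help text opens a parenthesis at `headers (i.e. "-----BEGIN PRIVATE KEY-----",` and never closes it; the sentence runs on to `'"-----END CERTIFICATE-----". A temporary self-signed\n'`, so a `)` is needed after the last marker. Since the adjacent literals are concatenated, note that `'"-----END PRIVATE KEY-----" and '` has no trailing `\n` and therefore joins the following `"-----BEGIN CERTIFICATE-----",` onto the same line of the generated config.ini; if that wrap is intended it is fine, but it is worth eyeballing the `--save-config` output once, because every other line in this string breaks explicitly.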
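Review bot: in the roundup-server.1 hunk, `.EX`/`.EE` are groff extensions to the man macros rather than part of the classic man(7) set, so on a formatter that does not define them the marker lines are treated as ordinary filled text and the internal spacing this change is meant to prevent comes back. Either add fallback definitions near the top of the page (a `.de EX` that does `.nf` and a `.de EE` that does `.fi`, guarded so they are only defined when the macros are absent) or switch the two blocks to plain `.nf`/`.fi`, which every troff understands.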
