v5 How to Configure Certificate for Secure Listeners?

I am following the steps outlined at https://doc.photonengine.com/en-us/server/v5/operations/server-config#certificate_setup_for_secure_listeners

However, whenever I try to load the cert, I get the following error:
4480: 17:22:49.487 - CService::OnException() - Exception: CCreateSimpleContext::CreateSSLContext()
 - Failed to load private key file: "C:\...\Photon-OnPremises-Server-Plugin-SDK_v5-0-1-21359-BETA\deploy\bin_Win64\certs\server.pem"
 - error:0909006C:PEM routines:get_name:no start line
error:140B0009:SSL routines:SSL_CTX_use_PrivateKey_file:PEM lib

But then, when I point the file to the key instead, I get:
4476: 17:23:59.208 - CService::OnException() - Exception: CCreateSimpleContext::CreateSSLContext() 
- Failed to load certificate file: "C:\...\Photon-OnPremises-Server-Plugin-SDK_v5-0-1-21359-BETA\deploy\bin_Win64\certs\server.pem"
- error:0909006C:PEM routines:get_name:no start line
error:140DC009:SSL routines:use_certificate_chain_file:PEM lib

Lol

Normally I would need to load both the private key and the cert, right? What's going on?

Thanks for your help

Comments

  • Hi, @OldPilgrim
    Our documentation is missing the 'key' setting.
    So, in your case you have to specify 'CertificatePath' as the folder where the files are located; then `Certificate` should contain the name of the file with the certificate and `Key` should contain the file with the key.

    Also, you may put everything in one file, call it 'server.pem' and set only CertificatePath.

    best,
    ilya
  • OldPilgrim
    edited August 2020
    @chvetsov ok, thanks!!

    Edit: specifying the Certificate and Key attributes doesn't work (it didn't work before either); it's still trying to load server.pem
    4692: 09:12:04.278 - CService::OnException() - Exception: CCreateSimpleContext::CreateSSLContext() 
    - Failed to load certificate file: "C:\Users\Me\myCerts\server.pem" - error:02001002:system library:fopen:No such file or directory
    error:20074002:BIO routines:file_ctrl:system lib
    error:140DC002:SSL routines:use_certificate_chain_file:system lib
    

    However, I concatenated the key and cert into one pem file and it worked.
  • @OldPilgrim
    Could you provide a config snippet so we can see how you configured it? Maybe we have a bug and will be able to reproduce it.

    best,
    ilya
  • @chvetsov
    <WebSocketListener
        IPAddress="0.0.0.0"
        Port="9090"
        DisableNagle="true"
        InactivityTimeout="10000"
        OverrideApplication="Master"
        Secure="true"
        CertificatePath="C:\Users\Me\myCerts"
        Certificate="server-crt.pem"
        Key="server-key.pem">
    </WebSocketListener>
    
  • JohnTube
    hey @OldPilgrim,

    In v5 RC1 we have changed how listeners for WSS are configured.
    But it means you could also try if the new way of setting up custom certificates was the same in v5 BETA as well and we just did not document this properly.
    BTW documentation for v5 RC1 is also still WiP.
    <WebSocketListener
        Secure="true">
        <ServerCertificate
            Path="C:\Users\Me\myCerts"
            Certificate="server-crt.pem"
            Key="server-key.pem">
        </ServerCertificate>
    </WebSocketListener>
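
A pre-flight check for the single-file `server.pem` workaround discussed in this thread, as an added example that is not part of the original posts or Photon's own code: it lists the PEM blocks in a file, reports which load would fail with "no start line", and builds the combined file. The function names and sample blocks are constructed for illustration; it checks only the PEM armor, not that the key and certificate belong together.

```python
import base64
import re

# One PEM block: BEGIN line, body, END line with the same label.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)\r?\n-----END \1-----", re.DOTALL)
KEY_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY",
              "ENCRYPTED PRIVATE KEY"}


def pem_labels(text):
    """Return labels of the well-formed PEM blocks in text, in file order."""
    labels = []
    for label, body in PEM_BLOCK.findall(text):
        # Drop "Proc-Type:"/"DEK-Info:" header lines of legacy encrypted keys.
        b64 = "".join(l.strip() for l in body.splitlines() if ":" not in l)
        try:
            base64.b64decode(b64, validate=True)
        except ValueError:
            continue  # armor present but body is not base64
        labels.append(label)
    return labels


def single_file_problems(text):
    """List why a file cannot serve as both certificate and key file."""
    labels = pem_labels(text)
    problems = []
    if "CERTIFICATE" not in labels:
        problems.append("no CERTIFICATE block: certificate load gives 'no start line'")
    if not KEY_LABELS.intersection(labels):
        problems.append("no private key block: key load gives 'no start line'")
    return problems


def combine(cert_pem, key_pem):
    """Build the combined PEM text after checking each input holds its block."""
    if "CERTIFICATE" not in pem_labels(cert_pem):
        raise ValueError("certificate input has no CERTIFICATE block")
    if not KEY_LABELS.intersection(pem_labels(key_pem)):
        raise ValueError("key input has no private key block")
    return cert_pem.rstrip() + "\n" + key_pem.rstrip() + "\n"


# Constructed sample blocks: placeholder base64 bodies, not real key material.
SAMPLE_CERT = "-----BEGIN CERTIFICATE-----\nQ09OU1RSVUNURUQ=\n-----END CERTIFICATE-----\n"
SAMPLE_KEY = "-----BEGIN PRIVATE KEY-----\nUExBQ0VIT0xERVI=\n-----END PRIVATE KEY-----\n"

if __name__ == "__main__":
    print(single_file_problems(SAMPLE_CERT))                      # key missing
    print(single_file_problems(combine(SAMPLE_CERT, SAMPLE_KEY)))  # no problems
```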