issue2551219 - use of PEM file with roundup-server

rouilj · rouilj · commit 1969ca3d5913 · 2024-06-08T04:52:59.000-04:00
Document requirements of PEM file when using roundup-server in SSL/TLS
mode in the config.ini generated by roundup-server --save-config.

Trap errors produced by missing cert or key when reading a pem file
and try to produce a more useful error.

Man page already had correct documentation. However because man pages
are justified, the marker lines get additional internal spacing. Use
example macros to prevent this spacing in case somebody cuts/pastes
the marker lines.
diff --git a/CHANGES.txt b/CHANGES.txt
@@ -170,6 +170,10 @@ Fixed:
   requests where the file is not modified. (John Rouillard)
 - Update JWT example in rest.py to use replacement for
   datetime.datetime.utcnow(). (John Rouillard)
+- issue2551219 - document requirements of PEM file when using
+  roundup-server in SSL/TLS mode. Report better error messages
+  when PEM file is missing certificate or private key. (John
+  Rouillard)
 
 Features:
 
diff --git a/roundup/scripts/roundup_server.py b/roundup/scripts/roundup_server.py
@@ -137,8 +137,18 @@ def __init__(self, server_address, HandlerClass, ssl_pem=None):
         self.socket = socket.socket(self.address_family, self.socket_type)
         if ssl_pem:
             ctx = SSL.Context(SSL.TLSv1_2_METHOD)
-            ctx.use_privatekey_file(ssl_pem)
-            ctx.use_certificate_file(ssl_pem)
+            try:
+                ctx.use_privatekey_file(ssl_pem)
+            except SSL.Error:
+                print(_("Unable to find/use key from file: %(pemfile)s") % {"pemfile": ssl_pem})
+                print(_("Does it have a private key surrounded by '-----BEGIN PRIVATE KEY-----' and\n  '-----END PRIVATE KEY-----' markers?"))
+                exit()
+            try:
+                ctx.use_certificate_file(ssl_pem)
+            except SSL.Error:
+                print(_("Unable to find/use certificate from file: %(pemfile)s") % {"pemfile": ssl_pem})
+                print(_("Does it have a certificate surrounded by '-----BEGIN CERTIFICATE-----' and\n  '-----END CERTIFICATE-----' markers?"))
+                exit()
         else:
             ctx = auto_ssl()
         self.ssl_context = ctx
@@ -677,8 +687,13 @@ class ServerConfig(configuration.Config):
             (configuration.BooleanOption, "ssl", "no",
                 "Enable SSL support (requires pyopenssl)"),
             (configuration.NullableFilePathOption, "pem", "",
-                "PEM file used for SSL. A temporary self-signed certificate\n"
-                "will be used if left blank."),
+                "PEM file used for SSL. The PEM file must include\n"
+                "both the private key and certificate with appropriate\n"
+                'headers (i.e. "-----BEGIN PRIVATE KEY-----",\n'
+                '"-----END PRIVATE KEY-----" and '
+                '"-----BEGIN CERTIFICATE-----",\n'
+                '"-----END CERTIFICATE-----". A temporary self-signed\n'
+                "certificate will be used if left blank."),
             (configuration.WordListOption, "include_headers", "",
                 "Comma separated list of extra headers that should\n"
                 "be copied into the CGI environment.\n"
diff --git a/share/man/man1/roundup-server.1 b/share/man/man1/roundup-server.1
@@ -59,9 +59,21 @@ roundup-server.
 \fB-e\fP \fIfile\fP
 Sets a filename containing the PEM file to use for SSL. The PEM file
 must include both the private key and certificate with appropriate
-headers (e.g. "-----BEGIN PRIVATE KEY-----", "-----END PRIVATE
-KEY-----" and "-----BEGIN CERTIFICATE-----", "-----END
-CERTIFICATE-----". If no file is specified, a temporary self-signed
+header/trailer markers:
+
+.EX
+-----BEGIN PRIVATE KEY-----
+-----END PRIVATE KEY-----
+.EE
+
+and
+
+.EX
+-----BEGIN CERTIFICATE-----
+-----END CERTIFICATE-----
+.EE
+
+If no file is specified, a temporary self-signed
 certificate will be used.
 .TP
 \fB-N\fP
