Unable to read the default .pem files generated by a Cro app. #194

Open
arunvickram opened this issue Feb 5, 2024 · 13 comments

@arunvickram

Hi,

I generated a Cro repo using the following command:

$ cro stub http checkout checkout
Stubbing a HTTP Service 'checkout' in 'checkout'...

First, please provide a little more information.

Support HTTP/1.1 (yes/no) [yes]: yes
Support HTTP/2.0 (yes/no) [no]: yes
Support Web Sockets (yes/no) [no]: yes

After that, I went in to simply run the app by doing:

cro run

and then it gave me this error:

🔌 Endpoint HTTPS will be at https://localhost:20000/
⚠ checkout Failed to import resources/fake-tls/server-crt.pem as PEM/ASN1/PKCS12
⚠ checkout   in block  at ~/.asdf/installs/raku/2024.01/share/perl6/site/sources/8143677EA272A04F4BA3843A02BBD016F5269804 (IO::Socket::Async::SSL) line 521
⚠ checkout   in block  at ~/.asdf/installs/raku/2024.01/share/perl6/site/sources/8143677EA272A04F4BA3843A02BBD016F5269804 (IO::Socket::Async::SSL) line 500
⚠ checkout   in method start at ~/.asdf/installs/raku/2024.01/share/perl6/site/sources/D44076D0A385A3A9EB7D72A86CA729FD99EE59B7 (Cro::Service) line 12
⚠ checkout   in block <unit> at service.raku line 22
⚠ checkout
📓 checkout Listening at https://localhost:20000

I managed to trace the error to this section of code:

I'm gonna be honest, this is probably way above my pay grade to fix, so if someone could look into this, that would be great!
Thanks!

@librasteve

I have reproduced this error on my (arm64) Mac:

Sonoma 14.2.1 (23C71)

Welcome to Rakudo™ v2024.01.
Implementing the Raku® Programming Language v6.d.
Built on MoarVM version 2024.01.

OpenSSL 3.2.1 30 Jan 2024 (Library: OpenSSL 3.2.1 30 Jan 2024)

It also fails on vanilla Ubuntu:

Description: Ubuntu 20.04.4 LTS

Welcome to Rakudo™ v2022.02.
Implementing the Raku® Programming Language v6.d.
Built on MoarVM version 2022.02.

OpenSSL 1.1.1f 31 Mar 2020

@bn-ssotka

Any chance you can find the certfile and attach it? I assume the pem file is in base64.

@arunvickram
Author

Here are the files that it generated. I just added a .txt extension so I could upload them to GitHub.

ca-crt.pem.txt
server-crt.pem.txt
server-key.pem.txt

@bn-ssotka

bn-ssotka commented Feb 13, 2024

Found the problem. If you look at https://github.com/croservices/cro/tree/master/resources/fake-tls you will see the fake keys that are used when you create a stub server with SSL. They are hard-coded and the same ones are used each time.

I replaced them in my stub with a self-signed cert and it worked fine.

openssl req -x509 -out localhost.crt -keyout localhost.key \
--newkey rsa:2048 -nodes -sha256 \
-subj '/CN=localhost' -extensions EXT -config <( \
printf "[dn]\nCN=localhost\n[req]\ndistinguished_name = dn\n[EXT]\nsubjectAltName=DNS:localhost\nkeyUsage=digitalSignature\nextendedKeyUsage=serverAuth")

That will create a localhost.key and localhost.crt file. Move them into the resources directory and rename them to server-key.pem and server-crt.pem respectively. Then start your server.
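
A way to sanity-check the replacement files before running `cro run`, as an added example that is not part of the comment above or of the Cro project. It repeats the import step that failed in the report, then checks expiry, key/certificate match and the `subjectAltName`; the function name `check_tls_pair` is hypothetical.

```shell
#!/bin/sh
# Added example (not Cro's code): validate a PEM certificate/key pair.
# check_tls_pair is a hypothetical helper name.
# Usage: check_tls_pair CERT KEY [HOSTNAME]; returns 0 only if all checks pass.
check_tls_pair() {
    cert=$1; key=$2; host=${3:-localhost}

    # 1. Certificate must parse as PEM X.509 (the step that failed in the report).
    openssl x509 -in "$cert" -noout >/dev/null 2>&1 \
        || { echo "FAIL: $cert is not a readable PEM certificate"; return 1; }

    # 2. Certificate must not have expired.
    openssl x509 -in "$cert" -noout -checkend 0 >/dev/null 2>&1 \
        || { echo "FAIL: $cert has expired"; return 1; }

    # 3. Private key must parse, and its public half must equal the
    #    public key embedded in the certificate.
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) \
        || { echo "FAIL: $key is not a readable private key"; return 1; }
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null)
    [ "$key_pub" = "$cert_pub" ] \
        || { echo "FAIL: $key does not match $cert"; return 1; }

    # 4. Browsers match the host against subjectAltName, not the CN.
    openssl x509 -in "$cert" -noout -text 2>/dev/null \
        | grep -Eq "DNS:${host}(,|\$)" \
        || { echo "FAIL: $cert has no subjectAltName DNS:$host"; return 1; }

    echo "OK: $cert and $key are usable for $host"
}

# Run directly as:
#   sh check.sh resources/fake-tls/server-crt.pem resources/fake-tls/server-key.pem
if [ "$#" -ge 2 ]; then
    check_tls_pair "$@"
fi
```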

@arunvickram
Author

Do you think we could add something to the documentation on how to generate a self-signed cert? I think it would help a lot.

@librasteve

@arunvickram - good idea ... did you do this already? If so, I suggest you add it as a PR to the README.

@arunvickram
Author

Update: after following @bn-ssotka's instructions I'm getting this error in the terminal:
[Image: Screenshot 2024-02-16 at 10 00 46 AM]

@bn-ssotka

@arunvickram Interesting. Let me check if I made a mistake in the cut and paste I did for the command.

@bn-ssotka

❯ openssl req -x509 -out localhost.crt -keyout localhost.key \
--newkey rsa:2048 -nodes -sha256 \
-subj '/CN=localhost' -extensions EXT -config <( \
printf "[dn]\nCN=localhost\n[req]\ndistinguished_name = dn\n[EXT]\nsubjectAltName=DNS:localhost\nkeyUsage=digitalSignature\nextendedKeyUsage=serverAuth")
...+..+............+.+....................+.+...+.....+.+..+...+.+......+.........+........+...+.......+..+......+....+...+........+...+.......+.........+.........+.....+..........+.........+..+.+........+.+........+.+.....+.......+..+......+.+...+..+.+..............+.+..+++++++++++++++++++++++++++++++++++++++..+....+...........+...+.........+......+......+...+.+..+....+..........................+...+....+...............+...........+.+......+.....+.........+.+...+......+.....+...+.+.....+.+...+..+.+........+++++++++++++++++++++++++++++++++++++++.+.....+.+......+............+...+.....+....+...+........+...+......+..................++++++
........+...+......+++++++++++++++++++++++++++++++++++++++.......+............+.+.....+.......+..+.+.....+.+++++++++++++++++++++++++++++++++++++++..........+.........+..+.+............+.....+.+..+...+....+............+.....+...............+.+...+......+......+..++++++

❯ ls -lart
total 72
drwxr-xr-x 7 ssotka staff 224 Feb 12 16:21 ..
drwxr-xr-x 3 ssotka staff 96 Feb 12 16:21 resources
-rw-r--r-- 1 ssotka staff 931 Feb 12 16:21 service.raku
-rw-r--r--@ 1 ssotka staff 514 Feb 12 16:21 META6.json
-rw-r--r-- 1 ssotka staff 473 Feb 12 16:21 README.md
-rw-r--r-- 1 ssotka staff 250 Feb 12 16:21 .cro.yml
-rw-r--r-- 1 ssotka staff 52 Feb 12 16:21 .gitignore
-rw-r--r-- 1 ssotka staff 10 Feb 12 16:21 .dockerignore
-rw-r--r-- 1 ssotka staff 235 Feb 12 16:21 Dockerfile
drwxr-xr-x 4 ssotka staff 128 Feb 12 16:22 lib
drwxr-xr-x 13 ssotka staff 416 Feb 13 08:03 .
-rw------- 1 ssotka staff 1704 Feb 16 10:23 localhost.key
-rw-r--r-- 1 ssotka staff 1123 Feb 16 10:23 localhost.crt
❯ mv localhost.key resources/fake-tls/server-key.pem
❯ mv localhost.crt resources/fake-tls/server-crt.pem
❯ cro run
▶ Starting checkout (checkout)
🔌 Endpoint HTTPS will be at https://localhost:20000/
📓 checkout Listening at https://localhost:20000

Nope. I wonder if there may be differences in libssl.

@bn-ssotka

bn-ssotka commented Feb 16, 2024

@arunvickram I reproduced your error when I call https://localhost:20000/ using Firefox. But, it works in Chrome and Safari. That's very odd.

@arunvickram
Author

Yep @bn-ssotka, I was using Firefox; that's what produced the bug in the first place. It's my default browser, so it's my go-to when testing web apps.

@arunvickram
Author

@bn-ssotka Any updates on this?

@bn-ssotka

Sorry, I have no idea what the browsers are doing.
