I have a domain example.com for which my registrar has issued an SSL certificate *.example.com.
I have added the lines

    SSLEngine on
    SSLCertificateFile /etc/apache2/certs/ssl.cer
    SSLCertificateKeyFile /etc/apache2/certs/ssl.key
    SSLCertificateChainFile /etc/apache2/certs/ssl_intermediate.cer

to my Apache config and the webpage can be accessed via https at https://example.com.
Now, the webpage also listens for a websockets connection at wss://example.com:8888/wss/, which is being forwarded to a Python websockets server via

    ProxyPass "/wss/" "http://<internal_ip>:8888/" upgrade=websocket

No issues with this as well. What I'm confused about is the relationship between the SSL certificate issued by my registrar and the ability to protect the websockets connection with SSL. I use the websockets Python library for both client and server, which supports encrypted connections with (excerpt from here)

    ...
    ssl_context = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    localhost_pem = pathlib.Path(__file__).with_name("localhost.pem")
    ssl_context.load_cert_chain(localhost_pem)

    async def main():
        async with websockets.serve(hello, "<internal_ip>", 8888, ssl=ssl_context):
            await asyncio.Future()
    ...

My main questions are:
Everything works as expected if I don't supply an SSL context. But the connection is still a wss-connection, so I'm confused why this even works without SSL. When I provide the test-certificate localhost.pem from here the connection fails with

    ssl.SSLCertVerificationError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1129)

so I'm not sure if I can use any self-signed certificate for the websockets connection or if it must be synced with the domain certificate.
Is this pem-file supposed to be the same as the certificate issued by my registrar or are they completely independent?
Since web server and websocket are on the same domain name (even if different port) one can use the same certificate. But one can also use different certificates - it is possible to have multiple certificates covering the same domain at the same time.
Are client and server supposed to use the same pem-file?
Both with web server and with websocket there is usually only authentication of the server. Here the client will only verify the server's certificate and for this it needs to trust it. This is commonly done by trusting the certificate authority (CA) which issued the server's certificate - not the server's certificate directly.
Client authentication with certificates is called mutual authentication and is not that common. But in this case a client should not use the server certificate but its own - which authenticates the client and not the server.
Is it necessary to secure the websockets connection if the domain already uses SSL?
The websockets connection should get the same security as the domain itself. This does not mean that the websocket server itself needs to be TLS aware though. A common setup is to simply use the existing webserver as a reverse proxy for the websocket server - in which case the webserver terminates the TLS and provides the server certificate to the client. This way one can also use the default port for HTTPS and just use a special path for the websocket. It looks like this is what you intended to do (special path /ws) in your config.
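
The trust relationship described in this answer, as an added example that is not part of the original post or of the websockets documentation: an in-memory TLS handshake showing that the server loads certificate plus private key, while the client only needs to trust the issuer and check the hostname. It assumes the openssl command-line tool (1.1.1 or newer) is on PATH; the throwaway certificate, the function names and the hostnames are constructed for illustration.

```python
import pathlib, ssl, subprocess, tempfile

def make_self_signed(directory, name):
    """Throwaway self-signed certificate and key (constructed test data)."""
    cert, key = directory / "cert.pem", directory / "key.pem"
    subprocess.run(["openssl", "req", "-x509", "-newkey", "rsa:2048", "-nodes",
                    "-days", "1", "-subj", f"/CN={name}",
                    "-addext", f"subjectAltName=DNS:{name}",
                    "-keyout", str(key), "-out", str(cert)],
                   check=True, capture_output=True)
    return str(cert), str(key)

def handshake(server_ctx, client_ctx, hostname):
    """In-memory TLS handshake; returns "ok" or the client's verification error."""
    c_in, c_out, s_in, s_out = (ssl.MemoryBIO() for _ in range(4))
    client = client_ctx.wrap_bio(c_in, c_out, server_hostname=hostname)
    server = server_ctx.wrap_bio(s_in, s_out, server_side=True)
    pending = [client, server]
    for _ in range(20):
        for side in list(pending):
            try:
                side.do_handshake()
                pending.remove(side)
            except ssl.SSLWantReadError:
                pass  # this side needs more bytes from its peer
            except ssl.SSLCertVerificationError as exc:
                return exc.verify_message
        s_in.write(c_out.read())  # shuttle client -> server
        c_in.write(s_out.read())  # shuttle server -> client
        if not pending:
            return "ok"
    return "incomplete"

def demo():
    with tempfile.TemporaryDirectory() as tmp:
        cert, key = make_self_signed(pathlib.Path(tmp), "example.com")
        server_ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
        server_ctx.load_cert_chain(cert, key)  # server side: certificate and private key
        no_anchor = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # issuer unknown to client
        trusting = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        trusting.load_verify_locations(cert)  # client side: public certificate only
        return {
            "issuer unknown": handshake(server_ctx, no_anchor, "example.com"),
            "issuer trusted": handshake(server_ctx, trusting, "example.com"),
            "wrong hostname": handshake(server_ctx, trusting, "other.example.net"),
        }

if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

Only the "issuer trusted" case completes; the other two are rejected by the client, which is the same class of failure as the CERTIFICATE_VERIFY_FAILED error in the question.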