
unable to specify/use own-TLS cert with ps-printer-app; my config's ignored, and app auto-generates its own #38

@pgnd


i run Fedora 42.

i've an old hp 4050n laser jet on the lan. currently in use with Fedora-pkg'd cups 2.4x.

works great. but, doesn't support IPP / PrintAnywhere.

i'm preparing for the next-gen, using pappl-framework printer-apps for these legacy printers.

i've built/installed ps-printer-app from upstream src/master,

git reflog
	e7bd382 (HEAD -> master, origin/master, origin/HEAD) HEAD@{0}: clone: from https://github.com/OpenPrinting/ps-printer-app.git

rpm -qa | grep -E "cups|pappl|print|hplip|gutenprint|ghostscript"
	cups-2.4.12-3.fc42.x86_64
	cups-browsed-2.1.1-4.fc42.x86_64
	cups-client-2.4.12-3.fc42.x86_64
	cups-devel-2.4.12-3.fc42.x86_64
	cups-filesystem-2.4.12-3.fc42.noarch
	cups-filters-2.0.1-3.fc42.x86_64
	cups-filters-driverless-2.0.1-3.fc42.x86_64
	cups-ipptool-2.4.12-3.fc42.x86_64
	cups-libs-2.4.12-3.fc42.x86_64
	ghostscript-10.05.0-1.fc42.x86_64
	ghostscript-tools-fonts-10.05.0-1.fc42.noarch
	ghostscript-tools-printing-10.05.0-1.fc42.noarch
	gutenprint-5.3.5-5.fc42.x86_64
	gutenprint-cups-5.3.5-5.fc42.x86_64
	gutenprint-libs-5.3.5-5.fc42.x86_64
	hplip-3.25.2-4.fc42.x86_64
	hplip-common-3.25.2-4.fc42.x86_64
	hplip-gui-3.25.2-4.fc42.x86_64
	hplip-libs-3.25.2-4.fc42.x86_64
	libchromaprint-1.5.1-24.fc42.x86_64
	libcupsfilters-2.1.1-1.fc42.x86_64
	libcupsfilters-devel-2.1.1-1.fc42.x86_64
	pappl-1.4.9-1.fc42.x86_64
	pappl-devel-1.4.9-1.fc42.x86_64
	pappl-retrofit-1.0b2-7.fc42.x86_64
	pappl-retrofit-devel-1.0b2-7.fc42.x86_64

ldd `which ps-printer-app` | grep -iE "ssl|crypt|tls"
        libgnutls.so.30 => /lib64/libgnutls.so.30 (0x00007f4e5b800000)
        libk5crypto.so.3 => /lib64/libk5crypto.so.3 (0x00007f4e5b67e000)
        libcrypto.so.3 => /lib64/libcrypto.so.3 (0x00007f4e5a800000)
        libssl.so.3 => /lib64/libssl.so.3 (0x00007f4e59104000)
        libcrypt.so.2 => /lib64/libcrypt.so.2 (0x00007f4e58f11000)

from the WebUI, i see that TLS support is available; certs can be created.

i'm trying to config for use with my own SSL certs.

i defined host

grep ps-printer-app /etc/hosts
	127.0.0.1 ps-printer-app.loc
getent hosts ps-printer-app.loc
	127.0.0.1       ps-printer-app.loc

launch via systemd unit,

cat /etc/systemd/system/ps-printer-app.service
	...
	User=lp
	Environment=PAPPL_LOGLEVEL=debug HOME=/var/lib/ps-printer-app
	ExecStart=/usr/bin/ps-printer-app \
	  -o bind-address=127.0.0.1 \
	  -o server-port=8099 \
	  -o log-level=debug \
	  -o spool-directory=/var/lib/ps-printer-app/spool \
	  -o tls-required=true \
	   -o tls-cert-file=/var/lib/ps-printer-app/tls/ps-printer-app.loc.server.EC.crt.pem \
	   -o tls-key-file=/var/lib/ps-printer-app/tls/ps-printer-app.loc.server.EC.key.pem \
	   -o hostname=ps-printer-app.loc \
	 server
	...

	systemctl start ps-printer-app.service
	ps -ef | grep ps-printer-app
		lp       41431     1  0 21:41 ?        00:00:01 /usr/bin/ps-printer-app -o bind-address=127.0.0.1 -o server-port=8099 -o log-level=debug -o spool-directory=/var/lib/ps-printer-app/spool -o tls-required=true -o tls-cert-file=/var/lib/ps-printer-app/tls/ps-printer-app.loc.server.EC.crt.pem -o tls-key-file=/var/lib/ps-printer-app/tls/ps-printer-app.loc.server.EC.key.pem -o hostname=ps-printer-app.loc server
		root     41709 27332  0 21:45 pts/2    00:00:00 grep ps-printer-app

where, my own EC cert,

openssl x509 -noout -text -in /var/lib/ps-printer-app/tls/ps-printer-app.loc.server.EC.crt.pem
	Certificate:
	    Data:
	        Version: 3 (0x2)
	        Serial Number: 5024 (0x13a0)
	        Signature Algorithm: ecdsa-with-SHA256
	        Issuer: C=US, ST=NY, O=example.com, OU=example.com_CA, CN=example.com_CA_INTERMEDIATE, emailAddress=ssladmin@example.com
	        Validity
	            Not Before: May 23 02:04:48 2025 GMT
	            Not After : May 21 02:04:48 2035 GMT
	        Subject: C=US, ST=NY, L=New_York, O=example.com, OU=example.com_CA, CN=ps-printer-app.loc, emailAddress=ssladmin@example.com
	        Subject Public Key Info:
	            Public Key Algorithm: id-ecPublicKey
	                Public-Key: (384 bit)
	                pub:
	                    04:...:db
	                ASN1 OID: secp384r1
	                NIST CURVE: P-384
	        X509v3 extensions:
	            X509v3 Basic Constraints:
	                CA:FALSE
	            Netscape Cert Type:
	                SSL Server
	            Netscape Comment:
	                example.com SERVER Certificate
	            X509v3 Subject Key Identifier:
	                D7:...:0B
	            X509v3 Authority Key Identifier:
	                keyid:D0:...:CD
	                DirName:/O=example.com/OU=example.com_CA/L=New_York/ST=NY/C=US/emailAddress=ssladmin@example.com/CN=example.com_CA_ROOT
	                serial:10:00
	            X509v3 Key Usage: critical
	                Digital Signature
	            X509v3 Extended Key Usage:
	                TLS Web Server Authentication
	            X509v3 Subject Alternative Name:
	                DNS:ps-printer-app.loc, DNS:www.ps-printer-app.loc
	    Signature Algorithm: ecdsa-with-SHA256
	    Signature Value:
	        30:...:32

	openssl x509 -in ps-printer-app.loc.server.EC.crt.pem -noout -pubkey > cert.pub
	openssl ec -in ps-printer-app.loc.server.EC.key.pem -pubout > key.pub
	diff cert.pub key.pub
		(empty -> MATCHED)

notice that a local .cups/ dir is created, but not (yet) populated.

cd /var/lib/ps-printer-app/
systemctl stop ps-printer-app.service
rm -rf .cups
systemctl restart ps-printer-app.service

tree .cups/
	.cups/
	└── ssl

	2 directories, 0 files

nav to

https://ps-printer-app.loc:8099

as expected (self signed)

Warning: Potential Security Risk Ahead
 ps-printer-app.loc:8099 uses an invalid security certificate.
 The certificate is not trusted because it is self-signed.
 Error code: MOZILLA_PKIX_ERROR_SELF_SIGNED_CERT

	[Accept the Risk and Continue]

@ browser

400 - Bad Request

now, note the auto-creation of the crt/key pair,

pwd
	/var/lib/ps-printer-app
tree .cups/
	.cups/
	└── ssl
	    ├── myDesk.local.crt
	    └── myDesk.local.key

	2 directories, 2 files

where

hostname -s
	myDesk

nav to

https://127.0.0.1:8099/

similarly

Warning: Potential Security Risk Ahead
 127.0.0.1:8099 uses an invalid security certificate.
 The certificate is not trusted because it is self-signed.
 Error code: MOZILLA_PKIX_ERROR_SELF_SIGNED_CERT

	[Accept the Risk and Continue]

now @ "Configuration" screen in UI.

checking cert info in browser,

Certificate
	myDesk.local
	...

where

openssl x509 -noout -text -in /var/lib/ps-printer-app/.cups/ssl/myDesk.local.crt
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1747966521 (0x682fda39)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=US, CN=myDesk.local, O=myDesk.local, OU=Unknown, ST=Unknown, L=Unknown
        Validity
            Not Before: May 23 02:15:21 2025 GMT
            Not After : May 21 02:15:21 2035 GMT
        Subject: C=US, CN=myDesk.local, O=myDesk.local, OU=Unknown, ST=Unknown, L=Unknown
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:...:47
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Subject Alternative Name:
                DNS:myDesk.local, DNS:localhost
            X509v3 Extended Key Usage:
                TLS Web Server Authentication
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Subject Key Identifier:
                69:...:4C
    Signature Algorithm: sha256WithRSAEncryption
    Signature Value:
        66:...:fd

it's clearly happy enough with its own-generated TLS certs.

how do i get this to behave using my specific certs/keys & locations?
do i need config change? runtime, &/or @ build?
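A check worth running while this is being sorted out (added example code, not part of the issue or of ps-printer-app): it fetches the leaf certificate the listener actually presents, fingerprints it, and compares it with the file given via -o tls-cert-file, so a mismatch (the auto-generated ~/.cups/ssl cert being served instead of your own) is visible without clicking through browser dialogs. Host, port and certificate path default to the values from this issue and are assumptions you can override on the command line.

```python
import hashlib
import socket
import ssl
import sys

# Defaults taken from the issue; the cert path is the file passed via -o tls-cert-file.
DEFAULT_HOST = "ps-printer-app.loc"
DEFAULT_PORT = 8099
DEFAULT_CERT = "/var/lib/ps-printer-app/tls/ps-printer-app.loc.server.EC.crt.pem"

def fingerprint_pem(pem: str) -> str:
    """SHA-256 fingerprint of a PEM certificate as colon-separated uppercase hex,
    the same value `openssl x509 -noout -fingerprint -sha256` and the browser's
    certificate viewer show. If a chain file is given, only the first (leaf) cert counts."""
    pem = pem.strip()
    pem = pem[: pem.index(ssl.PEM_FOOTER) + len(ssl.PEM_FOOTER)]
    der = ssl.PEM_cert_to_DER_cert(pem)  # strips the PEM armour; no ASN.1 parsing
    return ":".join(f"{b:02X}" for b in hashlib.sha256(der).digest())

def fetch_served_pem(host: str, port: int, sni: str = "") -> str:
    """Return the leaf certificate the listener actually presents. Verification is
    disabled on purpose: we want to see what is served, self-signed or not."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=sni or host) as tls:
            return ssl.DER_cert_to_PEM_cert(tls.getpeercert(binary_form=True))

def served_matches_configured(served_pem: str, configured_pem: str) -> bool:
    return fingerprint_pem(served_pem) == fingerprint_pem(configured_pem)

def main(argv: list[str]) -> int:
    host = argv[1] if len(argv) > 1 else DEFAULT_HOST
    port = int(argv[2]) if len(argv) > 2 else DEFAULT_PORT
    cert_file = argv[3] if len(argv) > 3 else DEFAULT_CERT
    with open(cert_file, encoding="ascii") as fh:
        configured = fh.read()
    served = fetch_served_pem(host, port)
    print("configured:", fingerprint_pem(configured))
    print("served:    ", fingerprint_pem(served))
    if served_matches_configured(served, configured):
        print("OK: listener presents the configured certificate")
        return 0
    print("MISMATCH: listener presents another certificate (an auto-generated one?)")
    return 1

if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python3 check_served_cert.py ps-printer-app.loc 8099 /path/to/your.crt.pem`; the exit status is 0 only when the served fingerprint equals the configured file's, so it can sit in a post-start check of the systemd unit.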
