Using Cowboy as a HTTPS server with NMOS testing utility

[akanashin]

Hey! I'm working on implementation of NMOS node in Erlang using Cowboy/Ranch as a HTTP/HTTPS server for API.
Using nmos-testing utility (https://github.com/AMWA-TV/nmos-testing) from AMWA to verify my implementation.
Now, I've started working on Authorization and got into some issues.
Namely, this test utility is requesting some 'special' configuration of HTTPS server. This is a quote from their documentation: "
In order for requests made to the device under test to be trusted by the test suite, the following private keys and
certificates must be loaded into the device. This will provide the device with the hostname 'api.testsuite.nmos.tv',
and the hostname 'nmos-api.local' for mDNS.

...
Note that both an RSA and ECDSA certificate are provided in order to meet the requirements of BCP-003-01. Please consult
your TLS library or application for the configuration required in order to load two certificates at once.

... And there are two files for keys (for RSA and ECDSA), two files for certificates. And:

If your device under test can use certificate chain files, please use:
....

Alternatively, if your web server requires the server certificate and the chain to the CA to be separate, please use each of the server certificates:
...
with the chain file:
...
"

Now I'm not very experienced with certificates and keys, so I got couple questions:

1. Does Cowboy(Ranch) support two certificates at once? Looking at the way of supplying certificate to the system it doesn't (I have one parameter with one filepath for certificate and key).
2. Does Cowboy/Ranch support certificate chain files or it doesn't?

Just in case if there are any successful cases of using Cowboy/Ranch with nmos-testing utility I'd love to see configuration used.
Thanks

[essen]

What you are looking for is likely the sni_hosts option which allows configuring multiple hosts each with their separate certificates and options. The hostname's certificate should be in certfile and everything else in cacertfile. What they mean by the chain file is cacertfile.

Alternatively you also have certs_keys which allows configuring multiple without using SNI. It's possible that this is the one you want, I'm not sure based on your post.

Refer to https://www.erlang.org/docs/28/apps/ssl/ssl.html for full documentation of ssl options, there are many more than what Ranch advertises, and they will all work with Ranch.

[akanashin]

Thanks! I'm not really sure what's the real issue here =)
I just have the situation when this program (nmos-testing-tool) rejects my (server side) certificate. It is not really clear what the reason for that (the program runs inside docker container) so I'm trying to dig into documentation.
The important point is that my self-created certificate is completely accepted by Chrome browser and by curl utility running in the very same docker (I have performed necessary configuration inside the image). But not by the program.

I will see what to make out of certs_keys parameter, thanks