Description
i run Fedora 42.
i've an old hp 4050n laser jet on the lan. currently in use with Fedora-pkg'd cups 2.4x.
works great. but, doesn't support IPP / PrintAnywhere.
i'm preparing for the next-gen, using pappl-framework printer-apps for these legacy printers.
i've built/installed ps-printer-app from upstream src/master,
git reflog
e7bd382 (HEAD -> master, origin/master, origin/HEAD) HEAD@{0}: clone: from https://github.com/OpenPrinting/ps-printer-app.git
rpm -qa | grep -E "cups|pappl|print|hplip|gutenprint|ghostscript"
cups-2.4.12-3.fc42.x86_64
cups-browsed-2.1.1-4.fc42.x86_64
cups-client-2.4.12-3.fc42.x86_64
cups-devel-2.4.12-3.fc42.x86_64
cups-filesystem-2.4.12-3.fc42.noarch
cups-filters-2.0.1-3.fc42.x86_64
cups-filters-driverless-2.0.1-3.fc42.x86_64
cups-ipptool-2.4.12-3.fc42.x86_64
cups-libs-2.4.12-3.fc42.x86_64
ghostscript-10.05.0-1.fc42.x86_64
ghostscript-tools-fonts-10.05.0-1.fc42.noarch
ghostscript-tools-printing-10.05.0-1.fc42.noarch
gutenprint-5.3.5-5.fc42.x86_64
gutenprint-cups-5.3.5-5.fc42.x86_64
gutenprint-libs-5.3.5-5.fc42.x86_64
hplip-3.25.2-4.fc42.x86_64
hplip-common-3.25.2-4.fc42.x86_64
hplip-gui-3.25.2-4.fc42.x86_64
hplip-libs-3.25.2-4.fc42.x86_64
libchromaprint-1.5.1-24.fc42.x86_64
libcupsfilters-2.1.1-1.fc42.x86_64
libcupsfilters-devel-2.1.1-1.fc42.x86_64
pappl-1.4.9-1.fc42.x86_64
pappl-devel-1.4.9-1.fc42.x86_64
pappl-retrofit-1.0b2-7.fc42.x86_64
pappl-retrofit-devel-1.0b2-7.fc42.x86_64
ldd `which ps-printer-app` | grep -iE "ssl|crypt|tls"
libgnutls.so.30 => /lib64/libgnutls.so.30 (0x00007f4e5b800000)
libk5crypto.so.3 => /lib64/libk5crypto.so.3 (0x00007f4e5b67e000)
libcrypto.so.3 => /lib64/libcrypto.so.3 (0x00007f4e5a800000)
libssl.so.3 => /lib64/libssl.so.3 (0x00007f4e59104000)
libcrypt.so.2 => /lib64/libcrypt.so.2 (0x00007f4e58f11000)
from the WebUI, i see that TLS support is available; certs can be created.
i'm trying to config for use with my own SSL certs.
i defined host
grep ps-printer-app /etc/hosts
127.0.0.1 ps-printer-app.loc
getent hosts ps-printer-app.loc
127.0.0.1 ps-printer-app.loc
launch via systemd unit,
cat /etc/systemd/system/ps-printer-app.service
...
User=lp
Environment=PAPPL_LOGLEVEL=debug HOME=/var/lib/ps-printer-app
ExecStart=/usr/bin/ps-printer-app \
-o bind-address=127.0.0.1 \
-o server-port=8099 \
-o log-level=debug \
-o spool-directory=/var/lib/ps-printer-app/spool \
-o tls-required=true \
-o tls-cert-file=/var/lib/ps-printer-app/tls/ps-printer-app.loc.server.EC.crt.pem \
-o tls-key-file=/var/lib/ps-printer-app/tls/ps-printer-app.loc.server.EC.key.pem \
-o hostname=ps-printer-app.loc \
server
...
systemctl start ps-printer-app.service
ps -ef | grep ps-printer-app
lp 41431 1 0 21:41 ? 00:00:01 /usr/bin/ps-printer-app -o bind-address=127.0.0.1 -o server-port=8099 -o log-level=debug -o spool-directory=/var/lib/ps-printer-app/spool -o tls-required=true -o tls-cert-file=/var/lib/ps-printer-app/tls/ps-printer-app.loc.server.EC.crt.pem -o tls-key-file=/var/lib/ps-printer-app/tls/ps-printer-app.loc.server.EC.key.pem -o hostname=ps-printer-app.loc server
root 41709 27332 0 21:45 pts/2 00:00:00 grep ps-printer-app
where, my own EC cert,
openssl x509 -noout -text -in /var/lib/ps-printer-app/tls/ps-printer-app.loc.server.EC.crt.pem
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 5024 (0x13a0)
Signature Algorithm: ecdsa-with-SHA256
Issuer: C=US, ST=NY, O=example.com, OU=example.com_CA, CN=example.com_CA_INTERMEDIATE, [email protected]
Validity
Not Before: May 23 02:04:48 2025 GMT
Not After : May 21 02:04:48 2035 GMT
Subject: C=US, ST=NY, L=New_York, O=example.com, OU=example.com_CA, CN=ps-printer-app.loc, [email protected]
Subject Public Key Info:
Public Key Algorithm: id-ecPublicKey
Public-Key: (384 bit)
pub:
04:...:db
ASN1 OID: secp384r1
NIST CURVE: P-384
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Cert Type:
SSL Server
Netscape Comment:
example.com SERVER Certificate
X509v3 Subject Key Identifier:
D7:...:0B
X509v3 Authority Key Identifier:
keyid:D0:...:CD
DirName:/O=example.com/OU=example.com_CA/L=New_York/ST=NY/C=US/[email protected]/CN=example.com_CA_ROOT
serial:10:00
X509v3 Key Usage: critical
Digital Signature
X509v3 Extended Key Usage:
TLS Web Server Authentication
X509v3 Subject Alternative Name:
DNS:ps-printer-app.loc, DNS:www.ps-printer-app.loc
Signature Algorithm: ecdsa-with-SHA256
Signature Value:
30:...:32
openssl x509 -in ps-printer-app.loc.server.EC.crt.pem -noout -pubkey > cert.pub
openssl ec -in ps-printer-app.loc.server.EC.key.pem -pubout > key.pub
diff cert.pub key.pub
(empty -> MATCHED)
notice that a local .cups/ dir is created, but not (yet) populated.
cd /var/lib/ps-printer-app/
systemctl stop ps-printer-app.service
rm -rf .cups
systemctl restart ps-printer-app.service
tree .cups/
.cups/
└── ssl
2 directories, 0 files
nav to
https://ps-printer-app.loc:8099
as expected (self signed)
Warning: Potential Security Risk Ahead
ps-printer-app.loc:8099 uses an invalid security certificate.
The certificate is not trusted because it is self-signed.
Error code: MOZILLA_PKIX_ERROR_SELF_SIGNED_CERT
[Accept the Risk and Continue]
@ browser
400 - Bad Request
now, note the auto-creation of the crt/key pair,
pwd
/var/lib/ps-printer-app
tree .cups/
.cups/
└── ssl
├── myDesk.local.crt
└── myDesk.local.key
2 directories, 2 files
where
hostname -s
myDesk
nav to
https://127.0.0.1:8099/
similarly
Warning: Potential Security Risk Ahead
127.0.0.1:8099 uses an invalid security certificate.
The certificate is not trusted because it is self-signed.
Error code: MOZILLA_PKIX_ERROR_SELF_SIGNED_CERT
[Accept the Risk and Continue]
now @ "Configuration" screen in UI.
checking cert info in browser,
Certificate
myDesk.local
...
where
openssl x509 -noout -text -in /var/lib/ps-printer-app/.cups/ssl/myDesk.local.crt
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 1747966521 (0x682fda39)
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=US, CN=myDesk.local, O=myDesk.local, OU=Unknown, ST=Unknown, L=Unknown
Validity
Not Before: May 23 02:15:21 2025 GMT
Not After : May 21 02:15:21 2035 GMT
Subject: C=US, CN=myDesk.local, O=myDesk.local, OU=Unknown, ST=Unknown, L=Unknown
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:...:47
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints: critical
CA:FALSE
X509v3 Subject Alternative Name:
DNS:myDesk.local, DNS:localhost
X509v3 Extended Key Usage:
TLS Web Server Authentication
X509v3 Key Usage: critical
Digital Signature, Key Encipherment
X509v3 Subject Key Identifier:
69:...:4C
Signature Algorithm: sha256WithRSAEncryption
Signature Value:
66:...:fd
it's clearly happy enough with its own-generated TLS certs.
how do i get this to behave using my specific certs/keys & locations?
do i need config change? runtime, &/or @ build?
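
An added example, not part of the original post and not ps-printer-app code: a shell check that the key belongs to the configured certificate and that the listener presents that certificate for a given SNI name, compared by SHA-256 fingerprint. The function names are made up for illustration, and it generalizes the `openssl ec` comparison above by using `openssl pkey`, which covers RSA keys as well as EC.

```shell
#!/usr/bin/env bash
# Added example, not ps-printer-app code. Function names are made up here.

# SHA-256 fingerprint of a PEM certificate (file argument, or stdin if none).
cert_fp() {
  openssl x509 -in "${1:-/dev/stdin}" -noout -fingerprint -sha256 2>/dev/null | cut -d= -f2
}

# 0 if the private key belongs to the certificate, 1 if not, 2 if unreadable.
# "openssl pkey" handles EC and RSA alike, unlike "openssl ec".
key_matches_cert() {  # <cert.pem> <key.pem>
  local c k
  c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
  k=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
  [ "$c" = "$k" ]
}

# Leaf certificate the listener presents for a given SNI name, as PEM.
served_cert_pem() {  # <host> <port> <sni>
  openssl s_client -connect "$1:$2" -servername "$3" </dev/null 2>/dev/null |
    openssl x509 2>/dev/null
}

# 0 if the listener serves exactly <cert.pem>, 1 if it serves another
# certificate (its subject is printed), 2 if nothing could be compared.
served_matches_configured() {  # <host> <port> <sni> <cert.pem>
  local want got pem
  want=$(cert_fp "$4")
  pem=$(served_cert_pem "$1" "$2" "$3") || return 2
  got=$(printf '%s\n' "$pem" | cert_fp)
  [ -n "$want" ] && [ -n "$got" ] || return 2
  [ "$want" = "$got" ] && return 0
  printf '%s\n' "$pem" | openssl x509 -noout -subject
  return 1
}

# Usage: script <host> <port> <sni> <cert.pem> <key.pem>
if [ "$#" -eq 5 ]; then
  key_matches_cert "$4" "$5" || { echo "key does not match cert"; exit 1; }
  served_matches_configured "$1" "$2" "$3" "$4" && echo "configured cert is served"
fi
```

With the values from the post, the five arguments would be `127.0.0.1 8099 ps-printer-app.loc` followed by the `tls-cert-file` and `tls-key-file` paths from the unit file. A return of 1 with subject `myDesk.local` printed would confirm the listener is serving the auto-generated certificate rather than the configured one.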