(sirv-cli) HTTP/2 instructions

[longrunningprocess]

Following the README instructions for HTTP/2 (and ssl) I still receive an error on the site:

That makes sense to me because I never did anything like a mkcert -install to get it into my local, system authority.

Is there a step missing here?

[longrunningprocess]

fwiw, this worked for me on macOS Catalina:

mkcert -install

mkcert -key-file key.pem -cert-file cert.pem localhost 127.0.0.1

https://github.com/FiloSottile/mkcert

then of course updating the start-up command to sirv dist --dev --host 0.0.0.0 --port 8443 --single --http2 --key key.pem --cert cert.pem

[lukeed]

That shouldn't be an error. It may appear as a broken lock for you, but it's still valid and will serve your HTTPS traffic.

Honestly, it's going to vary from system to system. For both of my machines, the README instructions produce a verified SSL cert pair (no warning, no broken lock), but that's likely to do with settings inherited elsewhere.

Closing this for now, but I'd accept a PR to the README with an additional, alternative openssl command. I've not used mkcert before.

Thanks!

[longrunningprocess]

just to make sure I'm explaining the issue clearly, this is about the "third party", the Certificate Authority as I understand it. The cert that openssl or mkcert generate are good pairs and not the issue here...it's about the browser not allowing traffic to the server because there's no CA...with the mkcert -install it actually loads the cert into the local or system CA. I believe you must have both parts to make it work, the CA and the cert.

Maybe it's Chrome that's enforcing the third party requirement or maybe it's a new security measure for all browsers and if you were to set your environment up again using those instructions in the README, I believe you'd see they're not sufficient anymore.

At any rate, I can make a quick PR to the README with a reference to my instructions above.

[cswkim]

On macOS 10.15.5 and Chrome 83.0.4103.106, I've used mkcert to install a local CA and create a key and cert file. I have a package.json script command:

"start:dev": "sirv public --http2 --host 0.0.0.0 --key relative/path/to/key/file.pem --cert relative/path/to/cert/file.pem"

I'm getting ERR_SSL_PROTOCOL_ERROR, This site can’t provide a secure connection messages. Where do you place the key and cert files for sirv? I put mine in a folder that is the same directory as the package.json file. How do you define the paths?

[longrunningprocess]

if I'm understanding you right, I put the in the same place.

package.json

    "serve:https"  : "sirv dist --dev --host 0.0.0.0 --port 8443 --single --http2 --key key.pem --cert cert.pem"

I see a couple of differences in our sirv options, maybe that's it?

Also, I access my localhost with https://localhost:8443

[lukeed]

Yes if they're siblings to your package.json file, then it should be

sirv public --http2 --host 0.0.0.0 --key key.pem --cert cert.pem

The only flags that matter here are --http2, --key, and --cert

[cswkim]

Something must be wrong with the key and cert files generated by mkcert, I cannot get around the error. Thanks for the help.

[longrunningprocess]

bummer, sorry man...I'm on the same OS and Chrome version as you and I just did this and it worked fine...

you're certain to gave the mkcert -key-file key.pem -cert-file cert.pem localhost 127.0.0.1 the same host that you're accessing it through locally?

[cswkim]

Ah oops. I started a svelte project using this repo and it had a pretty old version of sirv-cli (^0.4.4). I just upgraded to the latest (1.0.1) and ssl works now.

[longrunningprocess]

Phew! I'm glad you're up and running again!

[lukeed]

Nice :) Yeah there are PRs open on Sapper and the templates

[jmakeig]

See also sveltejs/template#128.