Errors while and after using http2

[mike-lischke]

Describe the bug Enabling http2 in the wmr config causes an error and then prevents normal http to work afterwards.

To Reproduce

In an attempt to make the dev server using https (for which I couldn't find any documentation) I experimented with the http2 setting (wmr.config.ts):

import { defineConfig } from 'wmr';

// Full list of options: https://wmr.dev/docs/configuration
export default defineConfig((options) => {
    return {
        alias: {
            react: 'preact/compat',
            'react-dom': 'preact/compat'
        },
        out: "build",
        host: "localhost",
        port: 3301,
        http2: true,
        sourcemap: true,
        debug: true,
    };
});

With that I ran my npm script dev:

"dev": "wmr start",

which asked me for a password (without explaining why's that needed) and then failed:

Password:
Unable to create HTTP2 server, falling back to HTTP1:
Error: Command failed: openssl req -new -x509 -config /Users/mike/Downloads/Test/wmr/node_modules/openssl-configurations/certificate-authority-self-signing.conf -key /var/folders/03/gj5f1gl92w11zc3l2c526dnm0000gn/T/tmp-9362CpF75xdGDPVv.tmp -out /Users/mike/Library/Application Support/devcert/certificate-authority/certificate.cert -days 825
error on line -1 of /Users/mike/Downloads/Test/wmr/node_modules/openssl-configurations/certificate-authority-self-signing.conf
8137630976:error:02FFF002:system library:func(4095):No such file or directory:/AppleInternal/Library/BuildRoots/810eba08-405a-11ed-86e9-6af958a02716/Library/Caches/com.apple.xbs/Sources/libressl/libressl-3.3/crypto/bio/bss_file.c:122:fopen('/Users/mike/Downloads/Test/wmr/node_modules/openssl-configurations/certificate-authority-self-signing.conf', 'rb')
8137630976:error:20FFF080:BIO routines:CRYPTO_internal:no such file:/AppleInternal/Library/BuildRoots/810eba08-405a-11ed-86e9-6af958a02716/Library/Caches/com.apple.xbs/Sources/libressl/libressl-3.3/crypto/bio/bss_file.c:125:
8137630976:error:0EFFF072:configuration file routines:CRYPTO_internal:no such file:/AppleInternal/Library/BuildRoots/810eba08-405a-11ed-86e9-6af958a02716/Library/Caches/com.apple.xbs/Sources/libressl/libressl-3.3/crypto/conf/conf_def.c:200:

  👩‍🚀 WMR dev server running at:

  Local:   http://localhost:3301
  Network: (disabled, see --host)

This wouldn't be a big issue if this call had not changed something which now prevents to connect to the server from Chrome and Safari (only Brave works), which prints a ERR_CONNECTION_REFUSED error.

Expected behavior

There are actually 3 points here:

• Help users to set up https.
• Help users with errors when enabling http2.
• Make sure standard setup does not get broken in case of errors in the http2 setup.

Bug occurs with:

• [x] wmr or wmr start (development)
• [ ] wmr build (production)
• [ ] wmr serve

Desktop (please complete the following information):

• OS: macOS 13.0.1
• Browser: Chrome, Safari and Firefox fail, Brave works
• Node Version: 16.18.1
• WMR Version: 3.8.0

Additional context

I'm currently evaluating wmr to switch over our current React application, but am pretty much blocked by the leftovers from the http2 attempt. So I would much appreciate a way to clean up and get at least http access back.

Many thanks, Mike

[rschristian]

Possibly a duplicate of #252?

which asked me for a password (without explaining why's that needed)

WMR uses devcert to try to help set up HTTPS as it's usually a pain to do correctly & manually. This means creating a CA and registering it with your OS.

While I have my, opinions, about this process and using devcert, that's what it's doing. I'm guessing there's now a half-baked cert registered with your CA that's causing issues, but not positive. Asking on their tracker might get you better help.

I'm currently evaluating wmr to switch over our current React application

I should warn, WMR hasn't seen any (real) development in well over a year now. I (amongst others) do still use it, but it has a fair number of rough edges and can sometimes require some "maintainer's knowledge" to wield optimally. Just want to make that clear.

It can still be viable, but bug fixes are unlikely to happen.

[mike-lischke]

That's great information @rschristian! Should help us to evaluate the right tool to use.

I found that other issue when I searched for "http2" and also tried installing "devcert", but to no avail.

Now I wonder how to get back my system to the state before trying http2. I would like to avoid restoring the system from Time Machine.

[rschristian]

Apologies, I'm not a Mac user so can't give great instructions, but this seems to be what devcert is doing:

https://github.com/davewasmer/devcert/blob/0638b157c156c41577e0bc0527ec946b2aed33c7/src/platforms/darwin.ts#L22-L46

I'm wondering (hoping) it's as easy as just running a "remove-trusted-cert" or if it's a file you can directly edit if needs be to get that localhost cert gone that's causing you issues.

Re: Build tools, Vite, Astro, and Fresh are all excellent and support Preact (Fresh being a Preact-specific framework). I know you've tested out preact-cli earlier this week and directly because of that I'm pushing to remove it as a recommended tool. Apologies for our tooling being a bit of a mess at the moment, we're figuring some things out.

[mike-lischke]

Actually, I can remove certs using the keychain app. Just need to know which one, to avoid making the situation even worse :-)

Many thanks for trying to help here. Much appreciated! Yes, I tried preact-cli but found it too heavy. We want to have a really light-weight setup, doing all configuration ourselves etc. so I decided to start from scratch. But I am not yet set on a specific build tool. I'll try what you recommended!

[rschristian]

Linux brain, I immediately jump to editing some config file or running the command in reverse :-)

AFAIK we don't set any name or anything, just ask it to create a cert for the hostname. Any chance you just have the one for localhost?

https://github.com/preactjs/wmr/blob/729ed8a7fa8b418790fb4bf91c06d9eb36d31dce/packages/wmr/src/lib/http2.js#L6

[mike-lischke]

I cleaned up a bit but still get the error. However, I wonder how a certificate can influence the http connection? Isn't that only used for https?

Interesting also that (at least for the Firefox setup) brew is used, which means it should be installed (one cannot rely on that) and it's broken on my M1 CPU, so I cannot use it anyway.

[rschristian]

Honestly, I'm not sure. It doesn't seem that far-fetched to me that a browser would refuse a connection if it suspects some certificate tomfoolery going on (as unfortunately local HTTPS necessitates). I don't really know enough about that.

Interesting also that (at least for the Firefox setup) brew is used, which means it should be installed (one cannot rely on that) and it's broken on my M1 CPU, so I cannot use it anyway.

Indeed! Additionally, one of the reasons I'm not a fan of devcert is that it assumes Linux == Debian, which, er, is not an ideal assumption. I had to do a lot of patching originally to get it working on an Arch-based system: https://github.com/preactjs/wmr/issues/252#issuecomment-774637567

[developit]

@mike-lischke any chance you've tried restarting Chrome? This could be HSTS pinning - either restart Chrome, or go to chrome://net-internals/#hsts and enter localhost into the "Delete domain security policies" section at the bottom.

As for DevCert, last time I used it was before the M1's arrived. We may also be on an old version?

[mike-lischke]

@developit Unfortunately this didn't help.

In the meantime I jumped over to Vite and found this a great combination with Preact. So I think we can close this issue.

Thank you guys!