Katello (maybe Foreman too?) dev server browser error workaround

Many of us are seeing NS_ERROR_NET_INADEQUATE_SECURITY or similar browser error when going to https://$HOSTNAME:3808, which is where webpack assets are served. This is happening on new devel boxes.

I looked into this today and was able to come up with a hacky workaround:

My understanding is we are using HTTP/2 and the certs used don’t have the TLS requirements for HTTP/2 required by the browser. Switching to HTTP/1.1, which the above change does, “fixes” it.

It looks like webpack uses katello’s apache certs, assuming it’s still using $WEBPACK_OPTS from .env. However, even the self-signed ones that are generated by webpack are causing the same error (when you remove the cert arguments from webpack-dev-server but keep --https it will generate it’s own self-signed certificate).

I’m not sure what exactly changed - Did we start using HTTP/2 for webpack somehow? Something changed in the installer? Something expired in 2021?

This is where my investigation ends, but maybe someone has an idea of how to debug further so we can permanently fix this in the dev environment! :hammer_and_wrench:

6 Likes

webpack-dev-server does have an option to disable http2, but it’s not present in the version we use :cry:

Is it time to upgrade our webpack-dev-server and mainly… webpack? xD

2 Likes

Thanks for the workaround tho, it’s very annoying :slight_smile:

Ideally yes :smile:

If we can come up with a solution or better workaround for this version that would be ideal, I’m not sure how long that would take to upgrade webpack. :thinking:

I got a different error code and this solved it, adding it here in case someone will search for it:

ERR_HTTP2_INADEQUATE_TRANSPORT_SECURITY

Thanks John for the fix!

3 Likes

@installer Were there any changes in the installer (e.g. apache) that would affect this area?

I doubt it. Webpack is serving traffic directly (at least if you’re talking about the dev box) so it’s solely responsible for HTTPS and its ciphers.

My bet would be that the webpack version we’re on is just too old and browsers have gotten stricter about security.

1 Like

Thanks, I was looking for what actually made a change, such as using http 2 instead of 1.1, but I couldn’t find any changes in the npm packages touching this area. Though, it’s entirely possible something changed there given the amount of packages.

I think the best path forward is to upgrade webpack and either disabling http2 or figuring out the http2 security requirements and making sure we are filling them.

1 Like

Sorry about the hack… but as this seem to be the only solution for now,
I created a fork of webpack-dev-server in GitHub - laviro/webpack-dev-server-without-h2: Serves a webpack app. Updates the browser on changes. Documentation https://webpack.js.org/configuration/dev-server/.

which do exactly what @John_Mitsch suggested, remove the h2 protocol from the defaults.
here is the foreman PR that will make devs life a bit easier: Fixes #32437 - fix webpack-dev-server h2 issue by laviro · Pull Request #8475 · theforeman/foreman · GitHub

I don’t see this as a final solution, but at least it will give us some air while upgrading webpack