Many of us are seeing NS_ERROR_NET_INADEQUATE_SECURITY or similar browser error when going to https://$HOSTNAME:3808, which is where webpack assets are served. This is happening on new devel boxes.
I looked into this today and was able to come up with a hacky workaround:
My understanding is we are using HTTP/2 and the certs used don’t have the TLS requirements for HTTP/2 required by the browser. Switching to HTTP/1.1, which the above change does, “fixes” it.
It looks like webpack uses katello’s apache certs, assuming it’s still using $WEBPACK_OPTS from .env. However, even the self-signed ones that are generated by webpack are causing the same error (when you remove the cert arguments from webpack-dev-server but keep --https it will generate it’s own self-signed certificate).
I’m not sure what exactly changed - Did we start using HTTP/2 for webpack somehow? Something changed in the installer? Something expired in 2021?
This is where my investigation ends, but maybe someone has an idea of how to debug further so we can permanently fix this in the dev environment!
Thanks, I was looking for what actually made a change, such as using http 2 instead of 1.1, but I couldn’t find any changes in the npm packages touching this area. Though, it’s entirely possible something changed there given the amount of packages.
I think the best path forward is to upgrade webpack and either disabling http2 or figuring out the http2 security requirements and making sure we are filling them.