26.15-alpha - daniel/furtka - Forgejo: Beyond coding. We Forge.

daniel/furtka

Fork 0

RSS feed

26.15-alpha e68ed279cc
26.15-alpha

All checks were successful

Build ISO / build-iso (push) Successful in 17m23s

Details

CI / lint (push) Successful in 27s

Details

CI / test (push) Successful in 1m2s

Details

CI / validate-json (push) Successful in 24s

Details

CI / markdown-links (push) Successful in 15s

Details

Release / release (push) Successful in 11m34s

Details

Pre-release

daniel released this 2026-04-21 19:30:04 +02:00 | 5 commits to main since this release
Fixed
- HTTPS is now opt-in; fresh installs no longer hit unbypassable
  SEC_ERROR_BAD_SIGNATURE. Every version since 26.5 shipped a
  Caddyfile with a __FURTKA_HOSTNAME__.local { tls internal } site
  block, so Caddy auto-generated a self-signed root CA + intermediate
  - leaf on first boot. That worked for first-time-ever users, but
    every reinstall (or second Furtka box on the same LAN) produced a
    new CA with the same intermediate CN (Caddy Local Authority - ECC Intermediate — Caddy hardcodes it). Any browser that had ever
    trusted an earlier Furtka CA got a cached intermediate with
    mismatched keys, then Firefox's cert lookup substituted the cached
    intermediate when validating the new box's leaf → the signature
    check failed → SEC_ERROR_BAD_SIGNATURE, which Firefox has no
    "Advanced → Accept Risk" bypass for.
  - Removed the hostname site block from the default Caddyfile.
    Fresh installs serve :80 only; visiting https://furtka.local
    now yields a clean connection-refused instead of the crypto
    fault.
  - Added top-level import /etc/caddy/furtka-https.d/*.caddyfile.
    The /settings HTTPS toggle (via furtka.https.set_force_https)
    now writes TWO snippets atomically — the top-level hostname +
    tls internal block (enables :443) and the :80-scoped
    redirect (forces HTTP → HTTPS) — and removes both on disable.
    Caddy reloads after the pair-swap; failure rolls both back.
  - Webinstaller creates /etc/caddy/furtka-https.d/ during
    post-install alongside the existing furtka.d/.
  - updater._refresh_caddyfile runs a 26.14 → 26.15 migration: if
    the box already had the redirect snippet on disk (user had
    explicitly enabled "Force HTTPS" under the old regime), the
    migration also writes the new listener snippet so HTTPS keeps
    working across the upgrade.
- status.force_https now reads the listener snippet, not the
  redirect snippet. A lone redirect without a :443 listener
  wouldn't actually serve HTTPS, so the listener file is the
  authoritative "HTTPS is on" signal. The UI on /settings sees the
  correct state as a result.
Known remaining UX wart: a browser that trusted a previous Furtka box
still sees BAD_SIGNATURE when visiting this box's https:// after
enabling HTTPS here — the fixed intermediate CN is a Caddy-side
limitation we can't fix from Furtka. Fresh installs on a browser that
never visited another Furtka box work correctly. Workaround:
about:networking#sts → Forget → clear cert9.db.
Downloads
- Source code (ZIP)
  1 download
- Source code (TAR.GZ)
  1 download
- furtka-26.15-alpha.iso
  2 downloads · 1.4 GiB
- furtka-26.15-alpha.tar.gz
  4 downloads · 60 KiB
- furtka-26.15-alpha.tar.gz.sha256
  2 downloads · 92 B
- release.json
  1 download · 173 B

13 releases 15 tags

Fixed