daniel/furtka
1
1
Fork 0
Code Issues 1 Pull requests Projects 1 Releases 13 Packages Wiki Activity Actions
furtka/tests
History
Daniel Maksymilian Syrnicki 8fbe67ffb9
Some checks failed
Build ISO / build-iso (push) Waiting to run
Details
CI / lint (push) Failing after 2m11s
Details
CI / test (push) Successful in 2m8s
Details
CI / validate-json (push) Successful in 55s
Details
CI / markdown-links (push) Successful in 25s
Details
Deploy site / deploy (push) Successful in 8s
Details
fix(https): restore TLS handshake — name hostname + correct PKI path 
Closes #10. Two linked bugs in 26.4-alpha's Phase 1 HTTPS made the
force-HTTPS toggle fatal: every SNI handshake on :443 died with
SSL_ERROR_INTERNAL_ERROR_ALERT, so the toggle redirected users from
working HTTP to broken HTTPS.

Root cause 1: bare `:443 { tls internal }` gives Caddy no hostname to
issue a leaf cert for, so /var/lib/caddy/certificates/ stayed empty and
Caddy sent TLS `internal_error` on every handshake. Fix: the :443 block
is now `__FURTKA_HOSTNAME__.local, __FURTKA_HOSTNAME__ { tls internal }`,
with the marker substituted by webinstaller/app.py at install time and
by furtka.updater._refresh_caddyfile on self-update (reads /etc/hostname,
falls back to "furtka"). `auto_https disable_redirects` keeps Caddy's
built-in redirect out of the way of the /settings toggle.

Root cause 2: furtka/https.py and the /rootCA.crt handler both referenced
/var/lib/caddy/.local/share/caddy/pki/authorities/local/ — a path that
doesn't exist. caddy.service sets XDG_DATA_HOME=/var/lib, so Caddy's
storage is /var/lib/caddy/ directly. Fix: both paths corrected.

Verified on the 192.168.178.110 smoke VM by swapping the Caddyfile in,
reloading, handshaking, restoring: TLS 1.3 handshake succeeds, leaf cert
issued under /var/lib/caddy/certificates/local/, /rootCA.crt returns 200.

Tests: new cases assert the Caddyfile ships the hostname placeholder,
the webinstaller substitutes it, _refresh_caddyfile re-substitutes from
/etc/hostname on update, and the asset sets auto_https disable_redirects.
Unit tests still stub the Caddy reload — the real handshake regression
needs a smoke-VM integration test (follow-up, separate from this fix).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-20 11:39:48 +02:00
..
test_api.py feat(furtka): Furtka-updates card on /settings + API endpoints 2026-04-16 13:44:34 +02:00
test_app.py feat(furtka): serve from /opt/furtka/current, retire /srv/furtka/www/ 2026-04-16 13:15:59 +02:00
test_cli.py feat(furtka): reconciler + install/remove — slice 2 2026-04-15 10:02:00 +02:00
test_drives.py feat(webinstaller): plain-English drive picker on step 2 2026-04-16 12:01:57 +02:00
test_https.py feat(https): local HTTPS via Caddy tls internal + opt-in redirect toggle 2026-04-17 12:19:06 +02:00
test_installer.py feat(furtka): in-browser app settings + ISO recovery-path fixes 2026-04-15 13:00:02 +02:00
test_manifest.py feat(furtka): in-browser app settings + ISO recovery-path fixes 2026-04-15 13:00:02 +02:00
test_reconciler.py fix(furtka): audit follow-ups — placeholder secrets, isolate reconcile, .env perms 2026-04-15 10:17:00 +02:00
test_scanner.py feat(furtka): resource-manager skeleton — manifest, scanner, CLI 2026-04-15 09:59:41 +02:00
test_updater.py fix(https): restore TLS handshake — name hostname + correct PKI path 2026-04-20 11:39:48 +02:00
test_webinstaller_assets.py fix(https): restore TLS handshake — name hostname + correct PKI path 2026-04-20 11:39:48 +02:00