This is an automated email from the ASF dual-hosted git repository.

sbp pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/tooling-trusted-releases.git


The following commit(s) were added to refs/heads/main by this push:
     new d89e601  Remove localhost from the certificate generator and clarify 
the reasoning
d89e601 is described below

commit d89e601b6386d2c09070d023796d42a406caa14a
Author: Sean B. Palmer <[email protected]>
AuthorDate: Fri Jan 9 15:15:37 2026 +0000

    Remove localhost from the certificate generator and clarify the reasoning
---
 Makefile                       | 10 +++++-----
 atr/config.py                  |  2 +-
 atr/docs/running-the-server.md |  4 ++--
 docker-compose.yml             |  2 +-
 tests/docker-compose.yml       |  4 ++--
 5 files changed, 11 insertions(+), 11 deletions(-)

diff --git a/Makefile b/Makefile
index 2089f6b..d3c749b 100644
--- a/Makefile
+++ b/Makefile
@@ -41,7 +41,7 @@ certs:
        fi
 
 certs-local:
-       cd state && mkcert localhost.apache.org localhost 127.0.0.1 ::1
+       cd state && mkcert localhost.apache.org 127.0.0.1 ::1
 
 check:
        git add -A
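Review bot: The `+2` in `localhost.apache.org+2*.pem` is mkcert's count of extra SANs, so this one recipe line silently dictates the filenames hard-coded in run-alpine, serve and serve-local below (and in the docs), and every SAN edit like this one has to be chased through all of them. Pinning the output names removes that coupling: `cd state && mkcert -cert-file cert.pem -key-file key.pem localhost.apache.org 127.0.0.1 ::1`, after which the consumers can reference fixed names instead of a `+N` suffix (run-alpine's separate key/cert bind mounts would then likely be redundant, since `state/` is mounted whole). A developer with an existing `state/` also keeps the stale `+3` files next to the new ones, so a comment above the target such as `# mkcert names its output by SAN count; rerun this target after changing the list` would explain the rename. The same filename coupling applies to the run-alpine and serve/serve-local hunks of this file.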
@@ -88,8 +88,8 @@ run-alpine:
        docker run --rm --init --user "$$(id -u):$$(id -g)" \
          -p 8080:8080 -p 2222:2222 \
          -v "$$PWD/state:/opt/atr/state" \
-         -v 
"$$PWD/state/localhost.apache.org+3-key.pem:/opt/atr/state/key.pem" \
-         -v "$$PWD/state/localhost.apache.org+3.pem:/opt/atr/state/cert.pem" \
+         -v 
"$$PWD/state/localhost.apache.org+2-key.pem:/opt/atr/state/key.pem" \
+         -v "$$PWD/state/localhost.apache.org+2.pem:/opt/atr/state/cert.pem" \
          -e APP_HOST=localhost.apache.org:8080 -e 
SECRET_KEY=insecure-local-key \
          -e ALLOW_TESTS=1 -e SSH_HOST=0.0.0.0 -e BIND=0.0.0.0:8080 \
          tooling-trusted-release
@@ -102,13 +102,13 @@ run-playwright-slow:
 
 serve:
        SSH_HOST=127.0.0.1 uv run --frozen hypercorn --bind $(BIND) \
-         --keyfile localhost.apache.org+3-key.pem --certfile 
localhost.apache.org+3.pem \
+         --keyfile localhost.apache.org+2-key.pem --certfile 
localhost.apache.org+2.pem \
          atr.server:app --debug --reload --worker-class uvloop
 
 serve-local:
        APP_HOST=localhost.apache.org:8080 SECRET_KEY=insecure-local-key \
          ALLOW_TESTS=1 SSH_HOST=127.0.0.1 uv run --frozen hypercorn --bind 
$(BIND) \
-         --keyfile localhost.apache.org+3-key.pem --certfile 
localhost.apache.org+3.pem \
+         --keyfile localhost.apache.org+2-key.pem --certfile 
localhost.apache.org+2.pem \
          atr.server:app --debug --reload --worker-class uvloop
 
 sync:
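Review bot: The `--keyfile`/`--certfile` arguments in serve and serve-local carry no directory component, while `certs-local` writes the files into `state/`; unless hypercorn is started from inside `state/` (not visible in this hunk), these paths would need the `state/` prefix, as run-alpine already uses `$$PWD/state/…`. If `serve` is instead meant for a deployment where the certificate pair sits in the working directory, a one-line comment above the target saying so would save the next reader the same question. Worth confirming on a fresh clone, because after this commit the `+3` files no longer exist to mask a path mismatch.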
diff --git a/atr/config.py b/atr/config.py
index 41195a9..a455d82 100644
--- a/atr/config.py
+++ b/atr/config.py
@@ -45,7 +45,7 @@ def _config_secrets(key: str, state_dir: str, default: str | 
None = None, cast:
 
 class AppConfig:
     ALLOW_TESTS = decouple.config("ALLOW_TESTS", default=False, cast=bool)
-    APP_HOST = decouple.config("APP_HOST", default="localhost")
+    APP_HOST = decouple.config("APP_HOST", default="127.0.0.1")
     SSH_HOST = decouple.config("SSH_HOST", default="0.0.0.0")
     SSH_PORT = decouple.config("SSH_PORT", default=2222, cast=int)
     PROJECT_ROOT = os.path.dirname(os.path.dirname(os.path.abspath(__file__)))
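Review bot: The reasoning for preferring `127.0.0.1` over `localhost` lives only in running-the-server.md, which nobody reading this default will see; a comment on the changed line would keep it with the code, e.g. `# Loopback IP rather than "localhost": sidesteps the DNS-resolution issues noted in RFC 8252 §8.3 (see atr/docs/running-the-server.md).` Note also that every Makefile target sets APP_HOST with an explicit `:8080` port while this default has none; whether a port-less value is acceptable to whatever consumes APP_HOST cannot be told from this hunk. The `AppConfig` class continues past the end of the hunk.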
diff --git a/atr/docs/running-the-server.md b/atr/docs/running-the-server.md
index 757b86a..e287f4c 100644
--- a/atr/docs/running-the-server.md
+++ b/atr/docs/running-the-server.md
@@ -64,7 +64,7 @@ make certs-local
 make serve-local
 ```
 
-The `certs-local` step runs `mkcert localhost.apache.org localhost 127.0.0.1 
::1` to generate a locally trusted TLS certificate. If the certificate is not 
trusted, you may have to follow the [mkcert 
guide](https://github.com/FiloSottile/mkcert/blob/master/README.md) to resolve 
the issue.
+The `certs-local` step runs `mkcert localhost.apache.org 127.0.0.1 ::1` to 
generate a locally trusted TLS certificate. To avoid potential DNS resolution 
issues such as [those alluded to in RFC 
8252](https://datatracker.ietf.org/doc/html/rfc8252#section-8.3), we do not 
include `localhost`. If the certificate is not trusted, you may have to follow 
the [mkcert guide](https://github.com/FiloSottile/mkcert/blob/master/README.md) 
to resolve the issue.
 
 ATR requires TLS even for development because login is performed through the 
actual ASF OAuth server. This way, the development behavior aligns closely with 
the production behavior. We try to minimize differences between development and 
production environments.
 
@@ -74,7 +74,7 @@ ATR will then be served on various hosts, but we recommend 
using only `localhost
 
 [`https://localhost.apache.org:8080/`](https://localhost.apache.org:8080/)
 
-If you do not want to change your `/etc/hosts`, you can use `127.0.0.1`. You 
should not use `localhost`. The following link should work:
+If you do not want to change your `/etc/hosts`, you can use `127.0.0.1`. The 
following link should work:
 
 [`https://127.0.0.1:8080/`](https://127.0.0.1:8080/)
 
diff --git a/docker-compose.yml b/docker-compose.yml
index 64e7da5..0e4044f 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -20,7 +20,7 @@ services:
     ports:
       - 8080:8080
     healthcheck:
-      test: ["CMD", "curl", "-k", "-f", "https://localhost:8080/";]
+      test: ["CMD", "curl", "-k", "-f", "https://127.0.0.1:8080/";]
       interval: 2s
       timeout: 1s
       retries: 30
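Review bot: `curl -k` on the changed healthcheck line still disables certificate verification even though `127.0.0.1` is now in the certificate's SAN list, so the check reports healthy regardless of which certificate the server presents. If the mkcert root CA is available inside the container it could be mounted and passed via `--cacert` instead of `-k`; if it is not (likely, since mkcert installs its CA on the host), a short comment on the line explaining why `-k` is kept would stop the next reader from trying to remove it. The same line appears in both hunks of tests/docker-compose.yml.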
diff --git a/tests/docker-compose.yml b/tests/docker-compose.yml
index fd85a7c..7855176 100644
--- a/tests/docker-compose.yml
+++ b/tests/docker-compose.yml
@@ -12,7 +12,7 @@ services:
     networks:
       - test-network
     healthcheck:
-      test: ["CMD", "curl", "-k", "-f", "https://localhost:8080/";]
+      test: ["CMD", "curl", "-k", "-f", "https://127.0.0.1:8080/";]
       interval: 2s
       timeout: 1s
       retries: 30
@@ -35,7 +35,7 @@ services:
       - ../start-dev.sh:/opt/atr/start-atr.sh
       - atr-dev-state:/opt/atr/state
     healthcheck:
-      test: ["CMD", "curl", "-k", "-f", "https://localhost:8080/";]
+      test: ["CMD", "curl", "-k", "-f", "https://127.0.0.1:8080/";]
       interval: 2s
       timeout: 1s
       retries: 30

