Skip to content

fix(@stdlib/net/http2-secure-server): regenerate expired self-signed TLS test certificate#13454

Closed
Planeshifter wants to merge 1 commit into
developfrom
philipp/ci-fix-http2-secure-server-expired-cert-2026-07-13
Closed

fix(@stdlib/net/http2-secure-server): regenerate expired self-signed TLS test certificate#13454
Planeshifter wants to merge 1 commit into
developfrom
philipp/ci-fix-http2-secure-server-expired-cert-2026-07-13

Conversation

@Planeshifter

Copy link
Copy Markdown
Member

Description

What is the purpose of this pull request?

This pull request:

  • Fixes linux_test (Node.js v16) and macos_test (Node.js v16), which have failed on develop every scheduled run for the past month with Error [ERR_HTTP2_STREAM_CANCEL]: The pending stream has been canceled (caused by: certificate has expired) / code: 'CERT_HAS_EXPIRED'. Root cause: test/fixtures/localhost-cert.pem, the self-signed CN=localhost certificate the package's own test suite uses to spin up a real HTTP/2 TLS server, expired on 2025-09-15 (30-day validity). The sibling examples/localhost-cert.pem, used by the package's runnable example, had the same 30-day validity and was already expired too.
  • Regenerates both self-signed cert/key pairs (openssl req -x509 -newkey rsa:2048 -nodes -days 7300 -sha256 -subj "/CN=localhost"), preserving the original algorithm, key size, and subject, with a 20-year validity window to avoid this recurring. File names and paths are unchanged, so no other code needed updating.

Questions

Any questions for reviewers of this pull request?

No.

Other

Any other information relevant to this pull request? This may include screenshots, references, and/or implementation notes.

Failing run: https://github.com/stdlib-js/stdlib/actions/runs/29187749388 (macos_test; linux_test fails the same way on its Node.js v16 leg, e.g. https://github.com/stdlib-js/stdlib/actions/runs/29241732795).

Symptom: Error [ERR_HTTP2_STREAM_CANCEL]: The pending stream has been canceled (caused by: certificate has expired), code: 'CERT_HAS_EXPIRED', in the test case "the server will use a provided request listener".

Validation: no scripted or documented certificate-generation process exists in this package or elsewhere in the repo (this is the only cert/key fixture pair in stdlib), so the certs were regenerated directly with openssl. Verified: new cert/key pairs match (openssl x509 -pubkey vs openssl pkey -pubout); new certs are not expired and preserve the original 2048-bit RSA / sha256WithRSAEncryption / CN=localhost structure. Ran a live functional reproduction in this sandbox — a real http2.createSecureServer using the new test-fixtures cert/key, with a real http2 client connecting via ca: CERT — and confirmed a full request/response round-trip with no TLS error, exercising the exact failing test case. Reviewed in three passes: correctness (confirmed the fix resolves the failure and introduces no new TLS/hostname-verification risk — both old and new certs lack a SAN extension, which is a pre-existing, unchanged characteristic, not a regression), regression scope (confirmed exactly 4 files changed, no other package or file references these certs by fingerprint/serial/expiry, private test keys were already committed to the repo under the same pattern), and style/conventions (confirmed no established generation script was bypassed; confirmed fix is the correct commit type per docs/style-guides/git/README.md's mixed-type priority rule, since this repairs a functional break spanning both test/fixtures/ and examples/).

Reviewer notes

Non-blocking: no documented openssl invocation exists anywhere for regenerating these fixtures, so a future maintainer will have to reconstruct the command from this PR's commit message when these certs eventually need regenerating again (in ~20 years). Not addressed here to keep the fix minimal.

Checklist

Please ensure the following tasks are completed before submitting this pull request.

AI Assistance

When authoring the changes proposed in this PR, did you use any kind of AI assistance?

  • Yes
  • No

If you answered "yes" above, how did you use AI assistance?

  • Code generation (e.g., when writing an implementation or fixing a bug)
  • Test/benchmark generation
  • Documentation (including examples)
  • Research and understanding

Disclosure

If you answered "yes" to using AI assistance, please provide a short disclosure indicating how you used AI assistance. This helps reviewers determine how much scrutiny to apply when reviewing your contribution. Example disclosures: "This PR was written primarily by Claude Code." or "I consulted ChatGPT to understand the codebase, but the proposed changes were fully authored manually by myself.".

This PR was written primarily by Claude Code, investigating a GitHub Actions run failure and regenerating the affected certificate fixtures.


@stdlib-js/reviewers


Generated by Claude Code

…TLS test certificate

The jobs `linux_test` (Node.js v16) and `macos_test` (Node.js v16) have
failed on develop every scheduled run for the past month with:

  Error [ERR_HTTP2_STREAM_CANCEL]: The pending stream has been
  canceled (caused by: certificate has expired)
    code: 'CERT_HAS_EXPIRED'

Root cause: `test/fixtures/localhost-cert.pem`, the self-signed
CN=localhost certificate the package's own test suite uses to spin
up a real HTTP/2 TLS server, expired on 2025-09-15 (30-day validity).
The sibling `examples/localhost-cert.pem`, used by the package's
runnable example, had the same 30-day validity and was already
expired too.

This commit regenerates both self-signed cert/key pairs (openssl
req -x509 -newkey rsa:2048 -nodes -days 7300 -sha256
-subj "/CN=localhost"), preserving the original algorithm, key size,
and subject, but with a 20-year validity window to avoid this
recurring. File names and paths are unchanged, so no other code
needed updating.

Ref: https://github.com/stdlib-js/stdlib/actions/runs/29187749388
@stdlib-bot

Copy link
Copy Markdown
Contributor

Coverage Report

Package Statements Branches Functions Lines
net/http2-secure-server $\\color{red}413/418$
$\\color{green}+98.80\\%$
$\\color{red}48/50$
$\\color{green}+96.00\\%$
$\\color{red}5/6$
$\\color{green}+83.33\\%$
$\\color{red}413/418$
$\\color{green}+98.80\\%$

The above coverage report was generated for the changes in this PR.

@kgryte

kgryte commented Jul 13, 2026

Copy link
Copy Markdown
Member

I believe this is a duplicate PR.

Copy link
Copy Markdown
Member Author

Confirmed — #13330 already proposes the identical fix (same certificate regeneration). Closing this in favor of that one.


Generated by Claude Code

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

4 participants