fix(@stdlib/net/http2-secure-server): regenerate expired self-signed TLS test certificate#13454
Closed
Planeshifter wants to merge 1 commit into
Closed
Conversation
…TLS test certificate
The jobs `linux_test` (Node.js v16) and `macos_test` (Node.js v16) have
failed on develop every scheduled run for the past month with:
Error [ERR_HTTP2_STREAM_CANCEL]: The pending stream has been
canceled (caused by: certificate has expired)
code: 'CERT_HAS_EXPIRED'
Root cause: `test/fixtures/localhost-cert.pem`, the self-signed
CN=localhost certificate the package's own test suite uses to spin
up a real HTTP/2 TLS server, expired on 2025-09-15 (30-day validity).
The sibling `examples/localhost-cert.pem`, used by the package's
runnable example, had the same 30-day validity and was already
expired too.
This commit regenerates both self-signed cert/key pairs (openssl
req -x509 -newkey rsa:2048 -nodes -days 7300 -sha256
-subj "/CN=localhost"), preserving the original algorithm, key size,
and subject, but with a 20-year validity window to avoid this
recurring. File names and paths are unchanged, so no other code
needed updating.
Ref: https://github.com/stdlib-js/stdlib/actions/runs/29187749388
Contributor
Coverage Report
The above coverage report was generated for the changes in this PR. |
Member
|
I believe this is a duplicate PR. |
Member
Author
|
Confirmed — #13330 already proposes the identical fix (same certificate regeneration). Closing this in favor of that one. Generated by Claude Code |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Description
This pull request:
linux_test(Node.js v16) andmacos_test(Node.js v16), which have failed on develop every scheduled run for the past month withError [ERR_HTTP2_STREAM_CANCEL]: The pending stream has been canceled (caused by: certificate has expired)/code: 'CERT_HAS_EXPIRED'. Root cause:test/fixtures/localhost-cert.pem, the self-signedCN=localhostcertificate the package's own test suite uses to spin up a real HTTP/2 TLS server, expired on 2025-09-15 (30-day validity). The siblingexamples/localhost-cert.pem, used by the package's runnable example, had the same 30-day validity and was already expired too.openssl req -x509 -newkey rsa:2048 -nodes -days 7300 -sha256 -subj "/CN=localhost"), preserving the original algorithm, key size, and subject, with a 20-year validity window to avoid this recurring. File names and paths are unchanged, so no other code needed updating.Questions
No.
Other
Failing run: https://github.com/stdlib-js/stdlib/actions/runs/29187749388 (macos_test; linux_test fails the same way on its Node.js v16 leg, e.g. https://github.com/stdlib-js/stdlib/actions/runs/29241732795).
Symptom:
Error [ERR_HTTP2_STREAM_CANCEL]: The pending stream has been canceled (caused by: certificate has expired),code: 'CERT_HAS_EXPIRED', in the test case "the server will use a provided request listener".Validation: no scripted or documented certificate-generation process exists in this package or elsewhere in the repo (this is the only cert/key fixture pair in stdlib), so the certs were regenerated directly with
openssl. Verified: new cert/key pairs match (openssl x509 -pubkeyvsopenssl pkey -pubout); new certs are not expired and preserve the original 2048-bit RSA / sha256WithRSAEncryption /CN=localhoststructure. Ran a live functional reproduction in this sandbox — a realhttp2.createSecureServerusing the new test-fixtures cert/key, with a realhttp2client connecting viaca: CERT— and confirmed a full request/response round-trip with no TLS error, exercising the exact failing test case. Reviewed in three passes: correctness (confirmed the fix resolves the failure and introduces no new TLS/hostname-verification risk — both old and new certs lack a SAN extension, which is a pre-existing, unchanged characteristic, not a regression), regression scope (confirmed exactly 4 files changed, no other package or file references these certs by fingerprint/serial/expiry, private test keys were already committed to the repo under the same pattern), and style/conventions (confirmed no established generation script was bypassed; confirmedfixis the correct commit type perdocs/style-guides/git/README.md's mixed-type priority rule, since this repairs a functional break spanning bothtest/fixtures/andexamples/).Reviewer notes
Non-blocking: no documented
opensslinvocation exists anywhere for regenerating these fixtures, so a future maintainer will have to reconstruct the command from this PR's commit message when these certs eventually need regenerating again (in ~20 years). Not addressed here to keep the fix minimal.Checklist
AI Assistance
If you answered "yes" above, how did you use AI assistance?
Disclosure
This PR was written primarily by Claude Code, investigating a GitHub Actions run failure and regenerating the affected certificate fixtures.
@stdlib-js/reviewers
Generated by Claude Code