HTTPS dev (with custom key/cert) broken after 1.0.0-next.168

[talgolan]

Describe the bug

svelte-kit dev --https does not work with user-configured key/cert after 1.0.0-next.168

Reproduction

https://github.com/talgolan/sveltekit-https-dev

SvelteKit HTTPS Example:

This respository is designed to demonstrate the following:

[ Via @sveltejs/kit: 1.0.0-next.168 ]

• Simplest possible configuration to allow for HTTPS development @ https://localhost:8080

[ Via @sveltejs/kit: 1.0.0-next.184 (any version > 168) ]

• BROKEN for HTTPS development @ https://localhost:8080

Assumption:

• Mac OS
• brew (https://brew.sh/) installed

Instructions (part 1):

1. git clone https://github.com/talgolan/sveltekit-https-dev.git
2. cd sveltekit-https-dev
3. npm install
4. npm run install_mkcert
5. Open browser @ https://localhost:8080

First observation:

• Notice "SvelteKit v1.0.0-next.168"
• When the browser opens (Chrome/Firefox/Safari) there will be no security warning.

Instructions (part 2):

1. ctrl-c
2. npm run switch
3. npm run dev
4. Open browser @ https://localhost:8080

Second observation:

• Notice "SvelteKit v1.0.0-next.184"
• When the browser opens (Chrome/Firefox/Safari) there will be an obvious security warning.

Instructions (part 3):

1. ctrl-c
2. npm run switch
3. npm run dev
4. Open browser @ https://localhost:8080

Third observation:

• Notice "SvelteKit v1.0.0-next.168"
• When the browser opens (Chrome/Firefox/Safari) the security warning is gone.

Final observation:

• SvelteKit v1.0.0-next.168 works for HTTPS development
• SvelteKit v1.0.0-next.184 (versions > v1.0.0-next.168) are not properly passing key/cert information.

Logs

No response

System Info

System:
    OS: macOS 11.6
    CPU: (8) x64 Intel(R) Core(TM) i7-8569U CPU @ 2.80GHz
    Memory: 178.17 MB / 16.00 GB
    Shell: 3.2.57 - /bin/bash
  Binaries:
    Node: 16.5.0 - ~/.nvm/versions/node/v16.5.0/bin/node
    npm: 7.19.1 - ~/.nvm/versions/node/v16.5.0/bin/npm
  Browsers:
    Chrome: 94.0.4606.81
    Firefox: 93.0
    Safari: 15.0
  npmPackages:
    @sveltejs/kit: 1.0.0-next.168 => 1.0.0-next.168
    svelte: ^3.43.2 => 3.43.2

Severity

blocking an upgrade

Additional Information

No response

[talgolan]

@benmccann: Here is the issue per your request.

[benmccann]

Thanks @talgolan! A couple clarifications:

• I'm assuming you also need to run npm run dev in "part 1"?
• Why are you suggesting to visit http://localhost:8080/? The default port for SvelteKit is different
• Are "part 1" and "part 3" testing anything different? They both look like they're testing version 168, but I didn't know if there's some other subtle difference between them that I might be missing

[talgolan]

@benmccann:

• In part 1, running npm run install_mkcert executes npm run dev for you.
• You will see in the package.json files that I specify port 8080. This is my convention.
• Yes. Parts 1 & 3 show things working at 168.

[benmccann]

I can't run install_mkcert because I'm on Linux and it assumes brew is installed. Could you update the repo to just check in the certificate files instead? Or do they need to be specific to the machine being run on?

[talgolan]

@benmccann: mkcert works on Linux.

Just follow the instructions here...

https://github.com/FiloSottile/mkcert

Jump to the Linux section.

You need to install certutil first.

FYI:

As you know, localhost gets special treatment by all OSs. mkcert not only simplifies the key/cert generation processes, it puts the certs into the correct browser "trusted stores."

I'm pretty sure once you install certutil (per the mkcert Linux instructions), you should be able to just run npm run install_mkcert.

If you run into any issues, just look at install_mkcert.sh. It is a painfully basic script.

[benmccann]

Ok. I finally got it working. I had to add -install to the script because it wasn't installing the cert. I also was trying to figure out why the browser was just hanging for the longest time and it's because I was going to http:// instead of https:// 😕 Hopefully now I can make some progress at looking at this

[talgolan]

Awesome. Thank you.

[benmccann]

I found a few different bugs:

• It looks like the --https option set to true is overriding the https options object from the config. I'm not sure if I'd consider that a bug or not. I suppose I'd lean towards yes, but it does make things more complicated. Vite doesn't seem to have an --https CLI option, so it's not an issue for them
• If no --https flag is provided, but there's an https config then it fails
• It's printing the wrong URL at start when there's no --https flag, but there is an https config

[talgolan]

What changed with respect to this at v168+?

[talgolan]

@benmccann: I just upgraded to 1.0.0-next.188 and everything is working as expected. Thank you!