Support configuring the puma server to use SSL #2028

Merged
merged 1 commit into from May 8, 2018

@twalpole
Collaborator

twalpole commented May 1, 2018

This supports configuring the puma server to use SSL via setting Capybara.server along the lines of

Capybara.server = :puma, { Host: "ssl://#{Capybara.server_host}?key=<key_file>&cert=<cert_file>" }

It should work with other server types that are configured to run SSL too

@twalpole twalpole force-pushed the ssl_support branch from 89b4d9c to 55803b7 May 1, 2018

@skryshi

skryshi commented May 2, 2018

I can verify that Capybara does start puma server in ssl mode, but then it hangs for a long time and eventually errors out with: Net::ReadTimeout

My rails_helper.rb:

Capybara.app_host = "https://www-test.localhost.local:3200"
Capybara.asset_host = "https://www-test.localhost.local:3200"
Capybara.server_host = "www-test.localhost.local"
Capybara.server_port = "3200"

Capybara.server = :puma, { Host: "ssl://#{Capybara.server_host}:#{Capybara.server_port}?key=#{ENV['SSL_KEY_PATH']}&cert=#{ENV['SSL_CERT_PATH']}" }
Capybara.javascript_driver = :selenium_chrome

Capybara output:

Capybara starting Puma...
* Version 3.11.4 , codename: Love Song
* Min threads: 0, max threads: 4
* Listening on ssl://www-test.localhost.local:3200?key=/usr/local/ssl/localhost.key&cert=/usr/local/ssl/localhost.crt

@twalpole

Collaborator

twalpole commented May 2, 2018

@skryshi The only real differences I see between your config and what the added test in this PR does are

  1. You're specifying the server_port both directly (which should be an integer not a string) and in the puma Host config. Do you have a specific reason for needing to do that?

  2. You're specifying app_host which shouldn't be necessary, do you have a specific reason for doing that?

What code location is the Net::ReadTimeout error being generated from?

You also may need to specify a valid ca in the puma Host config if you haven't configured whatever driver you're using not to validate certs

One other issue with your config which shouldn't be affecting this is specifying asset_host as the same location as 'app_host' - it kind of defeats the whole purpose of asset_host.

@skryshi

skryshi commented May 2, 2018

@twalpole I commented out my Capybara app_host, server_host, server_port configs in rails_helper.rb, but that changed nothing.

But this:

You also may need to specify a valid ca in the puma Host config if you haven't configured whatever driver you're using not to validate certs

Could be it. I am using a self signed certificate that could be causing puma to hiccup. In development environment I get around that by specifying verify_mode: 'none' in puma.rb. How do I pass that option to puma in Capybara.server setting?

Net::ReadTimeout trace:

      # /Users/arman/.rvm/gems/ruby-2.4.3/gems/webmock-3.4.0/lib/webmock/http_lib_adapters/net_http.rb:97:in `block in request'
      # /Users/arman/.rvm/gems/ruby-2.4.3/gems/webmock-3.4.0/lib/webmock/http_lib_adapters/net_http.rb:105:in `block in request'
      # /Users/arman/.rvm/gems/ruby-2.4.3/gems/webmock-3.4.0/lib/webmock/http_lib_adapters/net_http.rb:137:in `start_with_connect_without_finish'
      # /Users/arman/.rvm/gems/ruby-2.4.3/gems/webmock-3.4.0/lib/webmock/http_lib_adapters/net_http.rb:104:in `request'
      # /Users/arman/.rvm/gems/ruby-2.4.3/bundler/gems/capybara-55803b792a16/lib/capybara/server.rb:88:in `block in responsive?'
      # /Users/arman/.rvm/gems/ruby-2.4.3/gems/webmock-3.4.0/lib/webmock/http_lib_adapters/net_http.rb:123:in `start_without_connect'
      # /Users/arman/.rvm/gems/ruby-2.4.3/gems/webmock-3.4.0/lib/webmock/http_lib_adapters/net_http.rb:150:in `start'
      # /Users/arman/.rvm/gems/ruby-2.4.3/bundler/gems/capybara-55803b792a16/lib/capybara/server.rb:88:in `responsive?'
      # /Users/arman/.rvm/gems/ruby-2.4.3/bundler/gems/capybara-55803b792a16/lib/capybara/server.rb:120:in `boot'
      # /Users/arman/.rvm/gems/ruby-2.4.3/bundler/gems/capybara-55803b792a16/lib/capybara/session.rb:87:in `initialize'
      # /Users/arman/.rvm/gems/ruby-2.4.3/bundler/gems/capybara-55803b792a16/lib/capybara.rb:298:in `new'
      # /Users/arman/.rvm/gems/ruby-2.4.3/bundler/gems/capybara-55803b792a16/lib/capybara.rb:298:in `current_session'
      # /Users/arman/.rvm/gems/ruby-2.4.3/bundler/gems/capybara-55803b792a16/lib/capybara/dsl.rb:46:in `page'
      # /Users/arman/.rvm/gems/ruby-2.4.3/bundler/gems/capybara-55803b792a16/lib/capybara/dsl.rb:51:in `block (2 levels) in <module:DSL>'
@skryshi

skryshi commented May 2, 2018

No, it wasn't the verify_mode. I figured I can specify it with:

Capybara.server = :puma, { Host: "ssl://#{Capybara.server_host}?key=#{ENV['SSL_KEY_PATH']}&cert=#{ENV['SSL_CERT_PATH']}&verify_mode=none" }

But it still errors out. Now I am out of ideas :(

@twalpole

Collaborator

twalpole commented May 2, 2018

@skryshi You shouldn't need to set the verify mode for puma -- it would be the browser that might need to be set to ignore cert errors, although you should see an error in the console if that was the case. From the stacktrace it looks like it could be something to do with webmock and/or Net::HTTP timeout settings changes. Are you changing any of the default Net::HTTP timeouts, and can you try disabling/removing WebMock to see if the SSL connects then.

@twalpole twalpole closed this May 2, 2018

@twalpole twalpole reopened this May 2, 2018

@twalpole

Collaborator

twalpole commented May 2, 2018

@skryshi I've also added a few extra puts to this PR - so if you could update and try again it may give us a better idea of what's going on.

@skryshi

skryshi commented May 3, 2018

@twalpole Thank you for investing time into this! I get:

attempting http connection to 127.0.0.1:64942
Got Exception: Errno::ECONNREFUSED
attempting http connection to 127.0.0.1:64942
Got Exception: Errno::ECONNREFUSED
Capybara starting Puma...

* Version 3.11.4 , codename: Love Song
* Min threads: 0, max threads: 4
* Listening on ssl://127.0.0.1:64942?key=/usr/local/ssl/localhost.key&cert=/usr/local/ssl/localhost.crt
attempting http connection to 127.0.0.1:64942
Got Exception: Net::ReadTimeout
attempting http connection to 127.0.0.1:64942
Got Exception: Net::ReadTimeout
F

Seems that Capybara is trying to connect over HTTP. How do I tell it to use HTTPS?

@twalpole

Collaborator

twalpole commented May 3, 2018

@skryshi in my setup the attempted http connection gets an EOFError which will cause a failover to attempting an https connection. In your case you’re getting a Net::ReadTimeout which doesn’t currently cause a failover. I would like to understand why you’re getting that rather than just adding it as another failover error. Did you try removing webmock? And have you modified any of the Net::HTTP timeouts?

@skryshi

skryshi commented May 3, 2018

@twalpole I haven't touched Net::HTTP anywhere in my project. Removing webmock gives the same results:

attempting http connection to 127.0.0.1:52095
Got Exception: Errno::ECONNREFUSED
attempting http connection to 127.0.0.1:52095
Capybara starting Puma...Got Exception: Errno::ECONNREFUSED

* Version 3.11.4 , codename: Love Song
* Min threads: 0, max threads: 4
* Listening on ssl://127.0.0.1:52095?key=/usr/local/ssl/localhost.key&cert=/usr/local/ssl/localhost.crt
attempting http connection to 127.0.0.1:52095
Got Exception: Net::ReadTimeout
F
Failures:

1) Email Sign Up with new email 
 Failure/Error: visit new_user_registration_path
 
 Net::ReadTimeout:
   Net::ReadTimeout
 # /Users/arman/.rvm/gems/ruby-2.4.3/bundler/gems/capybara-aac927e53dc0/lib/capybara/server.rb:89:in `block in responsive?'
 # /Users/arman/.rvm/gems/ruby-2.4.3/bundler/gems/capybara-aac927e53dc0/lib/capybara/server.rb:89:in `responsive?'
 # /Users/arman/.rvm/gems/ruby-2.4.3/bundler/gems/capybara-aac927e53dc0/lib/capybara/server.rb:125:in `boot'
 # /Users/arman/.rvm/gems/ruby-2.4.3/bundler/gems/capybara-aac927e53dc0/lib/capybara/session.rb:87:in `initialize'
 # /Users/arman/.rvm/gems/ruby-2.4.3/bundler/gems/capybara-aac927e53dc0/lib/capybara.rb:298:in `new'
 # /Users/arman/.rvm/gems/ruby-2.4.3/bundler/gems/capybara-aac927e53dc0/lib/capybara.rb:298:in `current_session'
 # /Users/arman/.rvm/gems/ruby-2.4.3/bundler/gems/capybara-aac927e53dc0/lib/capybara/dsl.rb:46:in `page'
 # /Users/arman/.rvm/gems/ruby-2.4.3/bundler/gems/capybara-aac927e53dc0/lib/capybara/dsl.rb:51:in `block (2 levels) in <module:DSL>'
 # ./spec/features/authentication_pages_spec.rb:69:in `block (3 levels) in <top (required)>'

I don't think catching Net::ReadTimeout will work, because that timeout happens after several minutes. It would be impossibly slow to run the tests then. Wouldn't it be better to have a setting, eg. Capybara.use_ssl = true that I can set in config?

@twalpole

Collaborator

twalpole commented May 3, 2018

I can set the read timeout for the specific request - so it shouldn't have to wait minutes - but I would really like to know why your setup is raising that error rather than EOFError
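The probe-and-failover behaviour discussed in the comments above (plain HTTP first, HTTPS after an EOFError, and a short per-request read timeout so that Net::ReadTimeout can also trigger the failover), as an added Ruby example; it is not Capybara's code and not part of any comment. `probe_scheme`, `self_signed` and `start_tls_listener` are hypothetical names, and the certificate and listener are constructed fixtures so the example runs offline.

```ruby
require "net/http"
require "openssl"
require "socket"

# EOFError and Net::ReadTimeout come from the thread; the other two are assumptions.
FAILOVER = [EOFError, Net::ReadTimeout, Errno::ECONNRESET, Net::HTTPBadResponse].freeze

# Hypothetical helper: :http, :https or :down; the TLS attempt trusts only ca_cert.
def probe_scheme(host, port, ca_cert, timeout: 2)
  store = OpenSSL::X509::Store.new.add_cert(ca_cert)
  [{ use_ssl: false }, { use_ssl: true, cert_store: store }].each do |tls|
    opts = tls.merge(open_timeout: timeout, read_timeout: timeout)
    Net::HTTP.start(host, port, nil, opts) { |http| http.get("/") } # nil: no proxy
    return tls[:use_ssl] ? :https : :http
  rescue *FAILOVER # a listener exists but does not speak this scheme; try the next
  rescue Errno::ECONNREFUSED, OpenSSL::SSL::SSLError, Net::OpenTimeout
    return :down
  end
  :down
end

# Constructed fixture: self-signed certificate valid for 127.0.0.1 only.
def self_signed(key)
  cert = OpenSSL::X509::Certificate.new
  cert.version, cert.serial = 2, 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse("/CN=127.0.0.1")
  cert.public_key = key.public_key
  cert.not_before, cert.not_after = Time.now - 60, Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new(cert, cert)
  cert.add_extension(ef.create_extension("subjectAltName", "IP:127.0.0.1"))
  cert.sign(key, OpenSSL::Digest.new("SHA256"))
end

# Constructed fixture: TLS listener on a free loopback port; returns the port.
def start_tls_listener(cert, key)
  tcp = TCPServer.new("127.0.0.1", 0)
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.cert, ctx.key = cert, key
  tls = OpenSSL::SSL::SSLServer.new(tcp, ctx)
  Thread.new do
    loop do
      conn = tls.accept # a plain-HTTP probe fails the handshake and raises here
      nil until conn.gets.to_s.strip.empty?
      conn.write("HTTP/1.1 200 OK\r\nContent-Length: 0\r\nConnection: close\r\n\r\n")
      conn.close
    rescue OpenSSL::SSL::SSLError, SystemCallError, IOError # keep serving
    end
  end
  tcp.addr[1]
end
```

With `timeout: 2` a listener that never answers costs a few seconds per scheme instead of Net::HTTP's default 60-second read timeout, and a certificate that is not in the store makes the TLS attempt report `:down` rather than being silently accepted.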

@twalpole

Collaborator

twalpole commented May 3, 2018

@skryshi Give the latest version of the ssl_support branch a try and see what it does.

@twalpole

Collaborator

twalpole commented May 3, 2018

What platform are you running this on?

@twalpole twalpole force-pushed the ssl_support branch 4 times, most recently from c6319d6 to 8cf3f87 May 4, 2018

@twalpole twalpole force-pushed the ssl_support branch from 8cf3f87 to 170bc99 May 8, 2018

@twalpole twalpole merged commit 170bc99 into master May 8, 2018

2 checks passed

continuous-integration/travis-ci/pr The Travis CI build passed
continuous-integration/travis-ci/push The Travis CI build passed
@aliahmed922

aliahmed922 commented May 22, 2018

@twalpole I have seen issues on Stack Overflow and here as well where Capybara hangs after puma is ready with SSL. But in my case everything works fine except my tests are not passing in headless chrome, or if I want to go with the browser approach then I have to keep my window focused all the time until all specs are done. It was working fine ever since I added this support.

Additionally I am using subdomains in my application for which I needed to use lvh.me as localhost to support subdomains on locals. So just set up the configuration like this:

Capybara.server_host = 'lvh.me'
Capybara.server = :puma, { Host: "ssl://#{Capybara.server_host}?key=certs/localhost.key&cert=certs/localhost.crt" }

As said everything is working fine but tests are failing in headless chrome, plus I am getting this weird error always

2018-05-22 14:40:59 +0500: SSL error, peer: 127.0.0.1, peer cert: , #<Puma::MiniSSL::SSLError: OpenSSL error: error:1407609C:SSL routines:SSL23_GET_CLIENT_HELLO:http request - 336027804>

but I do not get this in development mode. Please provide some help with this.

@twalpole

Collaborator

twalpole commented May 22, 2018

@aliahmed922

  1. As can be seen from above the PR was merged into master (and then released in version 3.1.0) so you definitely shouldn't be using the ssl_support branch anymore.

  2. The Error message is emitted by Puma and is when Capybara attempts an http connection before https - It's not harmful in any way and can be silenced with the Silent: true option to puma if wanted.

  3. You have provided no info whatsoever about your failing tests so there is nothing we can do.

If you have found an actual issue with Capybara please open a new issue with enough information to reproduce the issue, if all you really have is failing tests that are most likely caused by user issues then please ask on the mailing list (as requested in the README) or on stackoverflow and make sure to provide enough information about the failing tests for someone to be able to diagnose (real code, actual errors, stack trace, etc)

@teamcapybara teamcapybara locked and limited conversation to collaborators May 22, 2018

@twalpole twalpole deleted the ssl_support branch Aug 23, 2018
