so

HTTPS sure is inconvenient sometimes

Volume 7, Issue 52; 31 Dec 2023

I understand the motivation behind HTTPS, and I support the idea of a more secure web. But 🙄.

For complicated reasons that aren’t relevant, I’ve been fussing about with tasks that don’t require a lot of concentration (I might be interrupted at any moment, so it’s hard to focus).

I got a bee in my bonnet to tinker with ActivityPub. This is partly because I’m interested in knowing more about the protocol, partly because someone asked, and partly because I’ve had no luck whatsoever with Pixelfed and I wonder if publishing my photos this way would satisfy my desire to have them be more “social” but still wholly under my control.

The first experiment is, can I support “following” this weblog on Mastodon?

I should be able to make this work with the infrastructure I’m using, but I obviously need to be able to test the bits I’m working on, and I have it on good authority that I’m not going to find it easy to do just from reading the specifications. Fine. A little protocol hacking is good for the soul. Or something.

I can configure a test Mastodon instance to run in a Docker container. ✔

Mastodon will only work with HTTPS. That’s a pain, but I can configure a self-signed certificate and I can configure nginx and I can tell the browser to leave me alone, I know what I’m doing, just show me the damned page. ✔

The test harness for my weblog also runs in a Docker container. ✔

In order to avoid having to fuss with port numbers, I can run those two containers on different physical machines so that the default HTTP ports will work. ✔

But Mastodon won’t talk to my weblog unless it’s also running HTTPS. That’s a pain, but I can configure a self-signed certificate and I can configure nginx and I can tell the browser to leave me alone, I know what I’m doing, just show me the damned page. ✔

Now I can tell my Mastodon test instance that I want to follow @norm@hackmatack.local and it’ll work, right?

No. I spent a bunch of time poking about absolutely certain that the problem was related to the self-signed certificate. But I think the first problem is that the Mastodon server is utterly confused about the network configuration.

In ipaddr.rb, we get an InvalidAddressError because, checks notes, addr.count(':') <= 7. I have no idea how or why it thinks there’s any IPv6 around here. Sigh.

I still think it would balk at the self-signed certificate though, if it got that far. I think it is possible to work around this by making a certificate chain and storing the “root certificate” somewhere, but see what I mean about inconvenient?

(I have tested that the Docker container where the Mastodon instance is running can get to the weblog with curl https://hackmatack.local/ but only, natch, if I use -k to tell curl to accept the self-signed certificate.)
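The certificate-chain workaround mentioned above, and the reason curl needs -k against a bare self-signed certificate, can be shown concretely. The following script is an added example, not part of the original post or of Mastodon or nginx: it builds a tiny private CA, signs a leaf certificate for a development hostname with a proper subjectAltName, and then verifies the chain with openssl the way a TLS client would. It assumes the openssl command-line tool is installed; the hostname hackmatack.local, the "Local dev CA" name and all file names are placeholders.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes openssl is on PATH.
# Builds: <dir>/ca.key, <dir>/ca.crt (self-signed root), <dir>/<host>.key,
# <dir>/<host>.crt (leaf signed by the root). Hostname and names are placeholders.

make_local_ca() {
  dir="$1"; host="$2"
  mkdir -p "$dir"

  # 1. Root CA: key + CSR, then self-sign it with CA extensions from an extfile
  #    (using -extfile keeps the result independent of the system openssl.cnf).
  openssl req -new -newkey rsa:2048 -nodes -keyout "$dir/ca.key" \
    -out "$dir/ca.csr" -subj "/CN=Local dev CA" >/dev/null 2>&1
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
    > "$dir/ca.ext"
  openssl x509 -req -in "$dir/ca.csr" -signkey "$dir/ca.key" -days 365 \
    -extfile "$dir/ca.ext" -out "$dir/ca.crt" >/dev/null 2>&1

  # 2. Leaf certificate for the weblog host. Modern clients match the hostname
  #    against subjectAltName, not CN, so the SAN is the part that matters.
  openssl req -new -newkey rsa:2048 -nodes -keyout "$dir/$host.key" \
    -out "$dir/$host.csr" -subj "/CN=$host" >/dev/null 2>&1
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:%s\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\n' \
    "$host" > "$dir/$host.ext"
  openssl x509 -req -in "$dir/$host.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
    -CAcreateserial -days 365 -extfile "$dir/$host.ext" \
    -out "$dir/$host.crt" >/dev/null 2>&1
}

# Exit status 0 if the leaf chains to our root AND its SAN matches the hostname,
# which is exactly the check a TLS client performs before trusting the server.
chain_ok() {
  dir="$1"; host="$2"
  openssl verify -CAfile "$dir/ca.crt" -verify_hostname "$host" \
    "$dir/$host.crt" >/dev/null 2>&1
}

# Exit status 0 if the leaf verifies with NO trust anchor supplied. It should not:
# this is the failure that forces curl -k when no root is distributed.
leaf_verifies_alone() {
  dir="$1"; host="$2"
  openssl verify -no-CAfile -no-CApath "$dir/$host.crt" >/dev/null 2>&1
}

# Usage: sh make_dev_ca.sh <output-dir> <hostname>
if [ "$#" -ge 2 ]; then
  make_local_ca "$1" "$2" && chain_ok "$1" "$2" && echo "chain OK for $2"
fi
```

Once the root exists, a client that has been given ca.crt no longer needs to disable verification: curl --cacert "$dir/ca.crt" https://hackmatack.local/ verifies the chain and the hostname, while the leaf and its key are what nginx serves via ssl_certificate and ssl_certificate_key. Distributing the root to the test Mastodon container (its system trust store, or wherever the Ruby HTTP client looks) is the "storing the root certificate somewhere" step; the leaf alone will keep failing verification no matter where it is copied, which is the point of the check.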

I don’t really feel like punching a hole in my firewall so that public traffic from the Internet can reach my laptop, but I can, in principle, spin up an actual public-facing server somewhere with an actual certificate and it will (probably?) work. But it’s going to be that much more of a PITA to do the development that way.

You’d think there’d be an easier answer for this, but if there is, the increasingly less useful search engines of the web are not revealing it to me.

#The Web