Add plain HTTP server for redirect and CA download#3474

Open. praseodym wants to merge 1 commit into main from 3412-http-server


@praseodym

Contributor

What & why

Add a plaintext HTTP server that redirects to HTTPS and makes the CA certificates available on HTTP, so that the CA certificate can be imported into client browser trust stores. Resolves #3412.

We need to document that the fingerprint of the downloaded certificate should be verified against the fingerprint logged by the Abacus server, to prevent man-in-the-middle attacks.

How to test

From a terminal:

```sh
cargo run --features tls
# and in another terminal
curl -v localhost:8080
curl -v localhost:8080/ca.pem
curl -v localhost:8080/ca.cer
curl --cacert tls/ca.pem -v https://localhost:8443/ca.pem
curl --cacert tls/ca.pem -v https://localhost:8443/ca.cer
```

Then check that the redirect works and that the CA certificates are available.

Reviewer notes

None.

@praseodym praseodym self-assigned this Jun 26, 2026
@praseodym praseodym requested a review from a team as a code owner June 26, 2026 10:25
@praseodym praseodym added the backend Issues or pull requests that relate to the backend label Jun 26, 2026

@stacktraceghost stacktraceghost left a comment

Contributor

Tested on Windows and Linux, both work.

> We need to document that the fingerprint of the downloaded certificate should be verified against the fingerprint logged by the Abacus server, to prevent man-in-the-middle attacks.

Is there an issue for this? We also need some documentation for adding the CA cert in Windows to the correct store.

Comment thread backend/README.md
To trust the server, import the CA into the client trust store: `ca.pem` on
Linux/macOS/Firefox, `ca.cer` (DER) on Windows.
Linux/macOS/Firefox, `ca.cer` (DER) on Windows. The CA can be downloaded from the
running server at `/ca.pem` and `/ca.cer`.
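
Review bot: The added sentence in backend/README.md ("The CA can be downloaded from the running server at `/ca.pem` and `/ca.cer`") takes the reader from download straight to trust-store import with no verification step. The PR description states that the download is served over plain HTTP and that the fingerprint should be verified against the one logged by the Abacus server, so that instruction belongs next to this sentence, for example: "Before importing, compare the certificate's fingerprint with the fingerprint logged by the Abacus server."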

Suggested change
running server at `/ca.pem` and `/ca.cer`.
running plain HTTP server at `/ca.pem` and `/ca.cer`.

@praseodym

Contributor Author

> Is there an issue for this? We also need some documentation for adding the CA cert in Windows to the correct store.

Just created kiesraad/abacus-documentatie#76, thanks for mentioning this!
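
The fingerprint check discussed in this thread, as an added example that is not part of the pull request or the Abacus code base. It assumes the server logs a SHA-256 fingerprint as hex (optionally colon- or space-separated); the function names and the sample bytes are constructed for illustration.

```python
import base64
import hashlib
import hmac
import re

PEM_RE = re.compile(
    rb"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.DOTALL
)


def cert_to_der(data: bytes) -> bytes:
    """Return DER bytes for a certificate given as PEM (ca.pem) or DER (ca.cer)."""
    blocks = PEM_RE.findall(data)
    if not blocks:
        return data  # no PEM armor: treat the input as DER already
    if len(blocks) > 1:
        raise ValueError("expected exactly one certificate in the file")
    return base64.b64decode(b"".join(blocks[0].split()), validate=True)


def sha256_fingerprint(data: bytes) -> str:
    """SHA-256 over the DER encoding, as lowercase hex without separators."""
    return hashlib.sha256(cert_to_der(data)).hexdigest()


def normalize(fingerprint: str) -> str:
    """Assumed log format: SHA-256 hex, optionally colon- or space-separated."""
    hexdigits = re.sub(r"[:\s]", "", fingerprint).lower()
    if not re.fullmatch(r"[0-9a-f]{64}", hexdigits):
        raise ValueError("not a SHA-256 fingerprint")
    return hexdigits


def matches_logged_fingerprint(downloaded: bytes, logged: str) -> bool:
    """True only if the downloaded CA file hashes to the logged fingerprint."""
    return hmac.compare_digest(sha256_fingerprint(downloaded), normalize(logged))


# Constructed stand-in bytes, not a real certificate: the fingerprint is a hash
# of the raw DER bytes, so no ASN.1 parsing is needed for the comparison.
SAMPLE_DER = bytes.fromhex("3082000a") + b"constructed-sample-ca"
SAMPLE_PEM = (
    b"-----BEGIN CERTIFICATE-----\n"
    + base64.encodebytes(SAMPLE_DER)
    + b"-----END CERTIFICATE-----\n"
)
```

Because the hash is taken over the DER bytes, the file fetched from `/ca.pem` and the one fetched from `/ca.cer` yield the same fingerprint for the same certificate.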

Development

Successfully merging this pull request may close these issues.

HTTP redirect to HTTPS, HTTP CA download
