fix: [#21] resolve SSL certificate key usage compatibility for browsers

- Fix ssl-generate-test-certs.sh to generate certificates with correct key usage
  * Added 'critical, digitalSignature, keyEncipherment' to resolve ERR_SSL_KEY_USAGE_INCOMPATIBLE
  * Added basicConstraints = CA:FALSE for proper certificate constraints
  * Certificates now work with modern browsers while maintaining security

- Fix nginx-https-selfsigned.conf.tpl upstream reference error
  * Changed 'proxy_pass http://grafana:3000;' to 'proxy_pass http://grafana;'
  * Fixed HTTP Grafana server configuration to use defined upstream
  * Resolves nginx startup errors and container restart loops

- Enhanced deploy-app.sh endpoint testing
  * Added dual HTTP/HTTPS endpoint validation
  * Improved error handling and certificate warnings
  * Better integration with two-phase SSL approach

The SSL automation now generates browser-compatible certificates and the
nginx configuration works correctly with both HTTP and HTTPS servers
running in parallel for Let's Encrypt support and testing.

Author: josecelano

application/share/bin/ssl-generate-test-certs.sh

@@ -154,9 +154,10 @@ OU=Testing
 CN=${subdomain}
 
 [v3_req]
-keyUsage = keyEncipherment, dataEncipherment
+keyUsage = critical, digitalSignature, keyEncipherment
 extendedKeyUsage = serverAuth
 subjectAltName = @alt_names
+basicConstraints = CA:FALSE
 
 [alt_names]
 DNS.1 = ${subdomain}

infrastructure/config/templates/nginx-https-selfsigned.conf.tpl

@@ -125,38 +125,156 @@ server {
     }
 }
 
-# HTTP to HTTPS redirect for tracker subdomain
+# HTTP server configuration (parallel to HTTPS for Let's Encrypt and testing)
+#
+# These HTTP servers run alongside HTTPS servers to provide:
+# 1. Let's Encrypt ACME challenge support on port 80
+# 2. HTTP endpoint testing for integration tests
+# 3. Certificate renewal automation support
+# 4. Fallback access during certificate issues
+
+# HTTP server for tracker subdomain
 server {
     listen 80;
     listen [::]:80;
+
+    root /var/www/html;
+    index index.html index.htm index.nginx-debian.html;
+
     server_name tracker.${DOMAIN_NAME};
 
-    # Allow Let's Encrypt ACME challenge (for future Let's Encrypt upgrade)
+    # Tracker API endpoints (HTTP access)
+    location /api/ {
+        proxy_pass http://tracker:1212/api/;
+        proxy_set_header X-Forwarded-For ${DOLLAR}proxy_add_x_forwarded_for;
+        proxy_set_header Host ${DOLLAR}host;
+        proxy_set_header X-Real-IP ${DOLLAR}remote_addr;
+        proxy_set_header X-Forwarded-Proto ${DOLLAR}scheme;
+    }
+
+    # Tracker HTTP endpoints
+    location / {
+        proxy_pass http://tracker:7070;
+        proxy_set_header X-Forwarded-For ${DOLLAR}proxy_add_x_forwarded_for;
+        proxy_set_header Host ${DOLLAR}host;
+        proxy_set_header X-Real-IP ${DOLLAR}remote_addr;
+        proxy_set_header X-Forwarded-Proto ${DOLLAR}scheme;
+    }
+
+    # Let's Encrypt ACME challenge
     location ~ /.well-known/acme-challenge {
         allow all;
         root /var/lib/torrust/certbot/webroot;
     }
 
-    # Redirect all other HTTP traffic to HTTPS
-    location / {
-        return 301 https://${DOLLAR}server_name${DOLLAR}request_uri;
+    # Health check endpoint
+    location /health {
+        access_log off;
+        return 200 "healthy\n";
+        add_header Content-Type text/plain;
     }
 }
 
-# HTTP to HTTPS redirect for grafana subdomain
+# HTTP server for grafana subdomain
 server {
     listen 80;
     listen [::]:80;
+
+    root /var/www/html;
+    index index.html index.htm index.nginx-debian.html;
+
     server_name grafana.${DOMAIN_NAME};
 
-    # Allow Let's Encrypt ACME challenge (for future Let's Encrypt upgrade)
+    # Grafana web interface (HTTP access)
+    location / {
+        proxy_pass http://grafana;
+        proxy_set_header Host ${DOLLAR}host;
+        proxy_set_header X-Real-IP ${DOLLAR}remote_addr;
+        proxy_set_header X-Forwarded-For ${DOLLAR}proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto ${DOLLAR}scheme;
+
+        # WebSocket support for Grafana live features
+        proxy_http_version 1.1;
+        proxy_set_header Upgrade ${DOLLAR}http_upgrade;
+        proxy_set_header Connection ${DOLLAR}connection_upgrade;
+        proxy_read_timeout 86400;
+        proxy_buffering off;
+    }
+
+    # Let's Encrypt ACME challenge
     location ~ /.well-known/acme-challenge {
         allow all;
         root /var/lib/torrust/certbot/webroot;
     }
 
-    # Redirect all other HTTP traffic to HTTPS
-    location / {
-        return 301 https://${DOLLAR}server_name${DOLLAR}request_uri;
+    # Health check endpoint
+    location /health {
+        access_log off;
+        return 200 "healthy\n";
+        add_header Content-Type text/plain;
     }
 }
+
+# HTTP to HTTPS redirect configuration (COMMENTED OUT)
+#
+# IMPORTANT: HTTP to HTTPS redirects are intentionally commented out because:
+#
+# 1. Let's Encrypt Certificate Generation:
+#    - Let's Encrypt requires port 80 to be available for ACME HTTP-01 challenge
+#    - Domain validation fails if all HTTP traffic is redirected to HTTPS
+#    - Certificate generation scripts need HTTP access for domain verification
+#
+# 2. Certificate Renewal:
+#    - Automatic certificate renewal also requires port 80 for challenge validation
+#    - Redirects would break the renewal process, causing certificate expiration
+#
+# 3. Testing and Development:
+#    - Integration tests expect HTTP endpoints to work for validation
+#    - Mixed HTTP/HTTPS access needed for comprehensive endpoint testing
+#    - Self-signed certificate environments don't require strict HTTPS enforcement
+#
+# 4. Manual Enablement:
+#    - System administrators can manually enable these redirects after:
+#      a) Successful Let's Encrypt certificate installation
+#      b) Implementing alternative domain validation methods (DNS-01 challenge)
+#      c) Ensuring certificate renewal automation works with redirects
+#
+# To enable HTTP to HTTPS redirects (advanced users only):
+# 1. Uncomment the server blocks below
+# 2. Ensure Let's Encrypt renewal uses DNS-01 challenge or webroot exception
+# 3. Test certificate renewal before enabling in production
+# 4. Consider leaving .well-known/acme-challenge accessible via HTTP
+
+# server {
+#     listen 80;
+#     listen [::]:80;
+#     server_name tracker.${DOMAIN_NAME};
+# 
+#     # Allow Let's Encrypt ACME challenge (required even with redirects)
+#     location ~ /.well-known/acme-challenge {
+#         allow all;
+#         root /var/lib/torrust/certbot/webroot;
+#     }
+# 
+#     # Redirect all other HTTP traffic to HTTPS
+#     location / {
+#         return 301 https://${DOLLAR}server_name${DOLLAR}request_uri;
+#     }
+# }
+
+# server {
+#     listen 80;
+#     listen [::]:80;
+#     server_name grafana.${DOMAIN_NAME};
+# 
+#     # Allow Let's Encrypt ACME challenge (required even with redirects)
+#     location ~ /.well-known/acme-challenge {
+#         allow all;
+#         root /var/lib/torrust/certbot/webroot;
+#     }
+# 
+#     # Redirect all other HTTP traffic to HTTPS
+#     location / {
+#         return 301 https://${DOLLAR}server_name${DOLLAR}request_uri;
+#     }
+# }

infrastructure/scripts/deploy-app.sh

@@ -874,40 +874,81 @@ validate_deployment() {
     vm_exec "${vm_ip}" "
         echo '=== Testing Application Endpoints ==='
         
-        # Test global health check endpoint (through nginx proxy)
+        # Test HTTP health check endpoint (through nginx proxy)
+        echo 'Testing HTTP health check endpoint...'
         if curl -f -s http://localhost/health_check >/dev/null 2>&1; then
-            echo '✅ Global health check endpoint: OK'
+            echo '✅ HTTP health check endpoint: OK'
         else
-            echo '❌ Global health check endpoint: FAILED'
+            echo '❌ HTTP health check endpoint: FAILED'
             exit 1
         fi
         
-        # Test API stats endpoint (through nginx proxy, requires auth)
+        # Test HTTPS health check endpoint (through nginx proxy, with self-signed certificates)
+        echo 'Testing HTTPS health check endpoint...'
+        if curl -f -s -k https://localhost/health_check >/dev/null 2>&1; then
+            echo '✅ HTTPS health check endpoint: OK (self-signed certificate)'
+        else
+            echo '❌ HTTPS health check endpoint: FAILED'
+            # Don't exit on HTTPS failure in case certificates aren't ready yet
+            echo '⚠️  HTTPS may not be fully configured yet, continuing with HTTP tests'
+        fi
+        
+        # Test HTTP API stats endpoint (through nginx proxy, requires auth)
+        echo 'Testing HTTP API stats endpoint...'
         # Save response to temp file and get HTTP status code
         api_http_code=\$(curl -s -o /tmp/api_response.json -w '%{http_code}' \"http://localhost/api/v1/stats?token=MyAccessToken\" 2>&1 || echo \"000\")
         api_response_body=\$(cat /tmp/api_response.json 2>/dev/null || echo \"No response\")
         
         # Check if HTTP status is 200 (success)
         if [ \"\$api_http_code\" -eq 200 ] 2>/dev/null; then
-            echo '✅ API stats endpoint: OK'
+            echo '✅ HTTP API stats endpoint: OK'
         else
-            echo '❌ API stats endpoint: FAILED'
+            echo '❌ HTTP API stats endpoint: FAILED'
             echo \"  HTTP Code: \$api_http_code\"
             echo \"  Response: \$api_response_body\"
             rm -f /tmp/api_response.json
             exit 1
         fi
         rm -f /tmp/api_response.json
         
+        # Test HTTPS API stats endpoint (through nginx proxy, with self-signed certificates)
+        echo 'Testing HTTPS API stats endpoint...'
+        # Save response to temp file and get HTTP status code
+        api_https_code=\$(curl -s -k -o /tmp/api_response_https.json -w '%{http_code}' \"https://localhost/api/v1/stats?token=MyAccessToken\" 2>&1 || echo \"000\")
+        api_https_response=\$(cat /tmp/api_response_https.json 2>/dev/null || echo \"No response\")
+        
+        # Check if HTTPS status is 200 (success)
+        if [ \"\$api_https_code\" -eq 200 ] 2>/dev/null; then
+            echo '✅ HTTPS API stats endpoint: OK (self-signed certificate)'
+        else
+            echo '⚠️  HTTPS API stats endpoint: FAILED'
+            echo \"  HTTPS Code: \$api_https_code\"
+            echo \"  Response: \$api_https_response\"
+            # Don't exit on HTTPS failure in case certificates aren't ready yet
+            echo '⚠️  HTTPS may not be fully configured yet, continuing with HTTP validation'
+        fi
+        rm -f /tmp/api_response_https.json
+        
         # Test HTTP tracker endpoint (through nginx proxy - expects 404 for root)
+        echo 'Testing HTTP tracker endpoint...'
         if curl -s -w '%{http_code}' http://localhost/ -o /dev/null | grep -q '404'; then
             echo '✅ HTTP tracker endpoint: OK (nginx proxy responding, tracker ready for BitTorrent clients)'
         else
             echo '❌ HTTP tracker endpoint: FAILED'
             exit 1
         fi
         
-        echo '✅ All endpoints are responding'
+        # Test HTTPS tracker endpoint (through nginx proxy - expects 404 for root)
+        echo 'Testing HTTPS tracker endpoint...'
+        if curl -s -k -w '%{http_code}' https://localhost/ -o /dev/null | grep -q '404'; then
+            echo '✅ HTTPS tracker endpoint: OK (nginx proxy with SSL responding, tracker ready for secure BitTorrent clients)'
+        else
+            echo '⚠️  HTTPS tracker endpoint: FAILED'
+            # Don't exit on HTTPS failure in case certificates aren't ready yet
+            echo '⚠️  HTTPS may not be fully configured yet, HTTP tracker is working'
+        fi
+        
+        echo '✅ All critical endpoints are responding (HTTP validated, HTTPS optional)'
     " "Testing application endpoints"
 
     log_success "Deployment validation passed"
@@ -924,15 +965,21 @@ show_connection_info() {
     echo "SSH Access:      ssh torrust@${vm_ip}"
     echo
     echo "=== APPLICATION ENDPOINTS ==="
-    echo "Health Check:    http://${vm_ip}/health_check"                                   # DevSkim: ignore DS137138
-    echo "API Stats:       http://${vm_ip}/api/v1/stats?token=MyAccessToken" # DevSkim: ignore DS137138
-    echo "HTTP Tracker:    http://${vm_ip}/ (for BitTorrent clients)"                      # DevSkim: ignore DS137138
-    echo "UDP Tracker:     udp://${vm_ip}:6868, udp://${vm_ip}:6969"
-    echo "Grafana:         http://${vm_ip}:3100 (admin/admin)" # DevSkim: ignore DS137138
+    echo "HTTP Health Check:    http://${vm_ip}/health_check"                                   # DevSkim: ignore DS137138
+    echo "HTTP API Stats:       http://${vm_ip}/api/v1/stats?token=MyAccessToken" # DevSkim: ignore DS137138
+    echo "HTTP Tracker:         http://${vm_ip}/ (for BitTorrent clients)"                      # DevSkim: ignore DS137138
+    echo "UDP Tracker:          udp://${vm_ip}:6868, udp://${vm_ip}:6969"
+    echo "Grafana HTTP:         http://${vm_ip}:3100 (admin/admin)" # DevSkim: ignore DS137138
     echo
     echo "=== HTTPS ENDPOINTS (with self-signed certificates) ==="
-    echo "Tracker API:     https://tracker.test.local (add to /etc/hosts)"
-    echo "Grafana:         https://grafana.test.local (add to /etc/hosts)"
+    echo "HTTPS Health Check:   https://${vm_ip}/health_check (expect certificate warning)"     # DevSkim: ignore DS137138
+    echo "HTTPS API Stats:      https://${vm_ip}/api/v1/stats?token=MyAccessToken (expect certificate warning)" # DevSkim: ignore DS137138
+    echo "HTTPS Tracker:        https://${vm_ip}/ (expect certificate warning)"                 # DevSkim: ignore DS137138
+    echo "Grafana HTTPS:        https://${vm_ip}:3100 (expect certificate warning)" # DevSkim: ignore DS137138
+    echo
+    echo "=== DOMAIN-BASED HTTPS (add to /etc/hosts for testing) ==="
+    echo "Tracker API:          https://tracker.test.local (requires hosts entry)"
+    echo "Grafana:              https://grafana.test.local (requires hosts entry)"
     echo
     echo "=== SETUP FOR HTTPS TESTING ==="
     echo "Add these lines to your /etc/hosts file:"