Skip to content

Fix ERR_TLS_CERT_ALTNAME_INVALID when using Next.js handler with Bun #148

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
martiinii wants to merge 1 commit into from
Closed

Fix ERR_TLS_CERT_ALTNAME_INVALID when using Next.js handler with Bun #148

martiinii wants to merge 1 commit into from

Conversation

@martiinii
Copy link

@martiinii martiinii commented Nov 3, 2025

Fixes ERR_TLS_CERT_ALTNAME_INVALID when using Next.js with Bun.

When running Next.js under Bun, proxying via a catch-all route failed with ERR_TLS_CERT_ALTNAME_INVALID. Bun's TLS validation is stricter than Node's and will reject requests when the Host header does not match the target URL's hostname.

Root cause:
Our proxy forwarded the original request headers including host: localhost:3000 (from local dev server) to the upstream Convex URL. This mismatched host header triggered Bun's TLS altname check.

Example of forwarded headers prior to this change (from a local dev server):

{
    host: "localhost:3000",
    "user-agent":
        "Mozilla/5.0 (X11; Linux x86_64; rv:144.0) Gecko/20100101 Firefox/144.0",
    accept: "*/*",
    "accept-language": "en-US,en;q=0.5",
    "accept-encoding": "gzip, deflate, br, zstd",
    referer: "http://localhost:3000/auth/login",
    connection: "keep-alive",
    cookie: "xxx",
    "sec-fetch-dest": "empty",
    "sec-fetch-mode": "cors",
    "sec-gpc": "1",
    "sec-fetch-site": "same-origin",
    priority: "u=4",
    "x-forwarded-host": "localhost:3000",
    "x-forwarded-port": "3000",
    "x-forwarded-proto": "http",
    "x-forwarded-for": "::ffff:127.0.0.1",
}

This PR addresses this issue and removes host header before forwarding to Convex and lets fetch set the correct host based on the Convex URL.

Notes:
Other hop-by-hop headers could also be stripped but they have correct values for forwarded requests. They do not cause any issues though.

Links:

By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.

@paschaldev
Copy link

paschaldev commented Nov 13, 2025

Thank you for patching. Just hit this error @martiinii

paschaldev
paschaldev suggested changes Nov 13, 2025
View reviewed changes
@erquhart
Copy link
Collaborator

erquhart commented Dec 23, 2025

@martiinii we now set the host header using the Convex site URL, that should take care of this.

@martiinii
Copy link
Author

martiinii commented Dec 23, 2025

@martiinii we now set the host header using the Convex site URL, that should take care of this.

Thanks for the update!
Looking at the commits it LGTM, I forgot to include those changes for TanStack

@martiinii martiinii closed this Dec 23, 2025
@martiinii martiinii deleted the fix/bun-tls-cert branch December 23, 2025 20:45
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

1 more reviewer

@paschaldev paschaldev paschaldev requested changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@martiinii @paschaldev @erquhart