LetsEncrypt SSL certificate

How to use a LetsEncrypt SSL certificate with local coder deployment?
15 Replies
Phorcys
Phorcys3y ago
not possible except if you have a domain that's accessible from the outside and that would be in caddy (for the record: atif uses Caddy)
sharkymark
sharkymark3y ago
Just checking, are you using Coder OSS or v1?
Atif
AtifOP3y ago
Coder OSS
Atif
AtifOP3y ago
I configured a LetsEncrypt certificate with Cockpit that is also a local deployment. https://github.com/cockpit-project/cockpit/wiki/Cockpit-with-LetsEncrypt
GitHub
Cockpit with LetsEncrypt · cockpit-project/cockpit Wiki
Cockpit is a web-based graphical interface for servers. - Cockpit with LetsEncrypt · cockpit-project/cockpit Wiki
Atif
AtifOP3y ago
Why something similar not possible with Coder? I can access cockpit dashboard now from all of devices without requiring to install any certificate in system or browser.
maf
maf3y ago
If you're using certbot to get the certificates, I don't see why the coder server TLS flags (--tls-*) wouldn't work? I haven't tried setting up TLS myself though, so there could be a LetsEncrypt incompatibility I don't know about. Something like: coder server --tls-enable --tls-cert-file /etc/letsencrypt/live/$DOMAIN/fullchain.pem --tls-key-file /etc/letsencrypt/live/$DOMAIN/privkey.pem ?
simonfalke
simonfalke3y ago
To get an SSL cert and use https I am using an nginx reverse proxy
Atif
AtifOP3y ago
I am running coder as a service and not using coder server command
maf
maf3y ago
You can use the environment variables instead, see coder server --help
Atif
AtifOP3y ago
DOMAIN=coder.mydoman.com

# Run "coder server --help" for flag information.
CODER_ACCESS_URL=http://coder.mydoman.com:3000
CODER_ADDRESS=0.0.0.0:3000
CODER_PG_CONNECTION_URL=
CODER_TLS_CERT_FILE=/etc/letsencrypt/live/$DOMAIN/fullchain.pem
CODER_TLS_ENABLE=1
CODER_TLS_KEY_FILE=/etc/letsencrypt/live/$DOMAIN/privkey.pem
# Generate a unique *.try.coder.app access URL
CODER_TUNNEL=false
DOMAIN=coder.mydoman.com

# Run "coder server --help" for flag information.
CODER_ACCESS_URL=http://coder.mydoman.com:3000
CODER_ADDRESS=0.0.0.0:3000
CODER_PG_CONNECTION_URL=
CODER_TLS_CERT_FILE=/etc/letsencrypt/live/$DOMAIN/fullchain.pem
CODER_TLS_ENABLE=1
CODER_TLS_KEY_FILE=/etc/letsencrypt/live/$DOMAIN/privkey.pem
# Generate a unique *.try.coder.app access URL
CODER_TUNNEL=false
If i do this the coder service fails to start with following error.
Aug 25 12:14:41 CTAR-ML coder[1174500]: Stopping built-in PostgreSQL...
Aug 25 12:14:41 CTAR-ML coder[1174500]: Stopped built-in PostgreSQL
Aug 25 12:14:41 CTAR-ML coder[1174500]: configure tls: read file "/etc/letsencrypt/live/$DOMAIN/fullchain.pem": open /etc/letsencrypt/live/$DOMAIN/fullchain.pem: permission denied
Aug 25 12:14:41 CTAR-ML coder[1174500]: Run 'coder server --help' for usage.
Aug 25 12:14:41 CTAR-ML systemd[1]: coder.service: Main process exited, code=exited, status=1/FAILURE
░░ Subject: Unit process exited
░░ Defined-By: systemd
░░ Support: http://www.ubuntu.com/support
░░
░░ An ExecStart= process belonging to unit coder.service has exited.
░░
░░ The process' exit code is 'exited' and its exit status is 1.
Aug 25 12:14:41 CTAR-ML systemd[1]: coder.service: Failed with result 'exit-code'.
░░ Subject: Unit failed
░░ Defined-By: systemd
░░ Support: http://www.ubuntu.com/support
░░
░░ The unit coder.service has entered the 'failed' state with result 'exit-code'.
Aug 25 12:14:41 CTAR-ML systemd[1]: Failed to start "Coder - Self-hosted developer workspaces on your infra".
░░ Subject: A start job for unit coder.service has failed
░░ Defined-By: systemd
░░ Support: http://www.ubuntu.com/support
░░
Aug 25 12:14:41 CTAR-ML coder[1174500]: Stopping built-in PostgreSQL...
Aug 25 12:14:41 CTAR-ML coder[1174500]: Stopped built-in PostgreSQL
Aug 25 12:14:41 CTAR-ML coder[1174500]: configure tls: read file "/etc/letsencrypt/live/$DOMAIN/fullchain.pem": open /etc/letsencrypt/live/$DOMAIN/fullchain.pem: permission denied
Aug 25 12:14:41 CTAR-ML coder[1174500]: Run 'coder server --help' for usage.
Aug 25 12:14:41 CTAR-ML systemd[1]: coder.service: Main process exited, code=exited, status=1/FAILURE
░░ Subject: Unit process exited
░░ Defined-By: systemd
░░ Support: http://www.ubuntu.com/support
░░
░░ An ExecStart= process belonging to unit coder.service has exited.
░░
░░ The process' exit code is 'exited' and its exit status is 1.
Aug 25 12:14:41 CTAR-ML systemd[1]: coder.service: Failed with result 'exit-code'.
░░ Subject: Unit failed
░░ Defined-By: systemd
░░ Support: http://www.ubuntu.com/support
░░
░░ The unit coder.service has entered the 'failed' state with result 'exit-code'.
Aug 25 12:14:41 CTAR-ML systemd[1]: Failed to start "Coder - Self-hosted developer workspaces on your infra".
░░ Subject: A start job for unit coder.service has failed
░░ Defined-By: systemd
░░ Support: http://www.ubuntu.com/support
░░
I think it is because of permission. What permission should I set ? Current permission are,
ctar@CTAR-ML:~$ sudo ls -l /etc/letsencrypt/live/ctar-ml.eee.bilkent.edu.tr/
total 4
lrwxrwxrwx 1 root root 50 Aug 19 19:02 cert.pem -> ../../archive/ctar-ml.eee.bilkent.edu.tr/cert1.pem
lrwxrwxrwx 1 root root 51 Aug 19 19:02 chain.pem -> ../../archive/ctar-ml.eee.bilkent.edu.tr/chain1.pem
lrwxrwxrwx 1 root root 55 Aug 19 19:02 fullchain.pem -> ../../archive/ctar-ml.eee.bilkent.edu.tr/fullchain1.pem
lrwxrwxrwx 1 root root 53 Aug 19 19:02 privkey.pem -> ../../archive/ctar-ml.eee.bilkent.edu.tr/privkey1.pem
-rw-r--r-- 1 root root 692 Aug 19 19:02 README
ctar@CTAR-ML:~$ sudo ls -l /etc/letsencrypt/archive/ctar-ml.eee.bilkent.edu.tr/
total 20
-rw-r--r-- 1 root root 1870 Aug 19 19:02 cert1.pem
-rw-r--r-- 1 root root 3749 Aug 19 19:02 chain1.pem
-rw-r--r-- 1 root root 5619 Aug 19 19:02 fullchain1.pem
-rw------- 1 root root 1704 Aug 19 19:02 privkey1.pem
ctar@CTAR-ML:~$ sudo ls -l /etc/letsencrypt/live/ctar-ml.eee.bilkent.edu.tr/
total 4
lrwxrwxrwx 1 root root 50 Aug 19 19:02 cert.pem -> ../../archive/ctar-ml.eee.bilkent.edu.tr/cert1.pem
lrwxrwxrwx 1 root root 51 Aug 19 19:02 chain.pem -> ../../archive/ctar-ml.eee.bilkent.edu.tr/chain1.pem
lrwxrwxrwx 1 root root 55 Aug 19 19:02 fullchain.pem -> ../../archive/ctar-ml.eee.bilkent.edu.tr/fullchain1.pem
lrwxrwxrwx 1 root root 53 Aug 19 19:02 privkey.pem -> ../../archive/ctar-ml.eee.bilkent.edu.tr/privkey1.pem
-rw-r--r-- 1 root root 692 Aug 19 19:02 README
ctar@CTAR-ML:~$ sudo ls -l /etc/letsencrypt/archive/ctar-ml.eee.bilkent.edu.tr/
total 20
-rw-r--r-- 1 root root 1870 Aug 19 19:02 cert1.pem
-rw-r--r-- 1 root root 3749 Aug 19 19:02 chain1.pem
-rw-r--r-- 1 root root 5619 Aug 19 19:02 fullchain1.pem
-rw------- 1 root root 1704 Aug 19 19:02 privkey1.pem
maf
maf3y ago
What user are you running Coder as? You would ideally try to figure out how to give the Coder user permission to those files, without exposing them to risk of being inspected by other users on the system (for security). For instance you could create a cert group on your system (if there isn't one), grant the coder user that group, and then make sure all files have the group (chgrp -R cert /path/to/certs) and make them group readable (chmod -R g+r /path/to/certs). If you don't care about security and just want to yolo get it to work. chmod -R 0777 /etc/letsencrypt.
Atif
AtifOP3y ago
Thanks. It worked. 🙂 I disabled caddy and gave path of certificate and key in /etc/coder.d/coder.env but changing the permissions is a work around. A CLI flag or ENV variable in config that allows using the certificates from certbot automatically,
maf
maf3y ago
I wouldn't say it's a work-around. It's just a simple fact that coder needs permissions to read the certificates, it's the users responsibility to make sure that is the case (either by running coder as root, as a user with cert permissions, or changing cert permissions). There's nothing we can improve in that with a CLI/env flag. But supporting LetsEncrypt one way or another inside coder server is something we may or may not consider in the future. It should be relatively easy e.g. via the autocert package: https://pkg.go.dev/golang.org/x/crypto/acme/autocert. Perhaps documentation improvements on how to use certbot together with coder server could be considered as well. If there's no open issue about this on the GitHub tracker, feel free to file one.
Phorcys
Phorcys3y ago
@Atif if you make an issue could you send it in this channel for reference ?
Atif
AtifOP3y ago
yes I will link that issue here. I have not created 1 yet

Did you find this page helpful?