C
Coder.com3y ago
sterling

Coder OSS - code-server certificate issue

Hi all, I've been stumped on this so I'm hoping maybe someone here has seen this before and has any ideas for how to approach solving this. The goal is to host code-server as a Coder workspace. When I try to open the code-server web view, I see the attached screen. It says "code-server is offline! x509: certificate signed by unknown authority." Here are some configuration details: I'm running Coder OSS on RHEL 8 using Docker Compose. The docker-compose.yaml for the Coder service has the following changes: 
    ports:
      - "443:443"
    environment:
      CODER_ADDRESS: "0.0.0.0:443"
      CODER_ACCESS_URL: "https://coder.mydomain.tld"
      CODER_TLS_ENABLE: true
      CODER_TLS_CERT_FILE: "/home/coder/cert/coder.mydomain.tld.cer"
      CODER_TLS_KEY_FILE: "/home/coder/cert/service.key"
    ports:
      - "443:443"
    environment:
      CODER_ADDRESS: "0.0.0.0:443"
      CODER_ACCESS_URL: "https://coder.mydomain.tld"
      CODER_TLS_ENABLE: true
      CODER_TLS_CERT_FILE: "/home/coder/cert/coder.mydomain.tld.cer"
      CODER_TLS_KEY_FILE: "/home/coder/cert/service.key"
coder.mydomain.tld.cer is a web server certificate chain signed by my domain controller CA. Accessing https://coder.mydomain.tld works on my devices (both via browser & cli) and the cert chain seems to be configured correctly. The docker host has had the domain CAs added to the trusted ca store. I've set up code-server using the docker-code-server template. To get it to work, I made some modifications to the template's main.tf in order to run a script that fetches the certs and adds them to the container's trusted store before downloading the coder agent (this was required to allow curl to securely fetch the agent from the coder service). The code-server container logs show the following error: 
2022-08-31 20:37:55.284 [DEBUG] <./peer/channel.go:277> (*Channel).closeWithError       datachannel closing with error  {"id": 3, "label": "tcp://coder.mydomain.tld:443"} ...
  "error": connection was closed:
               github.com/coder/coder/peer.init
                   /home/runner/work/coder/coder/peer/conn.go:28
             - EOF
2022-08-31 20:37:55.284 [DEBUG] <./peer/channel.go:277> (*Channel).closeWithError       datachannel closing with error  {"id": 3, "label": "tcp://coder.mydomain.tld:443"} ...
  "error": connection was closed:
               github.com/coder/coder/peer.init
                   /home/runner/work/coder/coder/peer/conn.go:28
             - EOF
Some research into this specific error led me to discover that Go looks for trusted authorities in a directory that is machine specific. I've added the binary (*.crt) certs to that folder on the code-server container, but I'm still getting this error. If anyone has any thoughts, I'd greatly appreciate it!
No description
8 Replies
kyle
kyle3y ago
Humph, how is your coder_app set up in your template?
sterling
sterlingOP3y ago
Is this what you mean? 
resource "coder_agent" "main" {
  arch           = data.coder_provisioner.me.arch
  os             = "linux"
  startup_script = "code-server -vvv --auth none --bind-addr 0.0.0.0:443 --cert /home/coder/cert/coder.mydomain.tld.crt --cert-key /home/coder/cert/service.key"

  # These environment variables allow you to make Git commits right away after creating a
  # workspace. Note that they take precedence over configuration defined in ~/.gitconfig!
  # You can remove this block if you'd prefer to configure Git manually or using
  # dotfiles. (see docs/dotfiles.md)
  env = {
    GIT_AUTHOR_NAME     = "${data.coder_workspace.me.owner}"
    GIT_COMMITTER_NAME  = "${data.coder_workspace.me.owner}"
    GIT_AUTHOR_EMAIL    = "${data.coder_workspace.me.owner_email}"
    GIT_COMMITTER_EMAIL = "${data.coder_workspace.me.owner_email}"
  }
}

resource "coder_app" "code-server" {
  agent_id = coder_agent.main.id
  url      = "https://coder.mydomain.tld:443/?folder=/home/coder"
  icon     = "/icon/code.svg"
}
resource "coder_agent" "main" {
  arch           = data.coder_provisioner.me.arch
  os             = "linux"
  startup_script = "code-server -vvv --auth none --bind-addr 0.0.0.0:443 --cert /home/coder/cert/coder.mydomain.tld.crt --cert-key /home/coder/cert/service.key"

  # These environment variables allow you to make Git commits right away after creating a
  # workspace. Note that they take precedence over configuration defined in ~/.gitconfig!
  # You can remove this block if you'd prefer to configure Git manually or using
  # dotfiles. (see docs/dotfiles.md)
  env = {
    GIT_AUTHOR_NAME     = "${data.coder_workspace.me.owner}"
    GIT_COMMITTER_NAME  = "${data.coder_workspace.me.owner}"
    GIT_AUTHOR_EMAIL    = "${data.coder_workspace.me.owner_email}"
    GIT_COMMITTER_EMAIL = "${data.coder_workspace.me.owner_email}"
  }
}

resource "coder_app" "code-server" {
  agent_id = coder_agent.main.id
  url      = "https://coder.mydomain.tld:443/?folder=/home/coder"
  icon     = "/icon/code.svg"
}
~from docker-code-server/main.tf
Phorcys
Phorcys3y ago
this is wrong do not bind to https this should work 
resource "coder_agent" "main" {
  arch           = data.coder_provisioner.me.arch
  os             = "linux"
  startup_script = "code-server -vvv --auth none --bind-addr 0.0.0.0:8080

  # These environment variables allow you to make Git commits right away after creating a
  # workspace. Note that they take precedence over configuration defined in ~/.gitconfig!
  # You can remove this block if you'd prefer to configure Git manually or using
  # dotfiles. (see docs/dotfiles.md)
  env = {
    GIT_AUTHOR_NAME     = "${data.coder_workspace.me.owner}"
    GIT_COMMITTER_NAME  = "${data.coder_workspace.me.owner}"
    GIT_AUTHOR_EMAIL    = "${data.coder_workspace.me.owner_email}"
    GIT_COMMITTER_EMAIL = "${data.coder_workspace.me.owner_email}"
  }
}

resource "coder_app" "code-server" {
  agent_id = coder_agent.main.id
  url      = "http://127.0.0.1:8080/?folder=/home/coder" # url is from within the workspace
  icon     = "/icon/code.svg"
}
resource "coder_agent" "main" {
  arch           = data.coder_provisioner.me.arch
  os             = "linux"
  startup_script = "code-server -vvv --auth none --bind-addr 0.0.0.0:8080

  # These environment variables allow you to make Git commits right away after creating a
  # workspace. Note that they take precedence over configuration defined in ~/.gitconfig!
  # You can remove this block if you'd prefer to configure Git manually or using
  # dotfiles. (see docs/dotfiles.md)
  env = {
    GIT_AUTHOR_NAME     = "${data.coder_workspace.me.owner}"
    GIT_COMMITTER_NAME  = "${data.coder_workspace.me.owner}"
    GIT_AUTHOR_EMAIL    = "${data.coder_workspace.me.owner_email}"
    GIT_COMMITTER_EMAIL = "${data.coder_workspace.me.owner_email}"
  }
}

resource "coder_app" "code-server" {
  agent_id = coder_agent.main.id
  url      = "http://127.0.0.1:8080/?folder=/home/coder" # url is from within the workspace
  icon     = "/icon/code.svg"
}
the coder agent runs inside your workspace and it relays the coder_apps from the inside of the workspace to the coder server basically coder agent (workspace) <-> coder <-> user (https)
sterling
sterlingOP3y ago
thanks for the help! I'm still trying to understand the architecture here, but that makes sense. let me give that a try.
Phorcys
Phorcys3y ago
so it's mad at you because the cert is not in the trust store I assume
sterling
sterlingOP3y ago
ugh, so it looks like the issue is that I was trying to bind to https when coder service was expecting the reach-back on 8080? anyway, with the patch I made to update the trusted root store it works!! thanks a ton for your help! truly, this is a brilliant platform. I've really enjoyed diving in. thanks to all the great work from the coder team, and for the correction @Phorcys
Phorcys
Phorcys3y ago
nah, I modified your template well, I personally use http but https works too if you have future issues, you can resolve the issues by using /resolve marking this as resolved
sterling
sterlingOP3y ago
Thanks, was wondering how to do that
Want results from more Discord servers?
Add your server