C
Coder.com7mo ago
correctamundo

Internal error exchanging Oauth code

Hello, I'm running coder on premises using docker-compose. After having set up the external-auth using gitlab on prem, this is what I'm facing: 1. coder workspace terminal shows a link to request the oauth in gitlab ✓ 2. When visitting the url I land into gitlab to authorize the gitlab application to use my account ✓ 3. After clicking on authorize it redirects me to coder with the message: tls: failed to verify certificate: x509: certificate signed by unknown authority ❌ What I'm not sure is where the issue resides, my intuition tells me that coder doesn't know the custom ca-cert that signed Gitlab instance ssl cert (although this is configured on the docker engine where the coder container is running on). Do you have any idea how can I add the custom ca cert into coder container?
8 Replies
Codercord
Codercord7mo ago
<#1227914902069579776>
Category
Help needed
Product
Coder OSS (v2)
Platform
Linux
Logs
Please post any relevant logs/error messages.
correctamundo
correctamundo7mo ago
Ok, I've got it working, I've hadd to change a few things on the docker-compose.yaml file: 
  coder:
    image: ghcr.io/coder/coder:${CODER_VERSION:-latest}
**    user: root**
    ports:
      - "7080:7080"
**    entrypoint: [""]**
**    command: bash -c "apk --no-cache add ca-certificates && update-ca-certificates && /opt/coder server"**
  coder:
    image: ghcr.io/coder/coder:${CODER_VERSION:-latest}
**    user: root**
    ports:
      - "7080:7080"
**    entrypoint: [""]**
**    command: bash -c "apk --no-cache add ca-certificates && update-ca-certificates && /opt/coder server"**
And mounted the custom ca cert on the container folder /usr/local/share/ca-certificates/custom-ca.crt If anyone has a cleaner way to do this please let me know. I've also tried setting the CODER_TLS_CLIENT_CA_FILE variable with the custom ca crt path but didn't work
Cian
Cian7mo ago
Might be cleaner to build a new image that includes the certs, something like this? 
FROM ghcr.io/coder/coder:${CODER_VERSION:-latest}
RUN apk --no-cache add ca-certificates
ADD ./certs/custom-ca.crt /usr/local/share/ca-certificates/custom-ca.crt
RUN update-ca-certificates 
FROM ghcr.io/coder/coder:${CODER_VERSION:-latest}
RUN apk --no-cache add ca-certificates
ADD ./certs/custom-ca.crt /usr/local/share/ca-certificates/custom-ca.crt
RUN update-ca-certificates
dakeyras
dakeyras7mo ago
Hello can you try to add a volume bin in your docker-compose file volumes: ... - ./volumes/ssl/cert.pem://etc/ssl/certs/internal-pki.pem
correctamundo
correctamundo7mo ago
I've added the volume on a clean docker-compose file (without my fix) and unfortunately it doesn't work. I guess the update-ca-certificates command is missing Hi, yes, thanks for the suggestion, this indeed sprang to mind. I've tried to do it without having to run the update-ca-certificates and no luck !
Cian
Cian7mo ago
Yes, most distros have an equivalent command that generates a CA bundle. Without running that, you won't have much luck with adding custom certs.
dakeyras
dakeyras7mo ago
strange we have a coder platform with an autosigned cert and with this bind mount only health tab are OK we have set also CODER_TLS_CLIENT_CA_FILE
correctamundo
correctamundo7mo ago
Indeed, I've tested setting the variable CODER_TLS_CLIENT_CA_FILE=/etc/ssl/certs/internal-pki.pem and then on docker-compose: 
volumes:
...
      - path_to_cert_in_host/cert.pem:${CODER_TLS_CLIENT_CA_FILE}
volumes:
...
      - path_to_cert_in_host/cert.pem:${CODER_TLS_CLIENT_CA_FILE}
Want results from more Discord servers?
Add your server