Setting up CA certificate for the container
Hey there!
I'm hosting Coder on a Red Hat VM that is already configured with its certificate from our CA. However, I'm having a hard time trying to set it up on the container.
After starting the workspace if I check the docker logs of the container I get
I'm using the Docker Containers starter template and added the upload block on the docker_container resource to upload the certificate from the Coder machine to the container.
This part is working fine, however it does not update the certificates automatically, leading to the error above. To fix this, on the Coder host I have to docker exec -it <container_id> bash and then run the sudo update-ca-certificates (without sudo fails).
I tried adding this entrypoint = ["sh", "-c", replace(...), "&&", "sudo update-ca-certificates"] to the entrypoint parameter of the docker_containers resource but it did not work.
Is it possible to configure like this? Thanks in advance!
Category: Help needed
Product: code-server
Platform: Linux
hey!
you would likely want to do this change directly inside the Docker image rather than inside the entrypoint
also, this entrypoint would not function for 2 reasons, one is that the && is not going to be supported inside the entrypoint itself, you'd have to add it to the script sh -c is running, and another thing is that you're running the update-ca-certificates command after the agent tries to fetch the binary
this is a good example if you don't want to upload the cert manually
https://discord.com/channels/747933592273027093/1283325328554721322/1283353522964008961
for your custom image, you can either build it somewhere (usually in CI) and upload it to a registry, which is the recommended way
or you can build the Dockerfile directly from within the template, but be aware that this is very slow and will trigger unwanted behavior (e.g. image not updating because it's cached, or an image rebuilding on its own) if configured improperly, and it's generally annoying to configure it properly
Hi Phorcys, thanks for your time! I've been tied up with other demands and haven't had time to follow through on this today, but I'll definitely take a look at setting up the docker image. Also, thanks for providing me with an example!
no worries, please ask any questions if you need help during the process
Hi Phorcys! Sorry for the late response, I managed to add the certificate bundle (coder -> intermediary ca -> ca root) from the host on the container image and as soon as I create a workspace everything seems to be running correctly.
However, when I try to use the VS Code Desktop I get the following error: "Failed to open workspace. Message: unable to get local issuer certificate"
Also, when I click on the Coder extension on VS Code I get the following error: "Failed to check user authentication: unable to get local issuer certificate"
Tried looking here and searching for issues but could not find anything related. Could you please provide me with assistance on this error? Thanks in advance!


The ca-bundle.pem I'm using on both the CODER_TLS_CERT_FILE and on the /usr/local/share/ca-certificates on the container image is in the following format:
-----BEGIN CERTIFICATE-----
coder cert
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
our intermediary ca
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
our root ca
-----END CERTIFICATE-----
It looks like a problem with our certificate bundle as the error "unable to get local issuer certificate" suggests. When I change our intermediary certificate for another one this error stops but some people get a "could not resolve host name --user-workspace-name" error when VS Code opens after pressing the VS Code on Desktop button.
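
Added example, not part of the thread and not Coder's own code: on Debian/Ubuntu-based images update-ca-certificates only picks up files ending in .crt under /usr/local/share/ca-certificates, and the OpenSSL rehash step it runs expects one certificate per file, so a three-certificate bundle like the one above is best split before the image build runs it. The sketch below assumes the bundle order shown in the post (server certificate first, then the CAs) and leaves the server certificate out of the trust store; the function names and the org-ca file prefix are made up for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes a Debian/Ubuntu-based image and
# the bundle order shown above: server certificate, intermediate CA, root CA.

# split_ca_bundle BUNDLE OUTDIR [SKIP]
# Writes each certificate after the first SKIP (default 1, the server
# certificate) to OUTDIR/org-ca-N.crt and prints the number of files written.
# "org-ca" is a made-up file name prefix.
split_ca_bundle() {
    bundle=$1; outdir=$2; skip=${3:-1}
    [ -r "$bundle" ] || { echo "cannot read $bundle" >&2; return 1; }
    mkdir -p "$outdir" || return 1
    awk -v dir="$outdir" -v skip="$skip" '
        /-----BEGIN CERTIFICATE-----/ {
            seen++; inside = 1
            out = (seen > skip) ? sprintf("%s/org-ca-%d.crt", dir, seen - skip) : ""
        }
        # Copy the current block, dropping a trailing CR from Windows exports.
        inside && out != "" { sub(/\r$/, ""); print > out }
        /-----END CERTIFICATE-----/ {
            if (inside && out != "") { close(out); written++ }
            inside = 0
        }
        END {
            if (inside) { print "unterminated certificate block" > "/dev/stderr"; exit 2 }
            print written + 0
        }
    ' "$bundle"
}

# Constructed sample with placeholder bodies, in the same layout as the post.
make_sample_bundle() {
    for name in "coder cert" "intermediate ca" "root ca"; do
        printf '%s\n%s\n%s\n' "-----BEGIN CERTIFICATE-----" "$name" "-----END CERTIFICATE-----"
    done > "$1"
}

# During the image build, as root:
#   split_ca_bundle ca-bundle.pem /usr/local/share/ca-certificates
#   update-ca-certificates
```
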