C
Coder.com2mo ago
GR8B8

Setting up CA certificate for the container

Hey there! I'm hosting Coder on a Redhat VM that is already configured with it's certificate from our CA. However, I'm having a hard time trying to set it up on the container. After starting the workspace if I check the docker logs of the container I get 
curl -fsSL --compressed https://coder.ourdomain.com/bin/coder-linux-amd64 -o coder
curl: (60) SSL certificate problem: unable to get local issuer certificate
curl -fsSL --compressed https://coder.ourdomain.com/bin/coder-linux-amd64 -o coder
curl: (60) SSL certificate problem: unable to get local issuer certificate
I'm using the Docker Containers starter template and added the upload block on the docker_container resource to upload the certificate from the Coder machine to the container. 
upload {
  file   = "/usr/local/share/ca-certificates/cert.crt"
  source = "/srv/certificate.pem
}
upload {
  file   = "/usr/local/share/ca-certificates/cert.crt"
  source = "/srv/certificate.pem
}
This part is working fine, however it does not update the certificates automatically, leading to the error above. To fix this, on the Coder host I have to docker exec -it <container_id> bash and then run the sudo update-ca-certificates (without sudo fails). I tryed adding this entrypoint = ["sh", "-c", replace(...), "&&", "sudo update-ca-certificates"] to the entrypoint parameter of the docker_containers resource but it did not work. Is it possible to configure like this? Thanks in advance!
Solution:
Updating here in case it helps someone going through something similar, the "unable to get local issuer certificate" as the error itself suggests was a problem with how our intermediate certificate was generated. However, using a self-signed certificate to validate it still caused the "could not resolve hostname" error when trying to open Coder on VS Code Desktop extension. It was necessary, in addition to including the self-signed certificate in the trust store of our machine, which had already been done, to add the environment variable NODE_EXTRA_CA_CERTS on the machine pointing to the path of the certificate....
Jump to solution
9 Replies
Codercord
Codercord2mo ago
<#1352111189328396370>
Category
Help needed
Product
code-server
Platform
Linux
Logs
Please post any relevant logs/error messages.
Phorcys
Phorcys2mo ago
hey! you would likely want to do this change directly inside the Docker image rather than inside the entrypoint also, this entrypoint would not function for 2 reasons, one is that the && is not going to be supported inside the entrypoint itself, you'd have to add it to the script sh -c is running, and another thing is that you're running the update-ca-certificates command after the agent tries to fetch the binary this is a good example if you don't want to upload the cert manually https://discord.com/channels/747933592273027093/1283325328554721322/1283353522964008961 for your custom image, you can either build it somewhere (usually in CI) and upload it to a registry, which is the recommended way or you can build the Dockerfile directly from within the template, but be aware that this is very slow and will trigger unwanted behavior (e.g image not updating because it's cached, or an image rebuilding on its own) if configured improperly, and it's generally annoying to configure it properly
GR8B8
GR8B8OP2mo ago
Hi Phorcys, thanks for your time! I've been tied up with other demands and haven't had time to follow through on this today, but I'll definitely take a look at setting up the docker image. Also, thanks for providing me with an example!
Phorcys
Phorcys2mo ago
no worries, please ask any questions if you need help during the process
GR8B8
GR8B8OP4w ago
Hi Phorcys! Sorry for the late response, I managed to add the certificate bundle (coder -> intermediary ca -> ca root) from the host on the container image and as soon as I create a workspace everything seems to be running correctly. However, when I try to use the VS Code Desktop I get the following error: "Failed to open workspace. Message: unable to get local issuer certificate" Also, when I click on the Coder extension on VS Code I get the following error: "Failed to check user authentication: unable to get local issuer certificate" Tried looking here and searching for issues but could not find anything related. Could you please provide me with assistance on this error? Thanks in advance!
No description
No description
GR8B8
GR8B8OP4w ago
The ca-bundle.pem I'm using on both the CODER_TLS_CERT_FILE and on the /usr/local/share/ca-certificates on the container image is in the following format: -----BEGIN CERTIFICATE----- coder cert -----END CERTIFICATE----- -----BEGIN CERTIFICATE----- our intermediary ca -----END CERTIFICATE----- -----BEGIN CERTIFICATE----- our root ca -----END CERTIFICATE----- It looks like a problem with our certificate bundle as the error "unable to get local issuer certificate" suggests. When I change our intermediary certificate for another one this error stops but some people gets a "could not resolve host name --user-workspace-name" error when VS Code opens after pressing the VS Code on Desktop button.
Solution
GR8B8
GR8B84w ago
Updating here in case it helps someone going through something similar, the "unable to get local issuer certificate" as the error itself suggests was a problem with how our intermediate certificate was generated. However, using a self-signed certificate to validate it still caused the "could not resolve hostname" error when trying to open Coder on VS Code Desktop extension. It was necessary, in addition to including the self-signed certificate in the trust store of our machine, which had already been done, to add the environment variable NODE_EXTRA_CA_CERTS on the machine pointing to the path of the certificate.
Phorcys
Phorcys3w ago
thank you for the follow-up, this makes sense as the whole chain has to be trusted sorry for the delayed reply, we were at KubeCon EU for the full week closing this as you've found a solution :-)
Codercord
Codercord3w ago
@Phorcys closed the thread.

Did you find this page helpful?