EWS01: websocket dial: failed to WebSocket dial: failed to send handshake request
I'm having this error. I already set up a self-signed certificate and cluster issuer and am using the values below, but I'm still having the issue. Using k3s, it is able to create pods but sockets are having trouble due to TLS.
EWS01: websocket dial: failed to WebSocket dial: failed to send handshake request: Get "https://coder.lab.dttdata.com/api/v2/debug/ws": tls: failed to verify certificate: x509: certificate is valid for dc5503177ca435d680300ed475c2fda7.162e42cad00d0384ec662ce16b45b7d9.traefik.default, not coder.lab.dttdata.com
Category: Help needed
Product: Coder (v2)
Platform: N/A
hi!
the issue you're running into is because you do not have a valid certificate for this host
have you defined a coder-tls-secret resource?
yes
how did you define it?
okay so, is this the most up-to-date error message?
yes
one weird thing, when i did the setup i see cert is updated but now seeing it got traefik's one

the "certificate is valid for dc5503177ca435d680300ed475c2fda7.162e42cad00d0384ec662ce16b45b7d9.traefik.default" means that the traefik ingress controller's default certificate is in use and not the one you've set
you'll need to add *.coder.lab.dttdata.com to the dnsNames
its already there
no
but somehow looks overriding?
like this
are you sure that you've applied the helm chart with these values? they look to be okay from my standpoint
though keep in mind that even if it uses the proper certificate it won't be trusted as it's a self-signed certificate, so health checks won't work and the agent won't be able to connect unless you use a valid cert
yes i did, let me update again so
Yea i trusted manually in my device but not sure if i need to do smth in pods
any reason you can't use valid certificates from let's encrypt/zerossl?
you do, but it's a hassle
No need to add more complexity 😄 yea i can i have domain and could via cloudflare
cert-manager will emit certificates and resolve dns challenges via the Cloudflare API
hmmm.. this could be reason
it most definitely is, but it's also that your ingress controller seems to be ignoring the certificate anyways
here's an example
you don't need to use sealed secrets though
First i want to solve why it mangle certificates and not use what i said
before i was using
then switched according to https://coder.com/docs/admin/setup#tls--reverse-proxy
check if your certificate was issued successfully
kubectl describe certificate coder-cert
it'll default to use the ingress controller's invalid cert until the cert is actually issued properly
it is

what if you do
not sure if that'd change anything though
I just did and applied
yeah no it shouldn't because the secret exists
with
quote required
I would revert old style, tls inside ingress not in same level. I suspect that
It fixed that issue. IDK why doc says wrong config.. https://coder.com/docs/admin/setup#tls--reverse-proxy helm tls value for ingress look not correct. Correct one is this

Okay now still having same issue.

So the plan is use cloudflare right? Couldn't be anything else? @Phorcys
kubernetes should be smart enough to propagate self signed one to trust any other pods
now having another issue.
I just added both tls under coder helm values, also under ingress (thought why not both :D)
I prefer to find way to trust my self authority instead going cloudflare way
okay CODER_TLS_ALLOW_INSECURE_CIPHERS didn't do the thing. I should fix instead skip or go alternatives
Tataaaa

quote from some ai channel: AI never sleeps 😄
Here it is in case someone also needs it
More errors more pains 😄 Idk solving things make me feel good i guess. 😄

it's valid
coder.tls means the TLS termination that Coder will serve, and ingress.tls is what the ingress serves
i should've noticed it but it would've been correct if there was no ingress in front of coder
no need to move it somewhere else as it makes it harder to follow what's going on
yea noticed having both are unnecessary. the thing fixed is putting cert
but having other issues hope you have time to check it
are you still using self signed certs?
looks u removed those messages
yes using and works good
you have to edit your template's image to trust those certs
at least dont see errors anymore, handshakes are good
is there really no way for you to use valid certificates? it will solve this issue
self signed is not great
putting cert is fixed. And having other kind issues now
but you looks removed those chats, i searched old messages and put mine in related one
i know, but the issue you're having is that the workspace cannot connect to your Coder instance because it doesn't trust the certs
i only closed the other threads but I saw your messages
this happens because of the invalid certs
soo,
this also not enough?
no
it made those errors disappear

yes, but it's different
the Kubernetes template spawns a pod and runs the Coder agent install script
the agent install script fetches the Coder agent from your Coder deployment and then tries to connect to that deployment
hmm okay then looking on it if there are no easy option for those
your workspace's pod does not trust the certificate either
so you can either install valid certs, which is the best option
or you can edit the image that the pod is running to allow your self signed cert, but that is quite a hassle
for reference here's a thread about this -> https://discord.com/channels/747933592273027093/1352111189328396370
the easy option is to configure your cert-manager with cloudflare
okay thank you will go with that. Looks no easy twig there, i was thinking if anything main.tf there make this work
After using https://github.com/cloudflare/origin-ca-issuer and successfully creating it weirdly it do not get the domains right.

also added annotations but nothing changed
any tip @Phorcys
Aren't there other coder related good hearted people other than you 😄
btw i think propagating trusted cert into other pods is a bug more than a feature request
there are, but i'm usually the only one around here on week-ends
and today is easter so there's less people around
have you tried with this instead?
this is related to the origin CA, i think it's a different thing
ah i see, happy easter.
Hmm yea those terms.. need to learn.. i'll go and use acme dns instead origin ca. I thought could be better to use some kind of plugin
everyday learning new thing and never end 😄 today was doing watch?v=FijNKp3Zdus Disassembly easy but had some hard time while Assembly part
works good but didnt get why i dont green certificate

and in helm values
okay all works good. I thought
was enough. Specified sub domain
great, can we close the issue now?
Sure, thank you for all helps
glad you got it figured out!
feel free to ask any other questions :-)
@Phorcys closed the thread.