src/node/util.ts: Make certificate generation "modern"

nhooyr · nhooyr · commit 6f5d4924d30d · 2020-10-30T05:54:49.000-04:00
Now we add a subject alt name, set extendedKeyUsage and use the correct certificate extension. The above allow it to be properly trusted by iOS. See https://support.apple.com/en-us/HT210176 *.cert isn't a real extension for certificates, *.crt is correct for it to be recognized by e.g. keychain or when importing as a profile into iOS. Updates #1566 I've been able to successfully connect from my iPad Pro now to my code-server instance with a self signed certificate! Next commit will be docs.
diff --git a/doc/FAQ.md b/doc/FAQ.md
@@ -145,7 +145,7 @@ pass in an existing certificate by providing the path to `--cert` and the path t
 the key with `--cert-key`.
 
 The self signed certificate will be generated into
-`~/.local/share/code-server/self-signed.cert`.
+`~/.local/share/code-server/self-signed.crt`.
 
 If `code-server` has been passed a certificate it will also respond to HTTPS
 requests and will redirect all HTTP requests to HTTPS.
diff --git a/src/node/util.ts b/src/node/util.ts
@@ -55,7 +55,7 @@ export function humanPath(p?: string): string {
 }
 
 export const generateCertificate = async (): Promise<{ cert: string; certKey: string }> => {
-  const certPath = path.join(paths.data, "self-signed.cert")
+  const certPath = path.join(paths.data, "self-signed.crt")
   const certKeyPath = path.join(paths.data, "self-signed.key")
 
   const checks = await Promise.all([fs.pathExists(certPath), fs.pathExists(certKeyPath)])
@@ -64,9 +64,25 @@ export const generateCertificate = async (): Promise<{ cert: string; certKey: st
     // generate certificates.
     const pem = require("pem") as typeof import("pem")
     const certs = await new Promise<import("pem").CertificateCreationResult>((resolve, reject): void => {
-      pem.createCertificate({ selfSigned: true }, (error, result) => {
-        return error ? reject(error) : resolve(result)
-      })
+      pem.createCertificate(
+        {
+          selfSigned: true,
+          config: `
+[req]
+req_extensions = v3_req
+
+[ v3_req ]
+extendedKeyUsage = serverAuth
+subjectAltName = @alt_names
+
+[alt_names]
+DNS.1 = localhost
+`,
+        },
+        (error, result) => {
+          return error ? reject(error) : resolve(result)
+        },
+      )
     })
     await fs.mkdirp(tmpdir)
     await Promise.all([fs.writeFile(certPath, certs.certificate), fs.writeFile(certKeyPath, certs.serviceKey)])
