[Bug]: Webview error #5338

Closed
4 tasks done
gogobd opened this issue Jul 14, 2022 · 23 comments

gogobd commented Jul 14, 2022

Is there an existing issue for this?

  • I have searched the existing issues

OS/Web Information

  • Web Browser: Brave
  • Local OS: MacOS Monterey 12.4
  • Remote OS: MacOS Monterey 12.4
  • Remote Architecture: platform=linux/amd64
  • code-server --version: /root/.local/lib/code-server-4.5.0/lib/vscode/bin/remote-cli/code-server: 12: /root/.local/lib/code-server-4.5.0/lib/vscode/node: not found

Steps to Reproduce

  1. Open code server in Brave Browser
  2. Log in
  3. Read the error message

Expected

Code server should run with all features enabled

Actual

All sorts of random problems, including broken image display

Logs

Error loading webview: Error: Could not register service workers: SecurityError: Failed to register a ServiceWorker for scope ('https://localhost:8080/stable-30d9c6cd9483b2cc586687151bcbcd635f373630/static/out/vs/workbench/contrib/webview/browser/pre/') with script ('https://localhost:8080/stable-30d9c6cd9483b2cc586687151bcbcd635f373630/static/out/vs/workbench/contrib/webview/browser/pre/service-worker.js?v=4&vscode-resource-base-authority=vscode-resource.vscode-cdn.net&remoteAuthority=localhost:8080'): An SSL certificate error occurred when fetching the script..

Screenshot/Video

No response

Does this issue happen in VS Code or GitHub Codespaces?

  • I cannot reproduce this in VS Code.
  • I cannot reproduce this in GitHub Codespaces.

Are you accessing code-server over HTTPS?

  • I am using HTTPS.

Notes

"This certificate is not trusted, expires ..." and it says the time of installation

@gogobd gogobd added bug Something isn't working triage This issue needs to be triaged by a maintainer labels Jul 14, 2022
Author

gogobd commented Jul 14, 2022

Maybe related to #4800

@jsjoeio jsjoeio added needs-investigation This issue needs to be further investigated and removed bug Something isn't working triage This issue needs to be triaged by a maintainer labels Jul 20, 2022
@jsjoeio jsjoeio added this to the July 2022 milestone Jul 20, 2022
Contributor

benz0li commented Jul 20, 2022

@gogobd Almost certainly there is something wrong with your certificates and/or setup.

@jsjoeio This is not a code-server bug – with the exception of /root/.local/lib/code-server-4.5.0/lib/vscode/bin/remote-cli/code-server: 12: /root/.local/lib/code-server-4.5.0/lib/vscode/node: not found (👉 #5335).

Contributor

benz0li commented Jul 21, 2022

@gogobd Have a look at mkcert for making locally-trusted development certificates.

Author

gogobd commented Jul 21, 2022

I am starting code-server with /usr/local/bin/code-server --cert --bind-addr 0.0.0.0:8080 /app so creating proper certificates should happen automagically...

Author

gogobd commented Jul 21, 2022

FROM --platform=linux/amd64 debian:bullseye-slim
  
# Install system dependencies
RUN apt-get update \
 && DEBIAN_FRONTEND=noninteractive apt-get install -y \
    curl \
    wget \
    git \
    screen \
    unzip \
    vim \
    procps \
    locales \
    python3-pip \
 && apt-get clean

# Python unicode issues
RUN sed -i -e 's/# en_US.UTF-8 UTF-8/en_US.UTF-8 UTF-8/' /etc/locale.gen && locale-gen
ENV LC_ALL=en_US.UTF-8
ENV LANG=en_US.UTF-8
ENV LANGUAGE=en_US.UTF-8

# Code server
# https://github.com/coder/code-server/releases
ARG VERSION=4.5.0
RUN mkdir -p ~/.local/lib ~/.local/bin
RUN curl -sfL https://github.com/cdr/code-server/releases/download/v$VERSION/code-server-$VERSION-linux-amd64.tar.gz | tar -C ~/.local/lib -xz
RUN mv ~/.local/lib/code-server-$VERSION-linux-amd64 ~/.local/lib/code-server-$VERSION
RUN ln -s ~/.local/lib/code-server-$VERSION/bin/code-server /usr/local/bin/code-server

WORKDIR /app
ENV SHELL /bin/bash
CMD /usr/local/bin/code-server --cert --bind-addr 0.0.0.0:8080 /app

Contributor

benz0li commented Jul 21, 2022

I am starting code-server with /usr/local/bin/code-server --cert --bind-addr 0.0.0.0:8080 /app so creating proper certificates should happen automagically...

$ code-server --help
[...]
--cert                   Path to certificate. A self signed certificate is generated if none is provided.
[...]

ℹ️ When using a self-signed certificate, its root CA needs to be added to the (system's/Brave's?) trust store.
👉 See also https://github.com/FiloSottile/mkcert#supported-root-stores

I don't think Brave – as a privacy-focused browser – does support self-signed certificates [by default].


ericzhucode commented Aug 9, 2022

Error loading webview: Error: Could not register service workers: SecurityError: Failed to register a ServiceWorker for scope

This error has to do only with your certificate and the protocol (http/https) you use. Webview is based on Service Worker, and Service Worker needs https to run.
1. As benz0li said above, if you have used the --cert param then code-server generates a self-signed cert. If you use https://ip:port to open code-server at this point, since no root CA in your browser can verify this self-signed cert, you will get this error. You can either add this self-signed cert to the trust store or buy a real cert from a public organization.
2. I noticed that you are opening code-server on your local linux machine. I think you can just use the http protocol to open it, since using a service worker via http from localhost is not restricted.
3. You can also use the following params to open your browser to escape the cert error (not secure in a public network environment, but easy to use if you are using code-server on your local network). The ip and port need to be replaced:
start chrome http://192.168.142.129:8080 --ignore-certificate-errors --unsafely-treat-insecure-origin-as-secure=http://192.168.142.129:8080

Author

gogobd commented Aug 9, 2022

Thanks everyone very much for your help!

I installed mkcert on my host machine, with brew; after installing the root certs a second time I got:

$ mkcert --install
The local CA is already installed in the system trust store! 👍
The local CA is already installed in the Firefox trust store! 👍

But I still get

Error loading webview: Error: Could not register service workers: SecurityError: Failed to register a ServiceWorker for scope ('https://localhost:8080/stable-30d9c6cd9483b2cc586687151bcbcd635f373630/static/out/vs/workbench/contrib/webview/browser/pre/') with script ('https://localhost:8080/stable-30d9c6cd9483b2cc586687151bcbcd635f373630/static/out/vs/workbench/contrib/webview/browser/pre/service-worker.js?v=4&vscode-resource-base-authority=vscode-resource.vscode-cdn.net&remoteAuthority=localhost:8080'): An SSL certificate error occurred when fetching the script..

I don't want to start my browser with these options because all other sites I use work fine and I thought there must be a way to get this to work properly... Brave is Chrome / Chromium based and they are listed under https://github.com/FiloSottile/mkcert#supported-root-stores as supported.

Contributor

benz0li commented Aug 9, 2022

@gogobd Did you include the certificate generated by mkcert localhost in your Docker image?

Author

gogobd commented Aug 9, 2022

No, I want code server to generate its own certificates on startup.

Contributor

benz0li commented Aug 9, 2022

No, I want code server to generate its own certificates on startup.

Then the root CA from mkcert makes no difference. Because you don't use the certificate generated by mkcert for localhost.

Contributor

benz0li commented Aug 9, 2022

If you want to use the certificate generated by code-server, you must add the root CA from the Dockerfile to your trust store.


ericzhucode commented Aug 9, 2022

No, I want code server to generate its own certificates on startup.

Then the root CA from mkcert make no difference. Because you don't use the certificates generated by mkcert for localhost.

Agree, I think we need to generate a cert from mkcert which can be verified by your local CA. Then you use that existing cert by passing params to code-server like
./code-server --cert xxx --cert-key xxx
instead of using the code-server-generated self-signed cert, which can't be verified by your local CA.

Author

gogobd commented Aug 9, 2022

So whenever someone uses the --cert option to let code server generate certificates on startup it actually breaks a lot of features? This doesn't make much sense to me at the moment...

Author

gogobd commented Aug 9, 2022

Could I retrieve the generated root certificates from my container and include them in my host's trust store?

Contributor

benz0li commented Aug 10, 2022

So whenever someone uses the --cert option to let code server generate certificates on startup it actually breaks a lot of features? This doesn't make much sense to me at the moment...

No. This seems to be a limitation of Brave with self-signed certificates.

Contributor

benz0li commented Aug 10, 2022

Could I retrieve the generated root certificates from my container and include them in my host's trust store?

I do not know. It's better to use mkcert and do it the other way around.

QED

Author

gogobd commented Dec 10, 2022

I upgraded to 4.9.0 and this issue is still not solved; the certificate that is being generated on startup doesn't work in Brave.

Contributor

jsjoeio commented Dec 12, 2022

@gogobd are you using Ubuntu 22.04 by chance?

Author

gogobd commented Dec 13, 2022

I found a way to get Brave to work on MacOS.
I used openssl s_client -connect localhost:8080 to retrieve the auto-generated (self-signed) certificate from the running code-server instance. I created a file with the extension .crt so I could import that key into Keychain Access.app. Then I used the search function in Keychain Access and double-clicked the new certificate to select "Always trust".
This enables all features other browsers don't seem to have an issue with - images are shown, Webviews seem to work ok, Jupyter Notebooks run.

I am cross-posting this (see #4800).

Contributor

benz0li commented Aug 9, 2023

@gogobd Please close the issue when it is resolved.

Author

gogobd commented Aug 9, 2023

Note: openssl s_client -connect localhost:8480 -showcerts </dev/null 2>/dev/null | sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' shows the certificate ready to be used.

@gogobd gogobd closed this as completed Aug 9, 2023
@code-asher code-asher removed the needs-investigation This issue needs to be further investigated label Jul 11, 2024

bastienjalbert commented Nov 19, 2024

I found a way to get Brave to work on MacOS. I used openssl s_client -connect localhost:8080 to retrieve the auto-generated (self-signed) certificate from the running code-server instance. I created a file with the extension .crt so I could import that key into Keychain Access.app. Then I used the search function in Keychain Access and double-clicked the new certificate to select "Always trust". This enables all features other browsers don't seem to have an issue with - images are shown, Webviews seem to work ok, Jupyter Notebooks run.

I am cross-posting this (see #4800).

The solution worked for me, but you have to generate a certificate with subjectAltName (and your served dns), like this:
openssl req -x509 -nodes -days 3650 -newkey rsa:4096 -sha256 -keyout /tmp/self-signed.key -out /tmp/self-signed.crt -addext "subjectAltName=DNS:mydns"
otherwise Brave'll still ask for some kind of internal validation
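
Added example (not part of the thread and not code-server's own code): the steps from the last comments as a shell script that fetches the served certificate, checks that it carries a subjectAltName entry for the host name you browse to, and prints its SHA-256 fingerprint so it can be compared with the server's copy before it is marked trusted. The function names, file prefixes and the `localhost` host name are assumptions; only exact-match DNS entries are checked.

```shell
#!/bin/sh
# Added example, not from the thread. Function names, file prefixes and the
# host name are assumptions. Needs OpenSSL 1.1.1+ for -addext.

# fetch_cert HOST:PORT -> PEM of what the server presents (command from the thread)
fetch_cert() {
    openssl s_client -connect "$1" -showcerts </dev/null 2>/dev/null |
        sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p'
}

# make_cert PREFIX HOST [with_san|no_san] -> PREFIX.key and PREFIX.crt
# "no_san" builds a CN-only certificate to show what the check rejects.
make_cert() (
    umask 077                      # keep the private key owner-readable only
    prefix=$1; host=$2
    if [ "${3:-with_san}" = with_san ]; then
        set -- -addext "subjectAltName=DNS:$host"
    else
        set --
    fi
    openssl req -x509 -nodes -days 30 -newkey rsa:2048 -sha256 \
        -subj "/CN=$host" "$@" \
        -keyout "$prefix.key" -out "$prefix.crt" 2>/dev/null
)

# san_covers CERT HOST -> exit 0 only if CERT lists DNS:HOST in subjectAltName.
# Exact match only; wildcard and IP entries are not evaluated.
san_covers() {
    openssl x509 -in "$1" -noout -text 2>/dev/null |
        grep -A1 'Subject Alternative Name' |
        tr ',' '\n' | sed 's/^ *//' | grep -qxF "DNS:$2"
}

# fingerprint CERT -> SHA-256 fingerprint, to compare with the server's own copy
fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256
}

if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp -d)
    make_cert "$tmp/san" localhost with_san
    make_cert "$tmp/cn" localhost no_san
    for c in san cn; do
        if san_covers "$tmp/$c.crt" localhost; then r="SAN ok"; else r="no SAN"; fi
        echo "$c.crt: $r, $(fingerprint "$tmp/$c.crt")"
    done
    rm -rf "$tmp"
fi
```

Run with `--demo` to see both cases side by side; against a live instance, `fetch_cert localhost:8080 > served.crt` followed by `san_covers served.crt localhost` tells you whether importing that certificate can work at all.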
