Can't login when using self signed cert for coder server

[ntimo]

Description

When trying to login on Windows to a coder server that is using a self signed cert by a private CA the login does not work and errors with:

Desired solution

It should be possible to tell the extension to accept the cert from the private CA.

[ChriZ982]

Hi @kylecarbs ,
is there any way to fix this in a short period of time? I would be happy to help 😃

[kylecarbs]

I'm not actually sure why this isn't working... it's odd that a status code 400 is used. Can you try manually requesting the URL from your computer? Does it work with our CLI?

[ChriZ982]

I think your merge request #36 changed the error message to the following:
Invalid session token! (Error: unable to verify the first certificate)

Do you get the same now @ntimo ?

coder login and coder ssh work just fine. The CA certificate is also stored in the Windows certificate store and accepted. Not sure why VS Code or this extension does not accept the certificate.

Can you try manually requesting the URL from your computer?

@kylecarbs which URL do you mean exactly? The coder base URL is accepted just fine

[kylecarbs]

Ahh, I see. I wonder if it's due to our use of axios...

[kylecarbs]

@ChriZ982 I'm not able to find any good info on how to work around this... it seems like the certificate isn't being loaded by VS Code for some reason.

Can you try running VS Code with the --ignore-certificate-errors flag to see if that fixes it? I know that's not an actual fix, but it should help us narrow down whether it's us or not.

See: https://code.visualstudio.com/docs/setup/network#_ssl-certificates

[ChriZ982]

@kylecarbs I just tried your suggestion, but unfortunately the --ignore-certificate-errors parameter is not recognized by the extension.

However, I found another workaround in this discussion. When setting the NODE_TLS_REJECT_UNAUTHORIZED environment variable to 0, its possible to login and open a workspace using the extension!

Of course this is only a temporary workaround and the CA certs should be configured properly. I believe this should be possible by setting the ca parameter when creating the axios agent. This is also described in the discussion linked above. Could you maybe make this configurable in the VSCode settings, such that we can enter a path to our custom CA bundle?

[groucho64738]

I can confirm that setting that environment variable (on Windows), that I stop getting the error. It'd be nice if there were an environment variable that could be used to point to a certificate bundle instead. I tried NODE_EXTRA_CA_CERTS, but that didn't work for me.

[bashscr]

Hey @kylecarbs sorry to ping you on this issue. We are also facing the same problem here, getting an error about unable to verify the first certificate (error code 401 I believe). The only way I've been able to connect using VS Code Desktop is to set the NODE_TLS_REJECT_UNAUTHORIZED environment variable to 0. We are using a cert generated from Venafi, which are applied & stored on our EC2 instance for Coder. Using the Coder CLI via my local machine is fine, as well as the VS Code in the browser option. However, this is a pretty big stopgap for us until we're able to use our local VS Code to connect to the Workspaces. Given the hacky workaround, which is also not recommended for Production, is there anything that can be remediated on this VS Code Extension to alleviate this potentially? Any feedback would be greatly appreciated, thank you!

Apologies, I pulled down our primary certificate again and forgot to combine it with the CA certificate. I believe things are working as expected now. I'll update on this if I find anything else, thanks again.