1 reply

HTTPS / x509 certificate issues

Hi,
we've been running Coder on our internal network for quite some months now and it has been working just fine.
We recently requested an x509 certificate from Let's Encrypt, set everything up and tested accessing our instance via HTTPS. Everything seemed to work.
When we then decided to apply all changes for HTTPS access and tried to actually interact with the workspaces, we noticed that although Coder can trigger Docker to start and stop workspaces, the Coder web UI does not update to allow any further interaction with the workspaces. See attached screenshot.
We have reverted back to HTTP access over port 3000, which did fix the issue. The buttons reappeared after starting the workspaces.
The relevant part of our coder.env file (old HTTP settings commented out) looks like this:

# CODER_ACCESS_URL=http://<DOMAIN>:3000
CODER_ACCESS_URL=https://<DOMAIN>

# CODER_HTTP_ADDRESS=<DOMAIN>:3000
CODER_TLS_ADDRESS=<DOMAIN>:443

# TLS-specific
CODER_TLS_ENABLE=true
CODER_TLS_REDIRECT_HTTP=true
CODER_TLS_KEY_FILE=/var/lib/dehydrated/certs/<DOMAIN>/privkey.pem
CODER_TLS_CERT_FILE=/var/lib/dehydrated/certs/<DOMAIN>/cert.pem

# CODER_ACCESS_URL=http://<DOMAIN>:3000
CODER_ACCESS_URL=https://<DOMAIN>

# CODER_HTTP_ADDRESS=<DOMAIN>:3000
CODER_TLS_ADDRESS=<DOMAIN>:443

# TLS-specific
CODER_TLS_ENABLE=true
CODER_TLS_REDIRECT_HTTP=true
CODER_TLS_KEY_FILE=/var/lib/dehydrated/certs/<DOMAIN>/privkey.pem
CODER_TLS_CERT_FILE=/var/lib/dehydrated/certs/<DOMAIN>/cert.pem

# CODER_ACCESS_URL=http://<DOMAIN>:3000
CODER_ACCESS_URL=https://<DOMAIN>

# CODER_HTTP_ADDRESS=<DOMAIN>:3000
CODER_TLS_ADDRESS=<DOMAIN>:443

# TLS-specific
CODER_TLS_ENABLE=true
CODER_TLS_REDIRECT_HTTP=true
CODER_TLS_KEY_FILE=/var/lib/dehydrated/certs/<DOMAIN>/privkey.pem
CODER_TLS_CERT_FILE=/var/lib/dehydrated/certs/<DOMAIN>/cert.pem

# CODER_ACCESS_URL=http://<DOMAIN>:3000
CODER_ACCESS_URL=https://<DOMAIN>

# CODER_HTTP_ADDRESS=<DOMAIN>:3000
CODER_TLS_ADDRESS=<DOMAIN>:443

# TLS-specific
CODER_TLS_ENABLE=true
CODER_TLS_REDIRECT_HTTP=true
CODER_TLS_KEY_FILE=/var/lib/dehydrated/certs/<DOMAIN>/privkey.pem
CODER_TLS_CERT_FILE=/var/lib/dehydrated/certs/<DOMAIN>/cert.pem

Also (but only maybe related) any attempts to login to the HTTPS-configured Coder instance with

coder login https://<DOMAIN>

coder login https://<DOMAIN>

coder login https://<DOMAIN>

coder login https://<DOMAIN> fail with the error

running command "coder login": Failed to check server "https://<DOMAIN>" for first user, is the URL correct and is coder accessible from your browser? Error - has initial user:
    github.com/coder/coder/cli.(*RootCmd).login.func1
        /home/runner/actions-runner/_work/coder/coder/cli/login.go:96
  - Get "https://<DOMAIN>/api/v2/users/first": tls: failed to verify certificate: x509: certificate signed by unknown authority

running command "coder login": Failed to check server "https://<DOMAIN>" for first user, is the URL correct and is coder accessible from your browser? Error - has initial user:
    github.com/coder/coder/cli.(*RootCmd).login.func1
        /home/runner/actions-runner/_work/coder/coder/cli/login.go:96
  - Get "https://<DOMAIN>/api/v2/users/first": tls: failed to verify certificate: x509: certificate signed by unknown authority

running command "coder login": Failed to check server "https://<DOMAIN>" for first user, is the URL correct and is coder accessible from your browser? Error - has initial user:
    github.com/coder/coder/cli.(*RootCmd).login.func1
        /home/runner/actions-runner/_work/coder/coder/cli/login.go:96
  - Get "https://<DOMAIN>/api/v2/users/first": tls: failed to verify certificate: x509: certificate signed by unknown authority

running command "coder login": Failed to check server "https://<DOMAIN>" for first user, is the URL correct and is coder accessible from your browser? Error - has initial user:
    github.com/coder/coder/cli.(*RootCmd).login.func1
        /home/runner/actions-runner/_work/coder/coder/cli/login.go:96
  - Get "https://<DOMAIN>/api/v2/users/first": tls: failed to verify certificate: x509: certificate signed by unknown authority

which is weird, since Let's Encrypt is the CA which I can verify manually with openssl. But I have no clue if that error could also be the source of the buttons disappearing.
How can we fix this? Is there any misconfiguration on our part that we don't see?

HTTPS / x509 certificate issues

Similar Threads

Similar Threads

Similar Threads