Accessing self signed code-server on iPad

[vmadykumar]

i'm running code-server on https using custom image of code-server, i used existing certificate by providing the path to "--cert" and the path to its key with "--cert-key" as given documentation.

I used below command to run the code-server on https

sudo docker run -d -p 443:8080 -e PASSWORD="password@123" -v /home/ubuntu/ssl_certificate/wwwwww.crt:/home/coder/cert.crt -v /home/ubuntu/ssl_certificate/xxxxxxx.key:/home/coder/cert.key -v "$PWD:/home/coder/project" kkkkk/code-server --auth none --cert /home/coder/cert.crt --cert-key /home/coder/cert.key --proxy-domain *.yyyy.com

here in above command i'm copying my existing "certificate" and "key" from my local system to container and then passing that path in "--cert" and "--cert-key"

It's running on https and also redirecting all "http" request to "https" but the issue which is coming here is that the site in not secure even after provide correct certificate file.

what should i do to make it secure any help will be appreciated

[code-asher]

Are you using a self-signed certificate? If so, you'll need to get a real one.

[nhooyr]

Can you elaborate on what you mean by not secure? Is HTTPS not active?

[dreamorosi]

Are you using a self-signed certificate? If so, you'll need to get a real one.

What if I'm running on LAN? As far as I know CA cannot sign .local domains.

[mbreese]

Are you using a self-signed certificate? If so, you'll need to get a real one.

What if I'm running on LAN? As far as I know CA cannot sign .local domains.

I'd assume you'd need to setup a local CA and add that to your OS. You should also be able to add self-signed certificates to your OS, such as shown here: https://www.humankode.com/asp-net-core/develop-locally-with-https-self-signed-certificates-and-asp-net-core

(Not tested)

[dreamorosi]

Hello @mbreese, thanks for pitching in but the article you linked shares how to create a simple self-signed certificate (which is by definition not signed by a CA).

The problem here is not generating the certificate but the fact that in order to use code-server with iPadOS properly, an actual SSL certificate is needed.

My setup is a bit more involved than normal but basically I am running code-server on a Linux box that won’t have internet connection and would allow to use vscode via iPad connected through LAN. In this scenario having an actual certificate with a domain seems out of the question and while I understand the reasoning behind limiting certain features when a self signed cert is in place (MiM attacks and such) it would still be good to have an option for intranets.

[mbreese]

No one ever mentioned iPadOS... that’s a bit different. But still doable. (Note: it’s recommended to use MDM for iOS). https://support.apple.com/en-us/HT204477 You can still add the certificate to the OS so that it will be treated as trusted. The mechanism is different, but the same concept for iOS. This should still allow a self signed certificate to be used and trusted. If you want to have multiple certificates, you should look into creating your own CA and then using that to sign your own certificates. This is pretty easy to do and there are tools available to help you manage it on Linux. The trick here is to add the CA’s certificate to each client OS (including iOS). This will by definition be a self-signed certificate. I’ve done this for an enterprise install where our internal CA certificate gets added to each user’s system as part of deployment. Then we could issue our own certificates and have them trusted internally. This was a few years ago, so things may have changed a bit, but this is more common than you think. Note: if you’re trying to prevent a MitM attack, you’d need some mechanism to either pin the certificate or establish that it is trusted. That’s true for a traditional server or an isolated network. Adding the certificate to the OS is one such mechanism.

[lisanet]

Since iPadOS / iOS 13 there are a few more requirements for TLS server certificates to be trusted by iPadOS / iOS See https://support.apple.com/en-us/HT210176

If using openssl to issue a certificate, this blog post might help for these requirements: http://blog.nashcom.de/nashcomblog.nsf/dx/more-strict-server-certificate-handling-in-ios-13-macos-10.15.htm?opendocument&comments

On macOS the certificate assistent in Keychain Access.app let's you easily create your own CA and issue the certificates.

[dreamorosi]

I have generated the certificate according to the specifications detailed by @lisanet (thanks a lot):

openssl req -x509 -nodes -days 399 -sha256 -newkey rsa:2048 -out /etc/ssl/localcerts/code.crt -keyout /etc/ssl/localcerts/code.key -config /etc/ssl/openssl.cnf -addext extendedKeyUsage=serverAuth -addext subjectAltName=DNS:raspberrypi.local

When I dump the certificate, as far as I can see, it complies to all the requirements (some parts have been redacted with ......, the actual certificate has actual values):

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            ......
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = ES, L = Barcelona, O = Andre INC, CN = raspberrypi.local, emailAddress = ...@gmail.com
        Validity
            Not Before: May  3 15:26:21 2020 GMT
            Not After : Jun  6 15:26:21 2021 GMT
        Subject: C = ES, L = Barcelona, O = Andre INC, CN = raspberrypi.local, emailAddress = dreamorosi@gmail.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus:
                    ......
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier: 
                ......
            X509v3 Authority Key Identifier: 
                keyid:......

            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Extended Key Usage: 
                TLS Web Server Authentication
            X509v3 Subject Alternative Name: 
                DNS:raspberrypi.local
    Signature Algorithm: sha256WithRSAEncryption
         ...

I have then manually installed the certificate on the iPad as a profile and trusted it (thanks @mbreese) and now whenever I visit the host through Safari via HTTPS I don't get anymore any trust/security notice.

Unfortunately code-server shows me a white screen after login now but at least I know it's not a certificate issue as other issues claim.

[lisanet]

You need to create your own CA and then create the TLS server certificate using your CA. The CA certificate has to be imported to iPadOS and has to be trusted as a profile and as a certification authority.

For use with code-server, add the CA certificate to the server certificate with
cat client.pem ca.pem > combined.pem
and use this combined.pem with code-servers --cert option.

That fixed the white screen issue on my iPad Pro, whereas only a single self-signed server certificate didn't work.

[dreamorosi]

Could you please elaborate on how to do so through Keychain Access.app?
I had already tried after your first post to create a CA and the certificate but then resorted to openssl. I tried again to create both using Keychain Access > Certificate Assistant but perhaps I'm doing something wrong because I end up with ca.pem and client.cer (that I need to convert into pem) before merging them into combined.pem

Besides, when trying to start code-server with the --cert key and passing the combined.pem it asks me for the key.

[lisanet]

Take a look at this: https://siber-sonic.com/mac/MailSMIME/CA.html although it seems outdated, it's still valid.

And please read some manual about openssl. openssl output is almost always in PEM format, so your *.crt is just a PEM file. (test it with the 'file client.crt' command). If it is not PEM, it's in DER format, which can be easily converted, see man openssl.

Well, if code-server complains about a missing key, add it with --cert-key client.key`

Every web server which uses TLS needs just 3 things. A server cert, the private key for this server cert, and the CA which has signed this server cert. Since code-server (and many others apps with included web servers) doesn't have an option to specify the CA cert, you need to combine it with the client cert. That's all.

[vmadykumar]

Can you elaborate on what you mean by not secure? Is HTTPS not active?

HTTPS is active but it's showing unsecured connection while i'm browsing it on chrome.
i'm using valid certificate then also getting this unsecured connection warning. I resolved this issue while i used a valid url for this site insted of just browsing this site on IP address.

But my real problem is i need to use this inside my application where i will create new container of code-server on user request and this container will get created on azure container instance for each user separately. Now i tried to do this with "Enable a TLS endpoint in a sidecar container" using self-signed certificate and everything is working file except for the warning i'm getting of insecure connection. And this is a problem for me as my application is working on https it will not allow insecure site to get open inside it. Azure is only giving me one IP for browsing it's not giving me any DNS even if i'm giving "--dns-name-label" while i'm creating this container.

So is there any way i can make code-server secure just with IP address

[mbreese]

It honestly sounds like you need to run this behind a reverse proxy. Then you can let the proxy handle the SSL termination and forwarding requests to your Azure containers. This is the easiest way to get SSL running with code-server anyway (IMO). You may still have issues with window.isSecureContext, but that will depend on how the proxy is setup.

To answer your specific question (and this is in no way code-server specific): you’re not going to get an IP address certificate issued to you for an ephemeral IP address you get from Azure. The only way you could potentially do it is with a self-signed CA certificate, but then you’ll still get end user warnings.

See this: https://www.geocerts.com/support/ip-address-in-ssl-certificate

You can have IP certificates, but no public CA would issue an IP certificate to an IP address you aren’t permanently assigned.