
[Bug]: error RSA PRIVATE KEY not found from openssl output

Open PhilipJonasFranz opened this issue 3 years ago • 15 comments

Is there an existing issue for this?

  • [X] I have searched the existing issues

OS/Web Information

  • Web Browser: Firefox
  • Local OS: Windows 10
  • Remote OS: Ubuntu 22.04 LTS Server
  • Remote Architecture: arm64
  • code-server --version: 4.3.0

Steps to Reproduce

  1. Install using installer script
  2. Modify config to:

     bind-addr: 0.0.0.0:443
     auth: password
     password: ...
     cert: true

  3. Read logs of service

Expected

code-server should start up normally.

Actual

code-server fails to start-up with error message in logs as seen below.

Logs

May 05 11:25:56 ubuntu code-server[17012]: [2022-05-05T11:25:56.314Z] error RSA PRIVATE KEY not found from openssl output:
May 05 11:25:56 ubuntu code-server[17012]: ---stdout---
May 05 11:25:56 ubuntu code-server[17012]: -----BEGIN PRIVATE KEY-----
May 05 11:25:56 ubuntu code-server[17012]: MIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQDBtlEnZLssezit
May 05 11:25:56 ubuntu code-server[17012]: ......................
May 05 11:25:56 ubuntu code-server[17012]: 85ApfDxbNKRPXB24sszXjhWI3A==
May 05 11:25:56 ubuntu code-server[17012]: -----END PRIVATE KEY-----
May 05 11:25:56 ubuntu code-server[17012]: ---stderr---
May 05 11:25:56 ubuntu code-server[17012]: code: 0

Screenshot/Video

No response

Does this issue happen in VS Code?

  • [X] I cannot reproduce this in VS Code.

Are you accessing code-server over HTTPS?

  • [X] I am using HTTPS.

Notes

This could be related: https://githubhot.com/repo/Chocobozzz/PeerTube/issues/4901, Ubuntu 22.04 LTS Server was running OpenSSL Version 3.0.2.

PhilipJonasFranz avatar May 05 '22 12:05 PhilipJonasFranz

Installation process on Ubuntu 20.04 LTS Server with OpenSSL version 1.1.1g works and service runs normally.

PhilipJonasFranz avatar May 05 '22 13:05 PhilipJonasFranz

Hmm... I don't know if we've discussed supporting newer versions of OpenSSL. Thoughts? @code-asher

jsjoeio avatar May 06 '22 22:05 jsjoeio

Maybe we just need to update pem?

code-asher avatar May 09 '22 17:05 code-asher

Not sure if it's supported by pem yet. See this: https://github.com/Dexus/pem/issues/316

jsjoeio avatar May 09 '22 21:05 jsjoeio

Oh huh weird. I was looking at this commit which says it is in 1.14.5:

https://github.com/Dexus/pem/commit/7ec825744b9cf1a9cab37983302fa6d7da8a9b22

code-asher avatar May 10 '22 15:05 code-asher

But GitHub releases only has up to 1.14.4 and NPM has 1.14.6 but not 1.14.5 even though the package.json in the repo says 1.14.5 so I am not sure what is going on haha

code-asher avatar May 10 '22 15:05 code-asher

Oh wow! Nice find! Lol that is strange. I'll comment on that issue

jsjoeio avatar May 10 '22 16:05 jsjoeio

Any clue on when this will be fixed? Doesn't seem like there is much progress on pem side.

The workaround I'm currently using is manually generating valid keys with mkcert, and passing those in code-server config.yaml. It works very well and it's probably the easiest thing to do until this gets fixed

Newtoniano avatar Jun 25 '22 10:06 Newtoniano

Any idea to fix it? I am using oracle VPS, if anyone knows a way to resolve it I will be very grateful

GuilhermeSCLima avatar Jun 27 '22 23:06 GuilhermeSCLima

@GuilhermeSCLima did you see the workaround here?

jsjoeio avatar Jun 28 '22 16:06 jsjoeio

@GuilhermeSCLima did you see the workaround here?

Oh, I tried that but I didn't understand, it's my first time using code-server, and the first time I try to work on an instance vps for web, if you know any tutorial that I can use I will appreciate 😊. Sorry for the dumb question.

GuilhermeSCLima avatar Jun 28 '22 16:06 GuilhermeSCLima

Ah got it! No worries. I am a noob when it comes to working with openssl, etc too. I've added this as high priority so hoping we can get to it soon!

jsjoeio avatar Jun 28 '22 17:06 jsjoeio

Any clue on when this will be fixed? Doesn't seem like there is much progress on pem side.

The workaround I'm currently using is manually generating valid keys with mkcert, and passing those in code-server config.yaml. It works very well and it's probably the easiest thing to do until this gets fixed

Hi @Newtoniano could you please explain how I can do this in simple steps? I apologize but I'm fairly new to this any assistance is greatly appreciated.

DNAMcKnight avatar Aug 13 '22 11:08 DNAMcKnight

Any clue on when this will be fixed? Doesn't seem like there is much progress on pem side. The workaround I'm currently using is manually generating valid keys with mkcert, and passing those in code-server config.yaml. It works very well and it's probably the easiest thing to do until this gets fixed

Hi @Newtoniano could you please explain how I can do this in simple steps? I apologize but I'm fairly new to this any assistance is greatly appreciated.

Sure @DNAMcKnight, I'm not a super expert myself but after many attempts I managed to get it to work for me.

  1. Read mkcert's install instructions and install it on the machine that's supposed to run code-server. Choose the method you prefer from the instructions, in my case on linux I first installed certutil with my package manager and then used the instructions for the precompiled binaries (didn't really want to install another package manager like homebrew just for mkcert).
  2. Install the CA Authority by typing mkcert -install
  3. Navigate to a folder where you'd like to store the certificates you're gonna generate, and then once inside type mkcert your_machine_ip 127.0.0.1. You can type more addresses after that, any domain names you might want to use to reach the machine from your local network, if you need for example to access code-server from other devices. If what I suggested doesn't work, just experiment with mkcert inside that folder and insert any IPs and hostnames afterwards with spaces between each other, until you generate some certificates that work for your use case.
  4. Mkcert has now generated two .pem files inside that folder. Now edit the code-server config file with nano ~/.config/code-server/config.yaml (or whatever the path to the code-server file is on your machine) and add the following two lines (customized for your specific case) cert: path_to_your_cert_folder/cert_name.pem and cert-key: path_to_your_cert_folder/cert_name-key.pem. Save and close.
  5. Restart code server.

My configuration is slightly different from this, so what I told you might not work for you because that's not exactly how mine is set up and I can't really check if everything I said is 100% correct right now (probably not, this stuff is complicated if you haven't much experience with it), so you'd have to experiment a little bit especially with what addresses you pass exactly to mkcert when generating the certificates. But you should be able to get it to work, in general this is the correct workflow. Tagging @GuilhermeSCLima in case he is still stuck on this step.

Newtoniano avatar Aug 13 '22 16:08 Newtoniano

Thank you for the response I'll give it a try and see how it goes. Appreciate the time you took to write all that!

DNAMcKnight avatar Aug 13 '22 19:08 DNAMcKnight

So it's now December and this is still a bug in the latest release (currently release v4.9.0). Any news on when this might get fixed? I see from here it was marked as a high priority.

binhex avatar Dec 07 '22 14:12 binhex

@binhex I think this is upstream and not something we will be able to fix unfortunately. See the "Known Issues" section in the latest release notes: https://github.com/coder/code-server/releases/tag/v4.9.0

jsjoeio avatar Dec 07 '22 16:12 jsjoeio

I had the same problem, but I managed to solve it by passing the certificate when starting the code-server

code-server . --cert certificate.crt --cert-key certificate.key

RyanPhpJs avatar Mar 29 '23 02:03 RyanPhpJs

Maybe use the --traditional flag for openssl 3 to get the "RSA" header of earlier versions:

$ openssl genrsa 1024 | grep BEGIN
-----BEGIN PRIVATE KEY-----
$ openssl genrsa --traditional 1024 | grep BEGIN
-----BEGIN RSA PRIVATE KEY-----

cupdike avatar Jun 30 '23 14:06 cupdike
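
The header difference shown above, as an added example that is not part of the thread and is not code-server's or pem's own code: a parser that accepts only the "RSA PRIVATE KEY" label rejects PKCS#8 output with the error from the log, while a tolerant parser plus re-encoding to PKCS#1 recovers the same key. All function names are hypothetical, and the key is a throwaway generated at run time.

```javascript
// Added example; extractStrict, extractTolerant, toTraditional and demo are hypothetical names.
const crypto = require("node:crypto");

// Models the failing behaviour: only the PKCS#1 label is accepted.
function extractStrict(output) {
  const m = output.match(/-----BEGIN RSA PRIVATE KEY-----[\s\S]+?-----END RSA PRIVATE KEY-----/);
  if (!m) throw new Error("RSA PRIVATE KEY not found from openssl output");
  return m[0];
}

// Accepts either label; the backreference \1 forces BEGIN and END labels to match.
function extractTolerant(output) {
  const m = output.match(/-----BEGIN ((?:RSA )?PRIVATE KEY)-----[\s\S]+?-----END \1-----/);
  if (!m) throw new Error("no private key block in openssl output");
  return { label: m[1], pem: m[0] };
}

// Re-encodes an RSA private key PEM as PKCS#1, the encoding that carries the RSA header.
function toTraditional(pem) {
  const key = crypto.createPrivateKey(pem);
  if (key.asymmetricKeyType !== "rsa") throw new Error("not an RSA key");
  return key.export({ type: "pkcs1", format: "pem" });
}

// Constructed sample: a fresh key in PKCS#8 form, wrapped like the stdout section of the log.
function demo() {
  const { privateKey } = crypto.generateKeyPairSync("rsa", { modulusLength: 2048 });
  const pkcs8 = privateKey.export({ type: "pkcs8", format: "pem" });
  const stdout = `---stdout---\n${pkcs8}---stderr---\n`;
  let strictError = null;
  try { extractStrict(stdout); } catch (e) { strictError = e.message; }
  const found = extractTolerant(stdout);
  const converted = toTraditional(found.pem);
  // The key material is unchanged if both encodings yield the same public key.
  const pub = (p) => crypto.createPublicKey(p).export({ type: "spki", format: "pem" });
  return {
    strictError,
    label: found.label,
    convertedLabel: extractTolerant(converted).label,
    sameKey: pub(found.pem) === pub(converted),
    strictAcceptsConverted: extractStrict(converted) === converted.trim(),
  };
}

console.log(demo());
```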

I'm seeing this with fresh installs on Debian 12.x (Bookworm) (4.15.0)

openssl version
OpenSSL 3.0.9 30 May 2023 (Library: OpenSSL 3.0.9 30 May 2023)

RobertCNelson avatar Jul 29 '23 14:07 RobertCNelson

Looks like [email protected] is available so might be we just need to update.

code-asher avatar Jul 31 '23 18:07 code-asher

I managed to work around this without using mkcert. I made a wrapper for openssl that adds the --traditional flag when necessary, such that code-server is able to parse the output.

To use it, you first have to obtain the absolute path of the installed openssl:

which openssl

In my case it's installed at /home/victor141516/.linuxbrew/bin/openssl

You have to write that path into the wrapper:

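#!/bin/sh
# Wrapper that makes "openssl genrsa" emit the "RSA PRIVATE KEY" header.

OPENSSL_BIN_PATH=/home/victor141516/.linuxbrew/bin/openssl  # change this line for your path

# "$1" is quoted so the test does not break when no arguments are given.
if [ "$1" = "genrsa" ]; then
  shift
  exec "$OPENSSL_BIN_PATH" genrsa --traditional "$@"
else
  # Every other subcommand is passed through unchanged.
  exec "$OPENSSL_BIN_PATH" "$@"
fi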

Then:

  1. Save that file with the name openssl
  2. Give it execution permissions: chmod +x ./openssl
  3. Add the path where the file is located to your PATH: export PATH="$(pwd):$PATH"

If you now run code-server, it should use the wrapper, generate the certificate correctly, and save it properly, so the next time you run code-server you shouldn't need to use the wrapper.

victor141516 avatar Aug 25 '23 11:08 victor141516

Please mark this issue as closed. Latest release fixed the issue.

brynne8 avatar Nov 06 '23 04:11 brynne8