New
Boost Developer Productivity & Streamline Onboarding with CDE's

Download the Whitepaper

Get a Demo
Home
About
Comparison
Feedback
Getting started
Coder for Docker
Administrators
Data scientists
Developers
IntelliJ
PyCharm
Workspaces
Create a workspace
Lifecycle
Auto-start
Dev URLs
Docker in workspaces
Editors and IDEs
Environment variables
Personalization
Preferences
Progressive web apps
SSH access
VS Code extensions
Workspace applications
Workspace parameters
Workspace templates
Workspace templates
Workspace template code completion
Images
Configure script
Custom image creation
Deprecate and Decommission
Embeddable button
Import
Structure
Tags
TLS certificates
Command line
Installation and setup
Remote terminal
File sync
Workspace management
Reference
coder completion
coder config-ssh
coder images
coder images ls
coder login
coder logout
coder satellites
coder satellites create
coder satellites ls
coder satellites rm
coder ssh
coder sync
coder tokens
coder tokens create
coder tokens ls
coder tokens regen
coder tokens rm
coder tunnel
coder update
coder urls
coder urls create
coder urls ls
coder urls rm
coder users
coder users ls
coder workspaces
coder workspaces create-from-config
coder workspaces create
coder workspaces edit-from-config
coder workspaces edit
coder workspaces ls
coder workspaces ping
coder workspaces policy-template
coder workspaces rebuild
coder workspaces rm
coder workspaces stop
coder workspaces watch-build
Setup
Architecture
System Requirements
Kubernetes
K3s
Amazon Elastic Kubernetes Service
Azure Kubernetes Service
Google Kubernetes Engine
Red Hat OpenShift
Rancher Kubernetes Engine
Installation
Configuration
Scaling Coder
Air-gapped deployment
Network setup
Offline documentation
Coder for Docker
Local deployment
External database setup
Upgrade
Upgrade
Update considerations
Admin
Access control
Authentication management
Organization roles
User management
User roles
Password reset
Organizations
Org management
Registries
Default registry
Amazon Elastic Container Registry
Azure Container Registry
Google Container Registry
Satellites
Manage satellites
Migrate to satellite deployments
Global access URL configuration
Workspace management
Docker in workspaces
Cluster setup
Images
Management
Extensions
GPU acceleration
IDE installation
Memory provisioning
CPU provisioning
Self-contained workspace builds
Shutdown
SSH configuration
Workspace limits
Workspace process logging
Workspace providers
Deployment
Docker
EC2
Kubernetes
Workspace provider management
Access URL
Account dormancy
Appearance
Audit
Security
Dev URLs
Direct workspace connections
Fallback shell
Git integration
Prometheus integration
Licensing
Telemetry
Templates
Usage metrics
Guides
Admin
Compute resources
Database migration
AWS RDS with IAM credentials
File download disabling
Helm charts
Image tag names
Logging
NFS file mounting
OpenID Connect with Azure AD
OpenID Connect with Active Directory Federation Services (ADFS)
OpenID Connect with Google
OpenID Connect with Okta
Shared security responsibility
Storage
Usage monitoring
Workspace provider provisioning via CLI
Customization
Git configuration
GPG forwarding
macOS keybindings
Multiple JetBrains instances configuration
Node.js Projects
Tailscale
VNC
Deployment
Coder installation from an archive
JFrog Artifactory
Managed code-server Workspaces
Podman
PostgreSQL
Proxies
SAML 2.0 identity brokering
Teardown
Terraform
TLS certificates
Azure DNS
Google Cloud DNS
Cloudflare
Route 53
Configure TLS on Coder for Docker
Mobile development
Public API
Troubleshooting
Activate JetBrains license in a browser
Admin password reset
Docker
GitHub OAuth integration
Image registry
inotify watcher limit problems
TypeError: Failed to fetch
Vite and HMR
SSH no mutual signature supported
Workspace organization
Moving to Coder v2
Sunsetting Coder v1 and v2 Migration FAQ
Changelog
1.44.0
1.44.1
1.43.0
1.43.1
1.42.0
1.42.1
1.41.0
1.41.1
1.40.0
1.39.0
1.39.2
1.39.1
1.38.0
1.38.3
1.38.2
1.38.1
1.37.0
1.37.1
1.36.0
1.36.2
1.36.1
1.35.0
1.35.4
1.35.3
1.35.2
1.35.1
1.34.0
1.34.3
1.34.2
1.34.1
Home
/
Images
/
TLS certificates

TLS certificates

TLS certificates

This article will show you how to correct issues regarding TLS certificates in Coder.

Background

Coder may sometimes fail to download extensions for your IDE if the remote extension marketplace URL is untrusted. This might happen for one of the following reasons:

  • The image doesn't come with any ca-certificates
  • You're using an internal certificate authority

Coder workspaces may also fail to build if the TLS certificate used by Coder is not present in the image, or if there is some issue with the certificate.

Adding certificates for Coder

To add certificates to your image and have them recognized by Coder:

  1. Add the certificate(s) to the image

  2. Set the NODE_EXTRA_CA_CERTS environment variable to the file in the image that contains the certificates

  3. Add the following to your Dockerfile to ensure that Coder finds and uses your newly added certificates when making requests:

     COPY my-certs.crt /etc/ssl/certs/my-certs.crt
 ENV NODE_EXTRA_CA_CERTS /etc/ssl/certs/my-certs.crt

Adding certificates at the system level

You can add certificates at the system level so that any process that runs within the workspace will use the certificates when making requests.

The specific process to add system-level certificates depends on the Linux distribution that you're using, but it is typically done by adding your certificates to your system's trusted CA repository.

TLS Certificate Requirements

Since the publication of RFC 2818 in 2000, the commonName field has been considered deprecated.

The Go programming language, which Coder uses, recently began enforcing this and ignoring the commonName field (source) in favor of the Subject Alternative Name (SAN) field.

This essentially means that SSL certificates are required to use Subject Alternative Name instead of commonName. If you attempt to use a certificate having commonName with Coder, you may see the following error:

x509: certificate relies on legacy Common Name field, use SANs instead

Certificates may specify both fields for interoperability with existing software that requires the commonName field.

If you see this error when building a workspace or performing other operations with Coder workspaces, you may be running into the aforementioned issue. To verify that this is the case, you can inspect the certificate of your Coder deployment with the following command:

openssl s_client -connect coder.domain.tld:443 < /dev/null 2>/dev/null \|
sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' \|
openssl x509 -text -noout \|
grep -A1 'Subject Alternative Name'

If your certificate has SANs specified, the expected output for the above command would be similar to the following:

           X509v3 Subject Alternative Name:
                DNS:*.coder.domain.tld, DNS:coder.domain.tld, DNS:domain.tld

Otherwise, a blank output is expected.

To fix the issue, a new TLS certificate is required that does not rely solely on the commmonName field. In the above example, this would equate to adding the following arguments to the openssl invocation to generate the certificate:

-addext "subjectAltName = DNS:domain-name.com"
See an opportunity to improve our docs? Make an edit.
On this page