coder
[Bug]: Webview error
Is there an existing issue for this?
- [X] I have searched the existing issues
OS/Web Information
- Web Browser: Brave
- Local OS: MacOS Monterey 12.4
- Remote OS: MacOS Monterey 12.4
- Remote Architecture: platform=linux/amd64
-
code-server --version:/root/.local/lib/code-server-4.5.0/lib/vscode/bin/remote-cli/code-server: 12: /root/.local/lib/code-server-4.5.0/lib/vscode/node: not found
Steps to Reproduce
- Open code server in Brave Browser
- Log in
- Read the error message
Expected
Code server should run with all features enabled
Actual
All sorts of random problems, including broken Image display
Logs
Error loading webview: Error: Could not register service workers: SecurityError: Failed to register a ServiceWorker for scope ('https://localhost:8080/stable-30d9c6cd9483b2cc586687151bcbcd635f373630/static/out/vs/workbench/contrib/webview/browser/pre/') with script ('https://localhost:8080/stable-30d9c6cd9483b2cc586687151bcbcd635f373630/static/out/vs/workbench/contrib/webview/browser/pre/service-worker.js?v=4&vscode-resource-base-authority=vscode-resource.vscode-cdn.net&remoteAuthority=localhost:8080'): An SSL certificate error occurred when fetching the script..
Screenshot/Video
No response
Does this issue happen in VS Code or GitHub Codespaces?
- [X] I cannot reproduce this in VS Code.
- [X] I cannot reproduce this in GitHub Codespaces.
Are you accessing code-server over HTTPS?
- [X] I am using HTTPS.
Notes
"This certificate is not trusted, expires ..." and it says the time of installation
@gogobd Almost certainly there is something wrong with your certificates and/or setup.
@jsjoeio This is not a code-server bug – with the exception of /root/.local/lib/code-server-4.5.0/lib/vscode/bin/remote-cli/code-server: 12: /root/.local/lib/code-server-4.5.0/lib/vscode/node: not found (👉 #5335).
I am starting code-server with /usr/local/bin/code-server --cert --bind-addr 0.0.0.0:8080 /app so creating proper certificates should happen automagically...
FROM --platform=linux/amd64 debian:bullseye-slim
# Install system dependencies
RUN apt-get update \
&& DEBIAN_FRONTEND=noninteractive apt-get install -y \
curl \
wget \
git \
screen \
unzip \
vim \
procps \
locales \
python3-pip \
&& apt-get clean
# Python unicode issues
RUN sed -i -e 's/# en_US.UTF-8 UTF-8/en_US.UTF-8 UTF-8/' /etc/locale.gen && locale-gen
ENV LC_ALL=en_US.UTF-8
ENV LANG=en_US.UTF-8
ENV LANGUAGE=en_US.UTF-8
# Code server
# https://github.com/coder/code-server/releases
ARG VERSION=4.5.0
RUN mkdir -p ~/.local/lib ~/.local/bin
RUN curl -sfL https://github.com/cdr/code-server/releases/download/v$VERSION/code-server-$VERSION-linux-amd64.tar.gz | tar -C ~/.local/lib -xz
RUN mv ~/.local/lib/code-server-$VERSION-linux-amd64 ~/.local/lib/code-server-$VERSION
RUN ln -s ~/.local/lib/code-server-$VERSION/bin/code-server /usr/local/bin/code-server
WORKDIR /app
ENV SHELL /bin/bash
CMD /usr/local/bin/code-server --cert --bind-addr 0.0.0.0:8080 /app
I am starting code-server with
/usr/local/bin/code-server --cert --bind-addr 0.0.0.0:8080 /appso creating proper certificates should happen automagically...
$ code-server --help
[...]
--cert Path to certificate. A self signed certificate is generated if none is provided.
[...]
ℹ️ When using self-signed certificates, its root CA needs to be added to the (Systems/Braves?) trust store.
👉 See also https://github.com/FiloSottile/mkcert#supported-root-stores
I don't think Brave – as a privacy-focused browser – does support self-signed certificates [by default].
Error loading webview: Error: Could not register service workers: SecurityError: Failed to register a ServiceWorker for scope
This error has nothing to do but with your certificate and the protocol(http/https) you use. Webview is based on Service Work and Service Work needs https to run
1.As benz0li said above, if you have used --cert param then code-server generates a self-signed cert, if you use https://ip:port to open code server at this point, since no root CA in your browser can verify this self-signed cert, you will get this error. You can either add this self signed cert to trust store or buy a real cert from public organizations.
2.I noticed that you are opening code-server on your local linux machine, I think you can just use http protocol to open it since using service worker via http from localhost are not restricted.
3.You can also use the following params to open your browser to escape cert error(Not secure in public network environment but easy to use if you are using code-server on your local network)
ip and port needed to be replaced
start chrome http://192.168.142.129:8080 --ignore-certificate-errors --unsafely-treat-insecure-origin-as-secure=http://192.168.142.129:8080
Thanks everyone very much for your help!
I installed mkcert on my host machine, with brew; after installing the root certs a second time i got:
$ mkcert --install
The local CA is already installed in the system trust store! 👍
The local CA is already installed in the Firefox trust store! 👍
But i still get
Error loading webview: Error: Could not register service workers: SecurityError: Failed to register a ServiceWorker for scope ('https://localhost:8080/stable-30d9c6cd9483b2cc586687151bcbcd635f373630/static/out/vs/workbench/contrib/webview/browser/pre/') with script ('https://localhost:8080/stable-30d9c6cd9483b2cc586687151bcbcd635f373630/static/out/vs/workbench/contrib/webview/browser/pre/service-worker.js?v=4&vscode-resource-base-authority=vscode-resource.vscode-cdn.net&remoteAuthority=localhost:8080'): An SSL certificate error occurred when fetching the script..
I don't want to start my browser with these options because all other sites I use work fine and I thought there must be a way to get this to work properly... Brave is Chrome / Chromium based and they are listed under https://github.com/FiloSottile/mkcert#supported-root-stores as supported.
@gogobd Did you include the certificate generated by mkcert localhost in your Docker image?
No, i want code server to generate its own certificates on startup.
Then the root CA from mkcert makes no difference. Because you don't use the certificate generated by mkcert for localhost.
If you want to use the certificate generated by code-server, you must add the root CA from the Dockerfile to your trust store.
No, i want code server to generate its own certificates on startup.
Then the root CA from
mkcertmake no difference. Because you don't use the certificates generated bymkcertforlocalhost.
Agree, I think we need to generate a cert from mkcert which can be verified by your local CA. Then you use that existing cert by passing params to code-server like ./code-server --cert xxx --cert-key xxx instead of using code server generated self signed cert which can't be verified by your local CA
So whenever someone uses the --cert option to let code server generate certificates on startup it actually breaks a lot of features? This doesn't make much sense to me at the moment...
Could I retrieve the generated root certificates from my container and include them in my hosts trust store?
So whenever someone uses the --cert option to let code server generate certificates on startup it actually breaks a lot of features? This doesn't make much sense to me at the moment...
No. This seems to be a limitation of Brave with self-signed certificates.
Could I retrieve the generated root certificates from my container and include them in my hosts trust store?
I do not know. It's better to use mkcert and do it the other way around.
QED
I upgraded to 4.9.0 and this issue is still not solved; the certificate that is being generated on startup doesn't work in Brave.
I found a way to get Brave to work on MacOS. I used openssl s_client -connect localhost:8080 to retrieve the auto-generated (self-signed) certificate from the running code-server instance. I created a file with the extension .crt so I could import that key into Keychain Access.app. Then I used the search function in Keychain Access and double-clicked the new certificate to select "Always trust". This enables all features other browsers don't seem to have an issue with - images are shown, Webviews seem to work ok, Jupyter Notebooks run.
I am cross-posting this (see https://github.com/coder/code-server/issues/4800).
Note: openssl s_client -connect localhost:8480 -showcerts </dev/null 2>/dev/null | sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' shows the certificate ready to be used.