[Bug]: `--cert` does not work on Windows
Is there an existing issue for this?
- [X] I have searched the existing issues
OS/Web Information
- Web Browser: Edge
- Local OS: Win11
- Remote OS: Android
- Remote Architecture:
code-server --version: 4.9.1
Steps to Reproduce
- Run `code-server --port 8090 --host 0.0.0.0`: works well, only Jupyter notebook does not work, so I tried HTTPS.
- Run `code-server --port 8090 --host 0.0.0.0 --cert ../san_domain_com.crt --cert-key ../san_domain_com.key`
- Open the HTTPS URL in the browser
Expected
Enter the password, then the VS Code GUI is shown.
Actual
The page is blank and PowerShell shows some errors.
Logs
[2023-02-15T08:06:43.351Z] info code-server 4.9.1 f7989a4dfcf21085e52157a01924d79d708bcc05
[2023-02-15T08:06:43.352Z] info Using user-data-dir ~\AppData\Local\code-server\Data
[2023-02-15T08:06:43.372Z] info Using config file ~\AppData\Roaming\code-server\Config\config.yaml
[2023-02-15T08:06:43.372Z] info HTTPS server listening on https://0.0.0.0:8080/
[2023-02-15T08:06:43.372Z] info - Authentication is enabled
[2023-02-15T08:06:43.372Z] info - Using password from ~\AppData\Roaming\code-server\Config\config.yaml
[2023-02-15T08:06:43.372Z] info - Using certificate for HTTPS: D:\SUN\web\san_domain_com.crt
[16:07:03]
[16:07:03] Extension host agent started.
[2023-02-15T08:07:04.413Z] error child:91736 Uncaught exception: listen EACCES: permission denied C:\Users\cceva\AppData\Local\Temp\code-server\tls-proxy
[2023-02-15T08:07:04.413Z] error child:91736 Error: listen EACCES: permission denied C:\Users\cceva\AppData\Local\Temp\code-server\tls-proxy
at Server.setupListenHandle [as _listen2] (node:net:1446:21)
at listenInCluster (node:net:1511:12)
at Server.listen (node:net:1610:5)
at C:\Users\cceva\AppData\Roaming\nvm\v16.19.0\node_modules\code-server\out\node\socket.js:114:37
at new Promise (<anonymous>)
at C:\Users\cceva\AppData\Roaming\nvm\v16.19.0\node_modules\code-server\out\node\socket.js:111:28
[16:07:04] Error: listen EACCES: permission denied C:\Users\cceva\AppData\Local\Temp\code-server\tls-proxy
at Server.setupListenHandle [as _listen2] (node:net:1446:21)
at listenInCluster (node:net:1511:12)
at Server.listen (node:net:1610:5)
at C:\Users\cceva\AppData\Roaming\nvm\v16.19.0\node_modules\code-server\out\node\socket.js:114:37
at new Promise (<anonymous>)
at C:\Users\cceva\AppData\Roaming\nvm\v16.19.0\node_modules\code-server\out\node\socket.js:111:28 {
code: 'EACCES',
errno: -4092,
syscall: 'listen',
address: 'C:\\Users\\cceva\\AppData\\Local\\Temp\\code-server\\tls-proxy',
port: -1
}
Screenshot/Video
No response
Does this issue happen in VS Code or GitHub Codespaces?
- [X] I cannot reproduce this in VS Code.
- [X] I cannot reproduce this in GitHub Codespaces.
Are you accessing code-server over HTTPS?
- [X] I am using HTTPS.
Notes
No response
@longilacus could you please try to run code-server on a powershell with admin privilege?
> @longilacus could you please try to run code-server on a powershell with admin privilege?

I have tried PowerShell with admin privilege, but still got the blank page. Running `code-server --port 8080 --host 0.0.0.0` directly works well; only Jupyter does not work.
PS D:\sun\web> code-server --port 8080 --host 0.0.0.0 --cert san_domain_com.crt --cert-key san_domain_com.key
[2023-02-15T14:47:48.108Z] info code-server 4.9.1 f7989a4dfcf21085e52157a01924d79d708bcc05
[2023-02-15T14:47:48.109Z] info Using user-data-dir ~\AppData\Local\code-server\Data
[2023-02-15T14:47:48.128Z] info Using config file ~\AppData\Roaming\code-server\Config\config.yaml
[2023-02-15T14:47:48.128Z] info HTTPS server listening on https://0.0.0.0:8080/
[2023-02-15T14:47:48.128Z] info - Authentication is enabled
[2023-02-15T14:47:48.128Z] info - Using password from ~\AppData\Roaming\code-server\Config\config.yaml
[2023-02-15T14:47:48.128Z] info - Using certificate for HTTPS: D:\sun\web\san_domain_com.crt
[22:47:48]
[22:47:48] Extension host agent started.
[2023-02-15T14:47:48.417Z] error child:95828 Uncaught exception: listen EACCES: permission denied C:\Users\cceva\AppData\Local\Temp\code-server\tls-proxy
[2023-02-15T14:47:48.417Z] error child:95828 Error: listen EACCES: permission denied C:\Users\cceva\AppData\Local\Temp\code-server\tls-proxy
at Server.setupListenHandle [as _listen2] (node:net:1446:21)
at listenInCluster (node:net:1511:12)
at Server.listen (node:net:1610:5)
at C:\Users\cceva\AppData\Roaming\nvm\v16.19.0\node_modules\code-server\out\node\socket.js:114:37
at new Promise (<anonymous>)
at C:\Users\cceva\AppData\Roaming\nvm\v16.19.0\node_modules\code-server\out\node\socket.js:111:28
[22:47:48] Error: listen EACCES: permission denied C:\Users\cceva\AppData\Local\Temp\code-server\tls-proxy
at Server.setupListenHandle [as _listen2] (node:net:1446:21)
at listenInCluster (node:net:1511:12)
at Server.listen (node:net:1610:5)
at C:\Users\cceva\AppData\Roaming\nvm\v16.19.0\node_modules\code-server\out\node\socket.js:114:37
at new Promise (<anonymous>)
at C:\Users\cceva\AppData\Roaming\nvm\v16.19.0\node_modules\code-server\out\node\socket.js:111:28 {
code: 'EACCES',
errno: -4092,
syscall: 'listen',
address: 'C:\\Users\\cceva\\AppData\\Local\\Temp\\code-server\\tls-proxy',
port: -1
}
@longilacus please paste the output of the command below from your cmd prompt in admin mode: `netsh interface ipv4 show excludedportrange protocol=tcp`
Also, could you please try to change the port from 8080 to something random (maybe 32654) while using the certificate.

> @longilacus please paste the output of the command below from your cmd prompt in admin mode: `netsh interface ipv4 show excludedportrange protocol=tcp`
> Also, could you please try to change the port from 8080 to something random (maybe 32654) while using the certificate.
开始端口 结束端口
---------- --------
5357 5357
5426 5426
50000 50059 *
54235 54235
54236 54236
I tried other ports like 8111, 27089, 32654. Still got Error: listen EACCES: permission denied
listen EACCES: permission denied C:\Users\cceva\AppData\Local\Temp\code-server\tls-proxy
Just to begin the debugging, do you have any VPN clients installed?
> listen EACCES: permission denied C:\Users\cceva\AppData\Local\Temp\code-server\tls-proxy
> Just to begin the debugging, do you have any VPN clients installed?

Yes, I have a clash VPN installed. Just tested: with the VPN running or exited, it makes no difference.
Because of permission denied C:\Users\cceva\AppData\Local\Temp\code-server\tls-proxy, I checked C:\Users\cceva\AppData\Local\Temp\code-server, and it's an empty folder.
When using --cert and --cert-key to start code-server, the password input shows, but after clicking the submit button, it becomes a blank page.
Hmm yeah code-server needs to create that tls-proxy socket so if it lacks permissions TLS will not work.
If possible I would recommend using something else to handle TLS termination like a reverse proxy such as Caddy, NGINX, etc.
Ah but since this happens even with admin I think it is possible this code needs to be reworked to work on Windows. I think you have to use named pipes instead of Unix sockets and they have to start with \\.\pipe\ or something.
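
The named-pipe point above, as an added example (not part of the thread and not code-server's own code): Node's `net` documentation states that on Windows a local-domain listen path must be an entry in `\\.\pipe\` or `\\?\pipe\`, so a helper can choose the IPC address per platform. The names `ipcAddress` and `listenIpc` and the `example-app` prefix are hypothetical.

```javascript
const net = require("node:net");
const os = require("node:os");
const path = require("node:path");
const fs = require("node:fs");

// Returns an address that net.Server.listen() accepts for local IPC.
// `name` and the "example-app" prefix are hypothetical, chosen for this example.
function ipcAddress(name, platform = process.platform, tmp = os.tmpdir()) {
  // Reject separators and dots-only tricks so `name` cannot escape the directory.
  if (!/^[A-Za-z0-9_-][A-Za-z0-9._-]*$/.test(name)) {
    throw new Error(`unsafe IPC name: ${name}`);
  }
  if (platform === "win32") {
    // Windows: Node implements local-domain listeners as named pipes, and the
    // path must be an entry in \\.\pipe\ or \\?\pipe\. A filesystem path such
    // as ...\Temp\code-server\tls-proxy is not in that namespace.
    return `\\\\.\\pipe\\example-app-${name}`;
  }
  // POSIX: a Unix domain socket inside a per-application directory.
  return path.posix.join(tmp, "example-app", `${name}.sock`);
}

// Start `server` on the platform-appropriate address and resolve with it.
function listenIpc(server, name) {
  const address = ipcAddress(name);
  if (process.platform !== "win32") {
    // Create the directory owner-only (0700) if it does not exist yet, and
    // remove a stale socket file from a previous run, which would otherwise
    // make listen() fail with EADDRINUSE.
    fs.mkdirSync(path.dirname(address), { recursive: true, mode: 0o700 });
    fs.rmSync(address, { force: true });
  }
  return new Promise((resolve, reject) => {
    server.once("error", reject);
    server.listen(address, () => resolve(address));
  });
}
```

Calling `listenIpc(net.createServer(), "tls-proxy")` resolves with the address actually bound; on Windows no socket file appears on disk because the listener lives in the pipe namespace.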
> If possible I would recommend using something else to handle TLS termination like a reverse proxy such as Caddy, NGINX, etc.

I met the same TLS permission problem on Windows, both as admin and as a general user. I followed your advice and used NGINX. Then code-server works well and there are no permission problems.
> Ah but since this happens even with admin I think it is possible this code needs to be reworked to work on Windows. I think you have to use named pipes instead of Unix sockets and they have to start with \\.\pipe\ or something.

yes and no, there's partial support for unix sockets since windows 10 1803. as per #6569 apparently now the ipc socket creation is failing
Just came across this myself, I'd been trying to avoid WSL but I guess that's the next step. A note about this could be useful in the docs.
Merging this into the Windows support issue: https://github.com/coder/code-server/issues/1397