[Bug]: error RSA PRIVATE KEY not found from openssl output

PhilipJonasFranz commented 2 years ago

Is there an existing issue for this?

[X] I have searched the existing issues

OS/Web Information

Web Browser: Firefox
Local OS: Windows 10
Remote OS: Ubuntu 22.04 LTS Server
Remote Architecture: arm64
code-server --version: 4.3.0

Steps to Reproduce

Install using installer script
Modify config to:

bind-addr: 0.0.0.0:443
auth: password
password: ...
cert: true

Read logs of service

Expected

code-server should start up normally.

Actual

code-server fails to start-up with error message in logs as seen below.

Logs

May 05 11:25:56 ubuntu code-server[17012]: [2022-05-05T11:25:56.314Z] error RSA PRIVATE KEY not found from openssl output: May 05 11:25:56 ubuntu code-server[17012]: ---stdout--- May 05 11:25:56 ubuntu code-server[17012]: -----BEGIN PRIVATE KEY----- May 05 11:25:56 ubuntu code-server[17012]: MIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQDBtlEnZLssezit May 05 11:25:56 ubuntu code-server[17012]: ...................... May 05 11:25:56 ubuntu code-server[17012]: 85ApfDxbNKRPXB24sszXjhWI3A== May 05 11:25:56 ubuntu code-server[17012]: -----END PRIVATE KEY----- May 05 11:25:56 ubuntu code-server[17012]: ---stderr--- May 05 11:25:56 ubuntu code-server[17012]: code: 0

Screenshot/Video

No response

Does this issue happen in VS Code?

[X] I cannot reproduce this in VS Code.

Are you accessing code-server over HTTPS?

[X] I am using HTTPS.

Notes

This could be related: https://githubhot.com/repo/Chocobozzz/PeerTube/issues/4901, Ubuntu 22.04 LTS Server was running OpenSSL Version 3.0.2.

PhilipJonasFranz commented 2 years ago

Installation process on Ubuntu 20.04 LTS Server with OpenSSL version 1.1.1g works and service runs normally.

jsjoeio commented 2 years ago

Hmm... I don't know if we've discussed support newer versions of OpenSSL. Thoughts? @code-asher

code-asher commented 2 years ago

Maybe we just need to update pem?

jsjoeio commented 2 years ago

Not sure if it's supported by pem yet. See this: https://github.com/Dexus/pem/issues/316

code-asher commented 2 years ago

Oh huh weird. I was looking at this commit which says it is in 1.14.5:

https://github.com/Dexus/pem/commit/7ec825744b9cf1a9cab37983302fa6d7da8a9b22

code-asher commented 2 years ago

But GitHub releases only has up to 1.14.4 and NPM has 1.14.6 but not 1.14.5 even though the package.json in the repo says 1.14.5 so I am not sure what is going on haha

jsjoeio commented 2 years ago

Oh wow! Nice find! Lol that is strange. I'll comment on that issue

Newtoniano commented 2 years ago

Any clue on when this will be fixed? Doesn't seem like there is much progress on pem side.

The workaround I'm currently using is manually generating valid keys with mkcert , and passing those in code-server config.yaml . It works very well and it's probably the easiest thing to do until this gets fixed

GuilhermeSCLima commented 2 years ago

Any ideia to fix it? I am using oracle VPS, if anyone knows a way to resolve it I will be very grateful

jsjoeio commented 2 years ago

@GuilhermeSCLima did you see the workaround here?

GuilhermeSCLima commented 2 years ago

@GuilhermeSCLima did you see the workaround here?

Oh, I tried that but I didn't understood, it's my first time using code-server, and the first time I try to work on an instance vps for web, if you know any tutorial that I can use I will appreciate 😊. Sorry for the dumb question.

jsjoeio commented 2 years ago

Ah got it! No worries. I am a noob when it comes to working with openssl, etc too. I've added this as high priority so hoping we can get to it soon!

DNAMcKnight commented 2 years ago

Any clue on when this will be fixed? Doesn't seem like there is much progress on pem side.

The workaround I'm currently using is manually generating valid keys with mkcert , and passing those in code-server config.yaml . It works very well and it's probably the easiest thing to do until this gets fixed

Hi @Newtoniano could you please explain how I can do this in simple steps? I apologize but I'm fairly new to this any assistance is greatly appreciated.

Newtoniano commented 2 years ago

Any clue on when this will be fixed? Doesn't seem like there is much progress on pem side. The workaround I'm currently using is manually generating valid keys with mkcert , and passing those in code-server config.yaml . It works very well and it's probably the easiest thing to do until this gets fixed

Hi @Newtoniano could you please explain how I can do this in simple steps? I apologize but I'm fairly new to this any assistance is greatly appreciated.

Sure @DNAMcKnight , I'm not a super expert myself but after many attempts I managed to get it to work for me.

Read mkcert 's install instructions and install it on the machine that's supposed to run code-server. Choose the method you prefer from the instructions, in my case on linux I first installed certutil with my package manager and then used the instructions for the precompiled binaries (didn't really want to install another package manager like homebrew just for mkcert).
Install the CA Authority by typing mkcert -install
Navigate to a folder where you'd like to store the certificates you're gonna generate, and then once inside type mkcert your_machine_ip 127.0.0.1 . You can type more addresses after that, any domain names you might want to use to reach the machine from your local network, if you need for example to access code-server from other devices. If what I suggested doesn't work, just experiment withmkcert inside that folder and insert any IP's and hostnames afterwards with spaces between each other, until you generate some certificates that work for your use case.
Mkcert has now generated two .pem files inside that folder. Now edit the code-server config file with nano ~/.config/code-server/config.yaml (or whatever the path to the code-server file is on your machine) and add the following two lines (customized for your specific case)cert: path_to_your_cert_folder/cert_name.pem and cert-key: path_to_your_cert_folder/cert_name-key.pem . Save and close.
Restart code server.

My configuration is slightly different from this, so what I told you might not work for you because that's not exactly how mine is set up and I can't really check if everything I said is 100% correct right now (probably not, this stuff is complicated if you haven't much experience with it), so you'd have to experiment a little bit especially with what addresses you pass exactly to mkcert when generating the certificates. But you should be able to get it to work, in general this is the correct workflow. Tagging @GuilhermeSCLima in case he is still stuck on this step.

DNAMcKnight commented 2 years ago

Thank you for the response I'll give it a try and see how it goes. Appreciate the time you took to write all that!

binhex commented 1 year ago

So its now December and this is still a bug in the latest release (currently release v4.9.0), any news on when this might get fixed?, i see from here it was marked as a high priority.

jsjoeio commented 1 year ago

@binhex I think this is upstream and not something we will be able to fix unfortunately. See the "Known Issues" section in the latest release notes: https://github.com/coder/code-server/releases/tag/v4.9.0

RyanPhpJs commented 1 year ago

I had the same problem, but I managed to solve it by passing the certificate when starting the code-server

code-server . --cert certificate.crt --cert-key certificate.key

cupdike commented 1 year ago

Maybe use the --traditional flag for openssl 3 to get the "RSA" header of earlier versions:

$ openssl genrsa 1024 | grep BEGIN
-----BEGIN PRIVATE KEY-----
$ openssl genrsa --traditional 1024 | grep BEGIN
-----BEGIN RSA PRIVATE KEY-----

RobertCNelson commented 1 year ago

I'm seeing this with fresh installs on Debian 12.x (Bookworm) (4.15.0)

openssl version
OpenSSL 3.0.9 30 May 2023 (Library: OpenSSL 3.0.9 30 May 2023)

code-asher commented 1 year ago

Looks like pem@1.14.8 is available so might be we just need to update.

victor141516 commented 1 year ago

I managed to workaround this without using mkcert. I made a wrapper for openssl that adds the --traditional flag when necessary, such that code-server is able to parse the output.

To use it, you first have to obtain the absolute path of the installed openssl:

which openssl

In my case it's installed at /home/victor141516/.linuxbrew/bin/openssl

You have to write that path into the wrapper:

#!/bin/sh

OPENSSL_BIN_PATH=/home/victor141516/.linuxbrew/bin/openssl  # change this line for your path

if [ $1 = "genrsa" ]; then
  shift
  exec $OPENSSL_BIN_PATH genrsa --traditional "$@"
else
  exec $OPENSSL_BIN_PATH "$@"
fi

Then:

Save that file with the name openssl
Give it execution permissions: chmod +x ./openssl
Add the path where the file is located to your PATH: export PATH="$(pwd):$PATH"

If you now run code-server, it should use the wrapper, generate the certificate correctly, and save it properly, so the next time you run code-server you shouldn't need to use the wrapper.

brynne8 commented 11 months ago

Please mark this issue as closed. Latest release fixed the issue.

coder / code-server