Are you using a self-signed certificate? If so, you'll need to get a real one.

Can you elaborate on what you mean by not secure? Is HTTPS not active?

Are you using a self-signed certificate? If so, you'll need to get a real one.

What if I'm running on LAN? As far as I know CA cannot sign .local domains.

Are you using a self-signed certificate? If so, you'll need to get a real one.

What if I'm running on LAN? As far as I know CA cannot sign .local domains.

I'd assume you'd need to setup a local CA and add that to your OS. You should also be able to add self-signed certificates to your OS, such as shown here: https://www.humankode.com/asp-net-core/develop-locally-with-https-self-signed-certificates-and-asp-net-core

(Not tested)

Hello @mbreese, thanks for pitching in but the article you linked shares how to create a simple self-signed certificate (which is by definition not signed by a CA).

The problem here is not generating the certificate but the fact that in order to use code-server with iPadOS properly, an actual SSL certificate is needed.

My setup is a bit more involved than normal but basically I am running code-server on a Linux box that won’t have internet connection and would allow to use vscode via iPad connected through LAN. In this scenario having an actual certificate with a domain seems out of the question and while I understand the reasoning behind limiting certain features when a self signed cert is in place (MiM attacks and such) it would still be good to have an option for intranets.

No one ever mentioned iPadOS... that’s a bit different. But still doable. (Note: it’s recommended to use MDM for iOS).

https://support.apple.com/en-us/HT204477

You can still add the certificate to the OS so that it will be treated as trusted. The mechanism is different, but the same concept for iOS. This should still allow a self signed certificate to be used and trusted.

If you want to have multiple certificates, you should look into creating your own CA and then using that to sign your own certificates. This is pretty easy to do and there are tools available to help you manage it on Linux. The trick here is to add the CA’s certificate to each client OS (including iOS). This will by definition be a self-signed certificate.

I’ve done this for an enterprise install where our internal CA certificate gets added to each user’s system as part of deployment. Then we could issue our own certificates and have them trusted internally. This was a few years ago, so things may have changed a bit, but this is more common than you think.

Note: if you’re trying to prevent a MitM attack, you’d need some mechanism to either pin the certificate or establish that it is trusted. That’s true for a traditional server or an isolated network. Adding the certificate to the OS is one such mechanism.

Since iPadOS / iOS 13 there are a few more requirements for TLS server certificates to be trusted by iPadOS / iOS See https://support.apple.com/en-us/HT210176

If using openssl to issue a certificate, this blog post might help for these requirements: http://blog.nashcom.de/nashcomblog.nsf/dx/more-strict-server-certificate-handling-in-ios-13-macos-10.15.htm?opendocument&comments

On macOS the certificate assistent in Keychain Access.app let's you easily create your own CA and issue the certificates.

I have generated the certificate according to the specifications detailed by @lisanet (thanks a lot):

openssl req -x509 -nodes -days 399 -sha256 -newkey rsa:2048 -out /etc/ssl/localcerts/code.crt -keyout /etc/ssl/localcerts/code.key -config /etc/ssl/openssl.cnf -addext extendedKeyUsage=serverAuth -addext subjectAltName=DNS:raspberrypi.local

When I dump the certificate, as far as I can see, it complies to all the requirements (some parts have been redacted with ......, the actual certificate has actual values):

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            ......
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = ES, L = Barcelona, O = Andre INC, CN = raspberrypi.local, emailAddress = [email protected]
        Validity
            Not Before: May  3 15:26:21 2020 GMT
            Not After : Jun  6 15:26:21 2021 GMT
        Subject: C = ES, L = Barcelona, O = Andre INC, CN = raspberrypi.local, emailAddress = [email protected]
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus:
                    ......
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier: 
                ......
            X509v3 Authority Key Identifier: 
                keyid:......

            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Extended Key Usage: 
                TLS Web Server Authentication
            X509v3 Subject Alternative Name: 
                DNS:raspberrypi.local
    Signature Algorithm: sha256WithRSAEncryption
         ...

I have then manually installed the certificate on the iPad as a profile and trusted it (thanks @mbreese) and now whenever I visit the host through Safari via HTTPS I don't get anymore any trust/security notice.

Unfortunately code-server shows me a white screen after login now but at least I know it's not a certificate issue as other issues claim.

You need to create your own CA and then create the TLS server certificate using your CA. The CA certificate has to be imported to iPadOS and has to be trusted as a profile and as a certification authority.

For use with code-server, add the CA certificate to the server certificate with
cat client.pem ca.pem > combined.pem
and use this combined.pem with code-servers --cert option.

That fixed the white screen issue on my iPad Pro, whereas only a single self-signed server certificate didn't work.

Could you please elaborate on how to do so through Keychain Access.app?
I had already tried after your first post to create a CA and the certificate but then resorted to openssl. I tried again to create both using Keychain Access > Certificate Assistant but perhaps I'm doing something wrong because I end up with ca.pem and client.cer (that I need to convert into pem) before merging them into combined.pem

Besides, when trying to start code-server with the --cert key and passing the combined.pem it asks me for the key.

Take a look at this: https://siber-sonic.com/mac/MailSMIME/CA.html although it seems outdated, it's still valid.

And please read some manual about openssl. openssl output is almost always in PEM format, so your *.crt is just a PEM file. (test it with the 'file client.crt' command). If it is not PEM, it's in DER format, which can be easily converted, see man openssl.

Well, if code-server complains about a missing key, add it with --cert-keyclient.key`

Every web server which uses TLS needs just 3 things. A server cert, the private key for this server cert, and the CA which has signed this server cert. Since code-server (and many others apps with included web servers) doesn't have an option to specify the CA cert, you need to combine it with the client cert. That's all.

Can you elaborate on what you mean by not secure? Is HTTPS not active?

HTTPS is active but it's showing unsecured connection while i'm browsing it on chrome.
i'm using valid certificate then also getting this unsecured connection warning. I resolved this issue while i used a valid url for this site insted of just browsing this site on IP address.

But my real problem is i need to use this inside my application where i will create new container of code-server on user request and this container will get created on azure container instance for each user separately. Now i tried to do this with "Enable a TLS endpoint in a sidecar container" using self-signed certificate and everything is working file except for the warning i'm getting of insecure connection. And this is a problem for me as my application is working on https it will not allow insecure site to get open inside it. Azure is only giving me one IP for browsing it's not giving me any DNS even if i'm giving "--dns-name-label" while i'm creating this container.

So is there any way i can make code-server secure just with IP address

It honestly sounds like you need to run this behind a reverse proxy. Then you can let the proxy handle the SSL termination and forwarding requests to your Azure containers. This is the easiest way to get SSL running with code-server anyway (IMO). You may still have issues with window.isSecureContext, but that will depend on how the proxy is setup.

To answer your specific question (and this is in no way code-server specific): you’re not going to get an IP address certificate issued to you for an ephemeral IP address you get from Azure. The only way you could potentially do it is with a self-signed CA certificate, but then you’ll still get end user warnings.

See this: https://www.geocerts.com/support/ip-address-in-ssl-certificate

You can have IP certificates, but no public CA would issue an IP certificate to an IP address you aren’t permanently assigned.

@lisanet Interesting, can you not add the self signed certificate as a trusted authority like you can on macOS?

@lisanet Interesting, can you not add the self signed certificate as a trusted authority like you can on macOS?

I couldn't get it to work. I've tried using macOS certificate assistant to create a self signed root certificate with all needed extensions. Although the certificate looks okay in macOS keychain and can be trusted there, it couldn't be trusted as a root CA on iPadOS.

Awesome, will add this to the FAQ and guide then!

That is interesting indeed, from the previous comments I was under the impression that it was supposed to work and tested and so I spent several hours trying to make it work.

@nhooyr Definitely something that should be added to the FAQs then!

That is interesting indeed, from the previous comments I was under the impression that it was supposed to work and tested and so I spent several hours trying to make it work.

Reading my comment again, it might be somewhat misleading.

A single self signed root certificate with the extension (SAN and TLS server) to use as the server certificate couldn't be trusted in iPadOS as a root certificate.

Generating a root CA in macOS certificate assistant and then generating a server certificate (with the needed extensions) signed by this root CA certificate will work. The root CA cert can be trusted in iPadOS.

Added a link to @lisanet's comment in the FAQ: https://github.com/cdr/code-server/blob/629645f55530c532bec841114bfda92550636afb/doc/FAQ.md#blank-screen-on-ipad

1678

@lisanet I created a CA in Certificate Assistant on the Mac. I generated a CSR using OpenSSL including the SAN (changed below to xxxxx.local):

Requested Extensions:
X509v3 Subject Alternative Name:
DNS:xxxxxxx.local
X509v3 Key Usage:
Digital Signature, Key Encipherment, Data Encipherment
X509v3 Extended Key Usage:
TLS Web Server Authentication

The problem I seem to have is when I "Create a Certificate For Someone Else" in Certificate Assistant, it doesn't appear to honor the SAN entry in the generated certificate. Wondering if you saw this at all when you were working through this?

@LindsayWeir I didn't use a CSR.

I used in Certificate Assistant just the "Create a Certificate" menu item with an identity type of "Leaf" and "Certificate Type" of SSL-Server and checked the "let me override defaults" to get to the extended key usage options to fill in the DNS name.

Thanks Lisa, I was trying to use a CSR generated from OpenSSL. Let me try your way and see if that works.

@lisanet I was able to get the certificate signed and generated correctly. This is using .local for the signed certification. Were you seeing issues with copy/paste on the iPad after you got this all working? Any insights or workarounds? Thanks

nope, I couldn't get copy / paste to work.

I have tried all day to get copy/paste to work with no luck. This is super fuckin’ frustrating, can we just have an override option to allow forcing the session to be considered secure???

It’s out of our control, the browser controls the context and the APIs aren’t available in a non secure context.

https://github.com/cdr/code-server/issues/1362

@zkghost has reported success following this guide to setup a certificate without a CA

https://7402.org/blog/2019/new-self-signed-ssl-cert-ios-13.html

Tried this too but no luck. Now it stays blank for half of the times and the other half it gets to the editor and then disconnects after a few seconds.

And why are there no guides dedicated for iPadOS users like me?

There is. See https://github.com/cdr/code-server/blob/master/doc/guide.md

The lets encrypt option works well on iPad.

I think it's a good idea to collect all the iPad issues in a FAQ entry

https://github.com/cdr/code-server/issues/1816

@nhooyr and what about users who are on iPad and cannot expose the server (hence no LE)?

It would be great if the maintainers could either provide detailed instructions for this use case or finally state that this is not supported.

I for one, will for sure submit a PR with the instructions if I ever manage to make it work but so far I have followed all the procedures suggested by those who reported were able to make it run and were never able to make it run properly.

@dreamorosi if your server is not exposed to the internet, then what is your need for HTTPS? (just curious).

If anyone is interested in the specific steps for setting up certbot with auto-renewal on Ubuntu, I cover them here https://codetalk.io/posts/2020-03-20-Visual-Studio-Code-on-iPad.html#securing-the-setup-for-remote-access. Tested and works with iPad.

@Tehnix without HTTPS the clipboard is disabled by default, which makes the app whole IDE pretty unusable.

@dreamorosi Ah, I wasn't aware. That said, as far as I'm aware and according to https://github.com/cdr/code-server/issues/1015 the clipboard doesn't work at all on iPad.

It's a bit of an annoyance to be honest, I've currently resolved to using a VIM emulator (amVIM) to at least be able to yank and paste via that, since the plugin will manage the clipboard.

I for one, will for sure submit a PR with the instructions if I ever manage to make it work but so far I have followed all the procedures suggested by those who reported were able to make it run and were never able to make it run properly.

That's the problem. I can't verify any of these solutions yet either so we can't officially say whether it works or not.

My iPad Pro should be here tomorrow so I'll be able to fix this then.

Thanks for replying and fair enough. If you ever manage to make it work feel free to shout at me and let me know, in the meantime thanks a lot for the work you’ve put into this.

this is a rehash of the comment I left at Issue #1362 but since it's closed I post my comment here as well.

This is a walkthrough of the set-up that works for me on the local lan. The cert is created with the actual IP of the code-server hosting computer (a static IP).

sudo apt install nginx
sudo nano /etc/nginx/sites-available/code-server.conf

server {

listen 443 ssl;
server_name 192.168.x.xx; #use IP of the computer hosting code-server

location / {
  proxy_pass http://127.0.0.1:8080/;
  proxy_set_header Host $host;
  proxy_set_header Upgrade $http_upgrade;
  proxy_set_header Connection upgrade;
  access_log off;

ssl_certificate /etc/nginx/ssl/codeserver.crt;
ssl_certificate_key /etc/nginx/ssl/codeserver.key;

}

Save and close file.

sudo ln -s /etc/nginx/sites-available/code-server.conf /etc/nginx/sites-enabled/code-server.conf
sudo nginx -t #checks for errors
sudo systemctl start nginx

sudo mkdir /etc/nginx/ssl

cd ~/
cp /etc/ssl/openssl.cnf template.cnf
nano template.cnf

Find the section labelled v3_ca and add two lines:
subjectAltName = DNS:192.168.x.xx # replace 192.168.x.xx with IP of the computer hosting code-server
extendedKeyUsage = serverAuth

Find this comment and add the following line:
# Extension copying option: use with caution.
copy_extensions = copy

Save and close the template.cnf file.

sudo openssl req -x509 -nodes -days 825 -newkey rsa:2048 -config template.cnf -keyout /etc/nginx/ssl/codeserver.key -out /etc/nginx/ssl/codeserver.crt

answer this line as:
Common Name (e.g. server FQDN or YOUR name) []: 192.168.x.xx # replace 192.168.x.xx with IP of the computer hosting code-server

sudo systemctl reload nginx

On iPad
email (etc.) codeserver.crt
open attached codeserver.crt
go to Settings app --> General --> Profiles and install codeserver cert
go to Settings app --> General --> About --> Certificate Trust Settings --> enable full trust for codeserver cert

In Safari go to https://192.168.x.xx to access code-server.

*Note
code-server is started with --bind-addr 127.0.0.1:8080 or you can pass it via the below config file

~/.config/code-server/config.yaml has the following
bind-addr: 127.0.0.1:8080
auth: none
password: xxx
cert: false

Hope this helps anyone looking into this issue.

Thank you @xytzw for taking the time to write and post all this, unfortunately I was not able to reproduce what you are saying and make code-server work.

I tried a couple of times (always from scratch) to follow all the steps you suggest and unfortunately nothing works for me.
I have actually recorded my screen while doing the whole thing and I can post it here or elsewhere, if anyone is interested just let me know.

FYI, I self-signed a certificate on iOS 14 and seems working well, you have to enable full permissions to the certificate, but other that works as expected.

FYI, I self-signed a certificate on iOS 14 and seems working well, you have to enable full permissions to the certificate, but other that works as expected.

Do you have a guide for this @DAddYE ?

FYI, I self-signed a certificate on iOS 14 and seems working well, you have to enable full permissions to the certificate, but other that works as expected.

Do you have a guide for this @DAddYE ?

Yes, I followed this: https://7402.org/blog/2019/new-self-signed-ssl-cert-ios-13.html

Do not forget a few things:

1. From iPad don't use the local ip rather the local-name.local to reach your https server.
2. If out of network setup a tunnel with Blink (terminal for iPad) or similar apps, pay attention that only Blink has the ability to run in background and keep the tunnel open (see their docs for how to but you need to enable location tracking).
3. Once you install the certificate, don't forget to go to "Settings->General->Profiles" and enable full access to the new installed profile.
4. Add a home shortcut to enjoy a rather nice full screen experience:

I hope it helps!

@DAddYE so copy and paste works after everything? Thanks.

@snazzybunny you have to edit lib/vscode/src/vs/editor/browser/controller/textAreaHandler.ts, comment/remove line 186:

if (browser.isIPad) {                                                                                           
       // Do not place anything in the textarea for the iPad                                                   
       // return TextAreaState.EMPTY;                                                                          
}

No clue why they had such return TextAreaState.EMPTY in the first place.

NOTE: On the very very last iOS beta, I think there is a bug in the os, if you copy/paste within vscode works, but if you copy from an app to another, most of the time doesn't work (I think is the new privacy thing), however, a simple cmd+shift+v solve the trick.

Thanks @DAddYE. Is there any guide on how to do that? I'm assuming I need recompile it with the changes but I used the install script on a ubuntu vm. Works on my side with LetsEncrypt I didnt even need to import the CA certs to my ipad. My copy paste isnt working from within vscode but I'm guessing your fix would do it.

Thanks @DAddYE. Is there any guide on how to do that? I'm assuming I need recompile it with the changes but I used the install script on a ubuntu vm. Works on my side with LetsEncrypt I didnt even need to import the CA certs to my ipad. My copy paste isnt working from within vscode but I'm guessing your fix would do it.

They have good guides here: https://github.com/cdr/code-server/blob/v3.4.1/doc/CONTRIBUTING.md#build

The upstream vscode on July 3 pushed the fix posted above https://github.com/microsoft/vscode/commit/b3fba742c5846997eb7ef1f36a1860588eff681a, however, no idea when will land on here.

@snazzybunny you have to edit lib/vscode/src/vs/editor/browser/controller/textAreaHandler.ts, comment/remove line 186:

if (browser.isIPad) {                                                                                           
       // Do not place anything in the textarea for the iPad                                                   
       // return TextAreaState.EMPTY;                                                                          
}

No clue why they had such return TextAreaState.EMPTY in the first place.

NOTE: On the very very last iOS beta, I think there is a bug in the os, if you copy/paste within vscode works, but if you copy from an app to another, most of the time doesn't work (I think is the new privacy thing), however, a simple cmd+_shift_+v solve the trick.

The copy/paste bug disappeared in the latest beta.

@DAddYE thanks for pointing me in the right direction. Everything seems to be working fine now after the edit and update to latest beta!

@DAddYE I noticed that there is no paste button on Windows or Mac. It does however appear on the ipad. I suppose the code-server should strictly be for the ipad eh. Has anyone had the same issue where the paste button doesn't appear when you right click? Thanks.

Mmm works for me using cmd+c or cmd+v

Make sure you have the right keybidnings for your environment (mac) and
(ipad)

On Tue, Sep 1, 2020 at 5:54 PM Andrew Phan notifications@github.com wrote:

>
>

@DAddYE https://github.com/DAddYE I noticed that there is no paste
button on Windows or Mac. It does however appear on the ipad. I suppose the
code-server should strictly be for the ipad eh. Has anyone had the same
issue where the paste button doesn't appear when you right click? Thanks.

—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
https://github.com/cdr/code-server/issues/1566#issuecomment-685213622,
or unsubscribe
https://github.com/notifications/unsubscribe-auth/AAABTCJYM7TL2ATOQCNFJHLSDWJVVANCNFSM4MSQHNHQ
.

There is an easy way to fix most of the above issues without any custom CA hacks. Point your domain (or sub domain) at your internal ip (such as SSH tunnels, one of those BeyondCorp VPNs like Zerotier or Tailscale, or simply localhost). Then in Caddy activate DNS-01 challenge. This does not require Caddy to be actually reachable at the domain, it just has to call the API of your registrar using one of the modules such as https://github.com/caddy-dns/cloudflare. The DNS registrar can be thought as a key-value store, your browser would be able to resolve and access the internal ip but nobody else can.

FYI, I self-signed a certificate on iOS 14 and seems working well, you have to enable full permissions to the certificate, but other that works as expected.

Do you have a guide for this @DAddYE ?

Yes, I followed this: https://7402.org/blog/2019/new-self-signed-ssl-cert-ios-13.html

Do not forget a few things:

1. From iPad don't use the local ip rather the `local-name.local` to reach your https server.

2. If out of network setup a tunnel with `Blink` (terminal for iPad) or similar apps, pay attention that only Blink has the ability to run in background and keep the tunnel open (see their docs for how to but you need to enable location tracking).

3. Once you install the certificate, don't forget to go to "Settings->General->Profiles" and enable `full access` to the new installed profile.

4. Add a home shortcut to enjoy a rather nice full screen experience:

I hope it helps!

@DAddYE I ended up following your advice and the instructions you linked from 7402.org and this was working great for iOS 13, but now that I've updated my device to iOS 14 my certs no longer pass validation. Did you have any issues getting certs to pass on your iOS 14 devices?

• I already enabled full trust for the root cert from Settings > About > Certificate Trust Settings
• This was working in iOS 13.7 but not iOS 14

Please take a look at my openssl config:

[ ca ]
default_ca = CA_default

[ CA_default ]
default_md = sha256
default_days = 397
x509_extensions = usr_cert

[ req ]
default_bits        = 4096
default_md      = sha256
distinguished_name  = req_distinguished_name
attributes      = req_attributes
x509_extensions = v3_ca
copy_extensions = copy

[ usr_cert ]
basicConstraints=CA:TRUE

[ v3_req ]
basicConstraints = CA:TRUE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment

[ v3_ca ]
basicConstraints = CA:TRUE
subjectAltName = DNS:10.0.1.10
extendedKeyUsage = serverAuth

[ req_distinguished_name ]
countryName         = Country Name (2 letter code)
countryName_min         = 2
countryName_max         = 2
stateOrProvinceName     = State or Province Name (full name)
localityName            = Locality Name (eg, city)
0.organizationName      = Organization Name (eg, company)
organizationalUnitName      = Organizational Unit Name (eg, section)
commonName          = Common Name (eg, fully qualified host name)
commonName_max          = 64
emailAddress            = Email Address
emailAddress_max        = 64

[ req_attributes ]
challengePassword       = A challenge password
challengePassword_min       = 4
challengePassword_max       = 20

Hmm I did not need to add any CAs to my Ipad and everything is working fine except scrolling. Copy, cut and paste works as well. I have a reverse proxy nginx server with LetsEncrypt. Copied the certs from the nginx server to my code-server machine and added this to my config.yaml in ~/.config/code-server:

cert: /home/meow/.code-server-meta/cert.pem
cert-key: /home/meow/.code-server-meta/key.pem

You need to obviously change the cert and cert-key location to wherever your LetsEncrypt cert and key is located.

Anyone else here have issues with scrolling using a magic keyboard? I have to manually click on the scroll bar and drag in order to scroll. Alternatively you can press cmd+down, which mimics the page down button.

I updated by checking out the latest version and packaged it then installed the new .deb file and it updated from 3.4.1 to 3.5.0. All extensions and settings were preserved as theyre stored in ~/.local/share/code-server.

Hi,

sorry for the late reply. Works perfectly on my end, here my config:

#
# OpenSSL example configuration file.
# This is mostly being used for generation of certificate requests.
#

# Note that you can include other files from the main configuration
# file using the .include directive.
#.include filename

# This definition stops the following lines choking if HOME isn't
# defined.
HOME = .

# Extra OBJECT IDENTIFIER info:
#oid_file = $ENV::HOME/.oid
oid_section = new_oids

# To use this configuration file with the "-extfile" option of the
# "openssl x509" utility, name here the section containing the
# X.509v3 extensions to use:
# extensions =
# (Alternatively, use a configuration file that has only
# X.509v3 extensions in its main [= default] section.)

[ new_oids ]

# We can add new OIDs in here for use by 'ca', 'req' and 'ts'.
# Add a simple OID like this:
# testoid1=1.2.3.4
# Or use config file substitution like this:
# testoid2=${testoid1}.5.6

# Policies used by the TSA examples.
tsa_policy1 = 1.2.3.4.1
tsa_policy2 = 1.2.3.4.5.6
tsa_policy3 = 1.2.3.4.5.7

####################################################################
[ ca ]
default_ca = CA_default # The default ca section

####################################################################
[ CA_default ]

dir = ./demoCA # Where everything is kept
certs = $dir/certs # Where the issued certs are kept
crl_dir = $dir/crl # Where the issued crl are kept
database = $dir/index.txt # database index file.
#unique_subject = no # Set to 'no' to allow creation of
# several certs with same subject.
new_certs_dir = $dir/newcerts # default place for new certs.

certificate = $dir/cacert.pem # The CA certificate
serial = $dir/serial # The current serial number
crlnumber = $dir/crlnumber # the current crl number
# must be commented out to leave a V1 CRL
crl = $dir/crl.pem # The current CRL
private_key = $dir/private/cakey.pem# The private key

x509_extensions = usr_cert # The extensions to add to the cert

# Comment out the following two lines for the "traditional"
# (and highly broken) format.
name_opt = ca_default # Subject Name options
cert_opt = ca_default # Certificate field options

# Extension copying option: use with caution.
copy_extensions = copy

# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
# so this is commented out by default to leave a V1 CRL.
# crlnumber must also be commented out to leave a V1 CRL.
# crl_extensions = crl_ext

default_days = 365 # how long to certify for
default_crl_days= 30 # how long before next CRL
default_md = default # use public key default MD
preserve = no # keep passed DN ordering

# A few difference way of specifying how similar the request should look
# For type CA, the listed attributes must be the same, and the optional
# and supplied fields are just that :-)
policy = policy_match

# For the CA policy
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional

# For the 'anything' policy
# At this point in time, you must list all acceptable 'object'
# types.
[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional

####################################################################
[ req ]
default_bits = 2048
default_keyfile = privkey.pem
distinguished_name = req_distinguished_name
attributes = req_attributes
x509_extensions = v3_ca # The extensions to add to the self signed cert

# Passwords for private keys if not present they will be prompted for
# input_password = secret
# output_password = secret

# This sets a mask for permitted string types. There are several options.
# default: PrintableString, T61String, BMPString.
# pkix : PrintableString, BMPString (PKIX recommendation before 2004)
# utf8only: only UTF8Strings (PKIX recommendation after 2004).
# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
# MASK:XXXX a literal mask value.
# WARNING: ancient versions of Netscape crash on BMPStrings or UTF8Strings.
string_mask = utf8only

# req_extensions = v3_req # The extensions to add to a certificate request

[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = AU
countryName_min = 2
countryName_max = 2

stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = Some-State

localityName = Locality Name (eg, city)

0.organizationName = Organization Name (eg, company)
0.organizationName_default = Internet Widgits Pty Ltd

# we can do this but it is not needed normally :-)
#1.organizationName = Second Organization Name (eg, company)
#1.organizationName_default = World Wide Web Pty Ltd

organizationalUnitName = Organizational Unit Name (eg, section)
#organizationalUnitName_default =

commonName = Common Name (e.g. server FQDN or YOUR name)
commonName_max = 64

emailAddress = Email Address
emailAddress_max = 64

# SET-ex3 = SET extension number 3

[ req_attributes ]
challengePassword = A challenge password
challengePassword_min = 4
challengePassword_max = 20

unstructuredName = An optional company name

[ usr_cert ]

# These extensions are added when 'ca' signs a request.

# This goes against PKIX guidelines but some CAs do it and some software
# requires this to avoid interpreting an end user certificate as a CA.

basicConstraints=CA:FALSE

# Here are some examples of the usage of nsCertType. If it is omitted
# the certificate can be used for anything *except* object signing.

# This is OK for an SSL server.
# nsCertType = server

# For an object signing certificate this would be used.
# nsCertType = objsign

# For normal client use this is typical
# nsCertType = client, email

# and for everything including object signing:
# nsCertType = client, email, objsign

# This is typical in keyUsage for a client certificate.
# keyUsage = nonRepudiation, digitalSignature, keyEncipherment

# This will be displayed in Netscape's comment listbox.
nsComment = "OpenSSL Generated Certificate"

# PKIX recommendations harmless if included in all certificates.
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer

# This stuff is for subjectAltName and issuerAltname.
# Import the email address.
# subjectAltName=email:copy
# An alternative to produce certificates that aren't
# deprecated according to PKIX.
# subjectAltName=email:move

# Copy subject details
# issuerAltName=issuer:copy

#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem
#nsBaseUrl
#nsRevocationUrl
#nsRenewalUrl
#nsCaPolicyUrl
#nsSslServerName

# This is required for TSA certificates.
# extendedKeyUsage = critical,timeStamping

[ v3_req ]

# Extensions to add to a certificate request

basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment

[ v3_ca ]


# Extensions for a typical CA


# PKIX recommendation.

subjectKeyIdentifier=hash

authorityKeyIdentifier=keyid:always,issuer

basicConstraints = critical,CA:true

# Key usage: this is typical for a CA certificate. However since it will
# prevent it being used as an test self-signed certificate it is best
# left out by default.
# keyUsage = cRLSign, keyCertSign

# Some might want this also
# nsCertType = sslCA, emailCA

# Include email address in subject alt name: another PKIX recommendation
# subjectAltName=email:copy
subjectAltName = DNS:daddye.local
extendedKeyUsage = serverAuth
# Copy issuer details
# issuerAltName=issuer:copy

# DER hex encoding of an extension: beware experts only!
# obj=DER:02:03
# Where 'obj' is a standard or added object
# You can even override a supported extension:
# basicConstraints= critical, DER:30:03:01:01:FF

[ crl_ext ]

# CRL extensions.
# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.

# issuerAltName=issuer:copy
authorityKeyIdentifier=keyid:always

[ proxy_cert_ext ]
# These extensions should be added when creating a proxy certificate

# This goes against PKIX guidelines but some CAs do it and some software
# requires this to avoid interpreting an end user certificate as a CA.

basicConstraints=CA:FALSE

# Here are some examples of the usage of nsCertType. If it is omitted
# the certificate can be used for anything *except* object signing.

# This is OK for an SSL server.
# nsCertType = server

# For an object signing certificate this would be used.
# nsCertType = objsign

# For normal client use this is typical
# nsCertType = client, email

# and for everything including object signing:
# nsCertType = client, email, objsign

# This is typical in keyUsage for a client certificate.
# keyUsage = nonRepudiation, digitalSignature, keyEncipherment

# This will be displayed in Netscape's comment listbox.
nsComment = "OpenSSL Generated Certificate"

# PKIX recommendations harmless if included in all certificates.
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer

# This stuff is for subjectAltName and issuerAltname.
# Import the email address.
# subjectAltName=email:copy
# An alternative to produce certificates that aren't
# deprecated according to PKIX.
# subjectAltName=email:move

# Copy subject details
# issuerAltName=issuer:copy

#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem
#nsBaseUrl
#nsRevocationUrl
#nsRenewalUrl
#nsCaPolicyUrl
#nsSslServerName

# This really needs to be in place for it to be a proxy certificate.
proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo

####################################################################
[ tsa ]

default_tsa = tsa_config1 # the default TSA section

[ tsa_config1 ]

# These are used by the TSA reply generation only.
dir = ./demoCA # TSA root directory
serial = $dir/tsaserial # The current serial number (mandatory)
crypto_device = builtin # OpenSSL engine to use for signing
signer_cert = $dir/tsacert.pem # The TSA signing certificate
# (optional)
certs = $dir/cacert.pem # Certificate chain to include in reply
# (optional)
signer_key = $dir/private/tsakey.pem # The TSA private key (optional)
signer_digest = sha256 # Signing digest to use. (Optional)
default_policy = tsa_policy1 # Policy if request did not specify it
# (optional)
other_policies = tsa_policy2, tsa_policy3 # acceptable policies (optional)
digests = sha1, sha256, sha384, sha512 # Acceptable message digests
(mandatory)
accuracy = secs:1, millisecs:500, microsecs:100 # (optional)
clock_precision_digits = 0 # number of digits after dot. (optional)
ordering = yes # Is ordering defined for timestamps?
# (optional, default: no)
tsa_name = yes # Must the TSA name be included in the reply?
# (optional, default: no)
ess_cert_id_chain = no # Must the ESS cert id chain be included?
# (optional, default: no)
ess_cert_id_alg = sha1 # algorithm to compute certificate
# identifier (optional, default: sha1)

The second thing I would check is that your code serves correctly bind your
local address, because one of the recent upgrades in vscode broke it, so I
had to instead to use the local domain, to pass the local IP:

➜ co ~/.config/code-server/config.yaml

bind-addr: 192.168.140.5:8080
auth: none
password: 0f0e1a797b62c3236d0d2888
cert: /Users/daddye/work/daddye.crt
cert-key: /Users/daddye/work/daddye.key

On Fri, Sep 18, 2020 at 3:30 PM Doug Sheridan notifications@github.com
wrote:

FYI, I self-signed a certificate on iOS 14 and seems working well, you
have to enable full permissions to the certificate, but other that works as
expected.

Do you have a guide for this @DAddYE https://github.com/DAddYE ?

Yes, I followed this:
https://7402.org/blog/2019/new-self-signed-ssl-cert-ios-13.html

Do not forget a few things:

1. From iPad don't use the local ip rather the local-name.local to reach your https server.

2. If out of network setup a tunnel with Blink (terminal for iPad) or similar apps, pay attention that only Blink has the ability to run in background and keep the tunnel open (see their docs for how to but you need to enable location tracking).

3. Once you install the certificate, don't forget to go to "Settings->General->Profiles" and enable full access to the new installed profile.

4. Add a home shortcut to enjoy a rather nice full screen experience:

[image: PNG image]
https://user-images.githubusercontent.com/6537/88426313-d0869400-cda5-11ea-9144-7b9882a3f089.png

I hope it helps!

@DAddYE https://github.com/DAddYE I ended up following your advice and
the instructions you linked from 7402.org and this was working great for
iOS 13, but now that I've updated my device to iOS 14 my certs no longer
pass validation. Did you have any issues getting certs to pass on your iOS
14 devices?

• I already enabled full trust for the root cert from Settings > About
  > Certificate Trust Settings
• This was working in iOS 13.7 but not iOS 14

Please take a look at my openssl config:

[ ca ]
default_ca = CA_default

[ CA_default ]
default_md = sha256
default_days = 397
x509_extensions = usr_cert

[ req ]
default_bits = 4096
default_md = sha256
distinguished_name = req_distinguished_name
attributes = req_attributes
x509_extensions = v3_ca
copy_extensions = copy

[ usr_cert ]
basicConstraints=CA:TRUE

[ v3_req ]
basicConstraints = CA:TRUE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment

[ v3_ca ]
basicConstraints = CA:TRUE
subjectAltName = DNS:10.0.1.10
extendedKeyUsage = serverAuth

[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_min = 2
countryName_max = 2
stateOrProvinceName = State or Province Name (full name)
localityName = Locality Name (eg, city)
0.organizationName = Organization Name (eg, company)
organizationalUnitName = Organizational Unit Name (eg, section)
commonName = Common Name (eg, fully qualified host name)
commonName_max = 64
emailAddress = Email Address
emailAddress_max = 64

[ req_attributes ]
challengePassword = A challenge password
challengePassword_min = 4
challengePassword_max = 20

—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
https://github.com/cdr/code-server/issues/1566#issuecomment-695113844,
or unsubscribe
https://github.com/notifications/unsubscribe-auth/AAABTCM65UILKNG4MONOJYTSGPNQBANCNFSM4MSQHNHQ
.

We’re making it easier to access your code-server instance securely from any device. We’ve eliminated the need for configuring TLS, domain registration, DNS, DoS protection, and authentication. To gain pre-release access, please consider joining our alpha program.

cc @DAddYE @mbreese @Tehnix @lisanet @dsherida @dreamorosi

This has been done and will be in the next release!

See https://github.com/cdr/code-server/blob/master/doc/ipad.md#how-to-access-code-server-with-a-self-signed-certificate-on-ipad