src/node/util.ts: Make certificate generation "modern"

Now we add a subject alt name, set extendedKeyUsage and use the correct certificate extension. The above allow it to be properly trusted by iOS. See https://support.apple.com/en-us/HT210176 *.cert isn't a real extension for certificates, *.crt is correct for it to be recognized by e.g. keychain or when importing as a profile into iOS. Updates #1566 I've been able to successfully connect from my iPad Pro now to my code-server instance with a self signed certificate! Next commit will be docs.
2020-10-30 04:35:08 -04:00 · 2020-10-30 04:35:08 -04:00 · 8b85006996
commit 8b85006996
parent 10b3028196
2 changed files with 21 additions and 5 deletions
--- a/doc/FAQ.md
+++ b/doc/FAQ.md
@ -145,7 +145,7 @@ pass in an existing certificate by providing the path to `--cert` and the path t
 the key with `--cert-key`.

 The self signed certificate will be generated into
-`~/.local/share/code-server/self-signed.cert`.
+`~/.local/share/code-server/self-signed.crt`.

 If `code-server` has been passed a certificate it will also respond to HTTPS
 requests and will redirect all HTTP requests to HTTPS.
--- a/src/node/util.ts
+++ b/src/node/util.ts
@ -55,7 +55,7 @@ export function humanPath(p?: string): string {
 }

 export const generateCertificate = async (): Promise<{ cert: string; certKey: string }> => {
-  const certPath = path.join(paths.data, "self-signed.cert")
+  const certPath = path.join(paths.data, "self-signed.crt")
  const certKeyPath = path.join(paths.data, "self-signed.key")

  const checks = await Promise.all([fs.pathExists(certPath), fs.pathExists(certKeyPath)])
@ -64,9 +64,25 @@ export const generateCertificate = async (): Promise<{ cert: string; certKey: st
    // generate certificates.
    const pem = require("pem") as typeof import("pem")
    const certs = await new Promise<import("pem").CertificateCreationResult>((resolve, reject): void => {
-      pem.createCertificate({ selfSigned: true }, (error, result) => {
-        return error ? reject(error) : resolve(result)
-      })
+      pem.createCertificate(
+        {
+          selfSigned: true,
+          config: `
+[req]
+req_extensions = v3_req
+
+[ v3_req ]
+extendedKeyUsage = serverAuth
+subjectAltName = @alt_names
+
+[alt_names]
+DNS.1 = localhost
+`,
+        },
+        (error, result) => {
+          return error ? reject(error) : resolve(result)
+        },
+      )
    })
    await fs.mkdirp(paths.data)
    await Promise.all([fs.writeFile(certPath, certs.certificate), fs.writeFile(certKeyPath, certs.serviceKey)])