Skip to content

Add automatic TLS client certificate refresh support #732

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
EhabY wants to merge 4 commits into
base: main
Choose a base branch
from
Open

Add automatic TLS client certificate refresh support #732

EhabY wants to merge 4 commits into from

Conversation

@EhabY
Copy link
Collaborator

@EhabY EhabY commented Jan 16, 2026
edited
Loading

Summary

  • Add automatic refresh and retry for failed TLS client certificate connections
  • Detect and classify SSL/TLS client certificate errors (expired, revoked, bad certificate, etc.)
  • New coder.tlsCertRefreshCommand setting to configure a refresh command (e.g., metatron refresh)
  • Consistently handle websocket errors across HTTP and WebSocket connections

Changes

Certificate Error Handling

  • Split CertificateError into ServerCertificateError (server cert issues) and ClientCertificateError (client cert
    issues)
  • Detect 7 SSL/TLS client certificate alert codes: expired, revoked, bad certificate, unknown, unsupported, unknown CA,
    and access denied. Also classify errors as "refreshable" (expired, revoked, bad, unknown) vs "non-refreshable" (unsupported, unknown CA, access denied)

Automatic Refresh & Retry

  • Automatically execute configured refresh command when refreshable certificate errors occur
  • Retry failed HTTP requests and WebSocket connections after refresh
  • Show user-friendly notifications with appropriate guidance based on error type

Code Quality

  • Add execCommand utility for shared command execution with proper logging
  • Improve websocket error handling consistency between HTTP and WebSocket paths

Fixed #714

@EhabY EhabY self-assigned this Jan 19, 2026
@EhabY EhabY force-pushed the automatic-mtls-refresh branch 3 times, most recently from e6ef17f to 871a6e4 Compare January 19, 2026 16:47
@EhabY EhabY changed the title Add automatic TLS client certificate refresh Add automatic TLS client certificate refresh support Jan 20, 2026
@EhabY EhabY force-pushed the automatic-mtls-refresh branch from 871a6e4 to bc732ea Compare January 20, 2026 09:43
johnstcn
johnstcn reviewed Jan 20, 2026
View reviewed changes
src/websocket/reconnectingWebSocket.ts Outdated
*/
private async attemptCertificateRefresh(): Promise<boolean> {
if (!this.#options.onCertificateExpired) {
return false;
Copy link
Member

@johnstcn johnstcn Jan 20, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

suggestion: How about we log that the cert is expired and there's nothing we can do about it because we haven't been told how to refresh the client cert?

Copy link
Collaborator Author

@EhabY EhabY Jan 20, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We actually always pass a handler in production so I'll just make it required (we can pass () => false if need be)

CHANGELOG.md
### Fixed

- Fixed `SetEnv` SSH config parsing and accumulation with user-defined values.
- Improved WebSocket error handling for more consistent behavior across connection failures.
Copy link
Member

@johnstcn johnstcn Jan 20, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nit: other PR?

Copy link
Collaborator Author

@EhabY EhabY Jan 20, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

As mentioned in #732 (comment), this was always in issue but I only noticed it now when catching cert errors

EhabY added 4 commits January 20, 2026 17:48
@EhabY
Added support for automatically refreshing TLS client certificates wh…
2e9ea6e 
…en they fail

- New coder.tlsCertRefreshCommand setting to configure a refresh command (e.g., metatron refresh)
- Detects 7 SSL/TLS client certificate alert codes: expired, revoked, bad certificate, unknown, unsupported, unknown CA, and access denied
- Classifies errors as "refreshable" (expired, revoked, bad, unknown) vs "non-refreshable" (unsupported, unknown CA, access denied)
- Automatically executes refresh command and retries failed HTTP requests and WebSocket connections
- Shows user-friendly notifications with appropriate guidance based on error type
- Split CertificateError into ServerCertificateError (server cert issues) and ClientCertificateError (client cert issues)
- Added execCommand utility for shared command execution with proper logging
@EhabY
Consistently handle websocket errors
1d0ed23
@EhabY
Add changelog entry
bdfe1e3
@EhabY
Review comments uno
46800c3
@EhabY EhabY force-pushed the automatic-mtls-refresh branch from 0f9c982 to 46800c3 Compare January 20, 2026 14:48
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@johnstcn johnstcn johnstcn left review comments

At least 1 approving review is required to merge this pull request.

Assignees

@EhabY EhabY

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Add certificate refresh command support for expired client certificates

2 participants

@EhabY @johnstcn