[Bug]: --cert does not work on Windows #6022

Closed
4 tasks done
sun-rs opened this issue Feb 15, 2023 · 13 comments
Labels: bug (Something isn't working), os-windows (Windows related), triage (This issue needs to be triaged by a maintainer)

Comments


sun-rs commented Feb 15, 2023

Is there an existing issue for this?

  • I have searched the existing issues

OS/Web Information

  • Web Browser: Edge
  • Local OS: Win11
  • Remote OS: Android
  • Remote Architecture:
  • code-server --version: 4.9.1

Steps to Reproduce

  1. Run code-server --port 8090 --host 0.0.0.0: works well, only Jupyter notebook does not work. So try HTTPS.
  2. Run code-server --port 8090 --host 0.0.0.0 --cert ../san_domain_com.crt --cert-key ../san_domain_com.key
  3. Open the HTTPS URL in the browser.

Expected

Enter the password and then show vscode gui

Actual

The page is blank and PowerShell shows some errors.

Logs

[2023-02-15T08:06:43.351Z] info  code-server 4.9.1 f7989a4dfcf21085e52157a01924d79d708bcc05
[2023-02-15T08:06:43.352Z] info  Using user-data-dir ~\AppData\Local\code-server\Data
[2023-02-15T08:06:43.372Z] info  Using config file ~\AppData\Roaming\code-server\Config\config.yaml
[2023-02-15T08:06:43.372Z] info  HTTPS server listening on https://0.0.0.0:8080/
[2023-02-15T08:06:43.372Z] info    - Authentication is enabled
[2023-02-15T08:06:43.372Z] info      - Using password from ~\AppData\Roaming\code-server\Config\config.yaml
[2023-02-15T08:06:43.372Z] info    - Using certificate for HTTPS: D:\SUN\web\san_domain_com.crt
[16:07:03]




[16:07:03] Extension host agent started.
[2023-02-15T08:07:04.413Z] error child:91736 Uncaught exception: listen EACCES: permission denied C:\Users\cceva\AppData\Local\Temp\code-server\tls-proxy
[2023-02-15T08:07:04.413Z] error child:91736 Error: listen EACCES: permission denied C:\Users\cceva\AppData\Local\Temp\code-server\tls-proxy
    at Server.setupListenHandle [as _listen2] (node:net:1446:21)
    at listenInCluster (node:net:1511:12)
    at Server.listen (node:net:1610:5)
    at C:\Users\cceva\AppData\Roaming\nvm\v16.19.0\node_modules\code-server\out\node\socket.js:114:37
    at new Promise (<anonymous>)
    at C:\Users\cceva\AppData\Roaming\nvm\v16.19.0\node_modules\code-server\out\node\socket.js:111:28
[16:07:04] Error: listen EACCES: permission denied C:\Users\cceva\AppData\Local\Temp\code-server\tls-proxy
    at Server.setupListenHandle [as _listen2] (node:net:1446:21)
    at listenInCluster (node:net:1511:12)
    at Server.listen (node:net:1610:5)
    at C:\Users\cceva\AppData\Roaming\nvm\v16.19.0\node_modules\code-server\out\node\socket.js:114:37
    at new Promise (<anonymous>)
    at C:\Users\cceva\AppData\Roaming\nvm\v16.19.0\node_modules\code-server\out\node\socket.js:111:28 {
  code: 'EACCES',
  errno: -4092,
  syscall: 'listen',
  address: 'C:\\Users\\cceva\\AppData\\Local\\Temp\\code-server\\tls-proxy',
  port: -1
}

Screenshot/Video

No response

Does this issue happen in VS Code or GitHub Codespaces?

  • I cannot reproduce this in VS Code.
  • I cannot reproduce this in GitHub Codespaces.

Are you accessing code-server over HTTPS?

  • I am using HTTPS.

Notes

No response

sun-rs added the bug and triage labels Feb 15, 2023
sun-rs changed the title from "[Bug]:" to "[Bug]: use --cert for https and got empty web page with Error: listen EACCES: permission denied" Feb 15, 2023

bala commented Feb 15, 2023

@longilacus could you please try to run code-server on a powershell with admin privilege?

sun-rs (Author) commented Feb 15, 2023

@longilacus could you please try to run code-server on a powershell with admin privilege?

I have tried PowerShell with admin privilege, but still got the blank page. Running code-server --port 8080 --host 0.0.0.0 directly works well; only Jupyter does not work.

PS D:\sun\web>  code-server --port 8080 --host 0.0.0.0 --cert san_domain_com.crt --cert-key san_domain_com.key
[2023-02-15T14:47:48.108Z] info  code-server 4.9.1 f7989a4dfcf21085e52157a01924d79d708bcc05
[2023-02-15T14:47:48.109Z] info  Using user-data-dir ~\AppData\Local\code-server\Data
[2023-02-15T14:47:48.128Z] info  Using config file ~\AppData\Roaming\code-server\Config\config.yaml
[2023-02-15T14:47:48.128Z] info  HTTPS server listening on https://0.0.0.0:8080/
[2023-02-15T14:47:48.128Z] info    - Authentication is enabled
[2023-02-15T14:47:48.128Z] info      - Using password from ~\AppData\Roaming\code-server\Config\config.yaml
[2023-02-15T14:47:48.128Z] info    - Using certificate for HTTPS: D:\sun\web\san_domain_com.crt
[22:47:48]




[22:47:48] Extension host agent started.
[2023-02-15T14:47:48.417Z] error child:95828 Uncaught exception: listen EACCES: permission denied C:\Users\cceva\AppData\Local\Temp\code-server\tls-proxy
[2023-02-15T14:47:48.417Z] error child:95828 Error: listen EACCES: permission denied C:\Users\cceva\AppData\Local\Temp\code-server\tls-proxy
    at Server.setupListenHandle [as _listen2] (node:net:1446:21)
    at listenInCluster (node:net:1511:12)
    at Server.listen (node:net:1610:5)
    at C:\Users\cceva\AppData\Roaming\nvm\v16.19.0\node_modules\code-server\out\node\socket.js:114:37
    at new Promise (<anonymous>)
    at C:\Users\cceva\AppData\Roaming\nvm\v16.19.0\node_modules\code-server\out\node\socket.js:111:28
[22:47:48] Error: listen EACCES: permission denied C:\Users\cceva\AppData\Local\Temp\code-server\tls-proxy
    at Server.setupListenHandle [as _listen2] (node:net:1446:21)
    at listenInCluster (node:net:1511:12)
    at Server.listen (node:net:1610:5)
    at C:\Users\cceva\AppData\Roaming\nvm\v16.19.0\node_modules\code-server\out\node\socket.js:114:37
    at new Promise (<anonymous>)
    at C:\Users\cceva\AppData\Roaming\nvm\v16.19.0\node_modules\code-server\out\node\socket.js:111:28 {
  code: 'EACCES',
  errno: -4092,
  syscall: 'listen',
  address: 'C:\\Users\\cceva\\AppData\\Local\\Temp\\code-server\\tls-proxy',
  port: -1
}


bala commented Feb 15, 2023

@longilacus please paste output of below command from your cmd prompt in admin mode - netsh interface ipv4 show excludedportrange protocol=tcp

Also, could you please try to change the port from 8080 to something random (maybe 32654) while using the certificate?

sun-rs (Author) commented Feb 15, 2023

@longilacus please paste output of below command from your cmd prompt in admin mode - netsh interface ipv4 show excludedportrange protocol=tcp

Also, could you please try to change the port from 8080 to something random (maybe 32654) while using the certificate?

开始端口    结束端口
----------    --------
      5357        5357
      5426        5426
     50000       50059     *
     54235       54235
     54236       54236

I tried other ports like 8111, 27089, 32654. Still got Error: listen EACCES: permission denied


bala commented Feb 15, 2023

listen EACCES: permission denied C:\Users\cceva\AppData\Local\Temp\code-server\tls-proxy

Just to begin the debugging, do you have any VPN clients installed?

sun-rs (Author) commented Feb 16, 2023

listen EACCES: permission denied C:\Users\cceva\AppData\Local\Temp\code-server\tls-proxy

Just to begin the debugging, do you have any VPN clients installed?

Yes, I have a Clash VPN installed. I just tested, and whether the VPN is running or exited makes no difference.

Because of permission denied C:\Users\cceva\AppData\Local\Temp\code-server\tls-proxy, I checked C:\Users\cceva\AppData\Local\Temp\code-server, and it's an empty folder.

When using --cert and --cert-key to start code-server, the password input shows, but after clicking the submit button, it becomes a blank page.

code-asher (Member) commented Feb 16, 2023 via email

code-asher (Member) commented Feb 16, 2023 via email

code-asher (Member) commented

Ah but since this happens even with admin I think it is possible this code needs to be reworked to work on Windows. I think you have to use named pipes instead of Unix sockets and they have to start with \\.\pipe\ or something.
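
As an added example (not part of the thread and not code-server's code), the code below shows why the logged error points at the path-based IPC listener rather than the TCP port, and what a listen path that Node.js accepts on Windows looks like. The helper names and the pipe name `code-server-tls-proxy` are hypothetical; the error fields are copied from the log above.

```javascript
// Added example; not code-server's implementation. Helper names are hypothetical.
const os = require("node:os");
const path = require("node:path");

// Node backs path listeners with named pipes on Windows, so the path passed to
// net.Server.listen() must sit under \\.\pipe\ or \\?\pipe\.
const WINDOWS_PIPE_PREFIX = /^\\\\[.?]\\pipe\\./;

// Build an address suitable for net.Server.listen(path) on the given platform.
function ipcListenPath(name, platform = process.platform, baseDir = os.tmpdir()) {
  if (platform === "win32") return "\\\\.\\pipe\\" + name; // pipes need no directory
  return path.posix.join(baseDir, name + ".sock");
}

// Classify a failed listen() from the fields Node attaches to the error.
function diagnoseListenError(err, platform = process.platform) {
  if (err.syscall !== "listen" || err.code !== "EACCES") return "other";
  // A TCP listener reports the real port number; a path listener reports -1
  // and puts the path in `address`.
  if (err.port >= 0) return "tcp-port-denied";
  if (platform === "win32" && !WINDOWS_PIPE_PREFIX.test(err.address)) {
    return "ipc-path-not-named-pipe";
  }
  return "ipc-path-permission";
}

// Error fields copied from the log in this issue.
const reportedError = {
  code: "EACCES",
  errno: -4092,
  syscall: "listen",
  address: "C:\\Users\\cceva\\AppData\\Local\\Temp\\code-server\\tls-proxy",
  port: -1,
};

function demo() {
  return {
    diagnosis: diagnoseListenError(reportedError, "win32"),
    suggested: ipcListenPath("code-server-tls-proxy", "win32"),
  };
}

console.log(demo());
```

Because `port` is -1, changing `--port` or checking excluded TCP port ranges cannot affect this error; only the listen path matters.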


wg96 commented Apr 14, 2023

If possible I would recommend using something else to handle TLS termination like a reverse proxy such as Caddy, NGINX, etc.

I met the same TLS permission problem on Windows, both as admin and as a general user. I followed your advice and used NGINX. Then code-server works well and there are no permission problems.

code-asher added the os-windows label Apr 14, 2023
code-asher changed the title from "[Bug]: use --cert for https and got empty web page with Error: listen EACCES: permission denied" to "[Bug]: --cert does not work on Windows" Apr 14, 2023

Juesto commented Dec 6, 2023

Ah but since this happens even with admin I think it is possible this code needs to be reworked to work on Windows. I think you have to use named pipes instead of Unix sockets and they have to start with \\.\pipe\ or something.

Yes and no, there's partial support for Unix sockets since Windows 10 1803.
As per #6569, apparently the IPC socket creation is now failing.

lprhodes commented

Just came across this myself, I'd been trying to avoid WSL but I guess that's the next step. A note about this could be useful in the docs.

code-asher (Member) commented

Merging this into the Windows support issue: #1397

code-asher closed this as not planned Jul 12, 2024