Added support for automatically refreshing TLS client certificates when they fail

- New coder.tlsCertRefreshCommand setting to configure a refresh command (e.g., metatron refresh)
- Detects 7 SSL/TLS client certificate alert codes: expired, revoked, bad certificate, unknown, unsupported, unknown CA, and access denied
- Classifies errors as "refreshable" (expired, revoked, bad, unknown) vs "non-refreshable" (unsupported, unknown CA, access denied)
- Automatically executes refresh command and retries failed HTTP requests and WebSocket connections
- Shows user-friendly notifications with appropriate guidance based on error type
- Split CertificateError into ServerCertificateError (server cert issues) and ClientCertificateError (client cert issues)
- Added execCommand utility for shared command execution with proper logging

Author: EhabY

package.json

@@ -92,6 +92,11 @@
 					"type": "string",
 					"default": ""
 				},
+				"coder.tlsCertRefreshCommand": {
+					"markdownDescription": "Command to run when TLS client certificates expire (e.g., `metatron refresh`). If configured, the extension will automatically execute this command and retry failed requests. `http.proxySupport` must be set to `on` or `off`, otherwise VS Code will override the proxy agent set by the plugin.",
+					"type": "string",
+					"default": ""
+				},
 				"coder.proxyLogDirectory": {
 					"markdownDescription": "If set, the Coder CLI will output extra SSH information into this directory, which can be helpful for debugging connectivity issues.",
 					"type": "string",

src/api/certificateRefresh.ts

@@ -0,0 +1,30 @@
+import * as vscode from "vscode";
+
+import { execCommand } from "../command/exec";
+import { type Logger } from "../logging/logger";
+
+/**
+ * Returns the configured certificate refresh command, or undefined if not set.
+ */
+export function getRefreshCommand(): string | undefined {
+	return (
+		vscode.workspace
+			.getConfiguration()
+			.get<string>("coder.tlsCertRefreshCommand")
+			?.trim() || undefined
+	);
+}
+
+/**
+ * Executes the certificate refresh command.
+ * Returns true if successful, false otherwise.
+ */
+export async function refreshCertificates(
+	command: string,
+	logger: Logger,
+): Promise<boolean> {
+	const result = await execCommand(command, logger, {
+		title: "Certificate refresh",
+	});
+	return result.success;
+}

src/api/coderApi.ts

@@ -17,8 +17,9 @@ import * as vscode from "vscode";
 import { type ClientOptions } from "ws";
 
 import { watchConfigurationChanges } from "../configWatcher";
-import { CertificateError } from "../error/certificateError";
+import { ClientCertificateError } from "../error/clientCertificateError";
 import { toError } from "../error/errorUtils";
+import { ServerCertificateError } from "../error/serverCertificateError";
 import { getHeaderCommand, getHeaders } from "../headers";
 import { EventStreamLogger } from "../logging/eventStreamLogger";
 import {
@@ -49,6 +50,7 @@ import {
 } from "../websocket/reconnectingWebSocket";
 import { SseConnection } from "../websocket/sseConnection";
 
+import { getRefreshCommand, refreshCertificates } from "./certificateRefresh";
 import { createHttpAgent } from "./utils";
 
 const coderSessionTokenHeader = "Coder-Session-Token";
@@ -440,7 +442,15 @@ export class CoderApi extends Api implements vscode.Disposable {
 		const reconnectingSocket = await ReconnectingWebSocket.create<TData>(
 			socketFactory,
 			this.output,
-			undefined,
+			{
+				onCertificateExpired: async () => {
+					const refreshCommand = getRefreshCommand();
+					if (!refreshCommand) {
+						return false;
+					}
+					return refreshCertificates(refreshCommand, this.output);
+				},
+			},
 			() => this.reconnectingSockets.delete(reconnectingSocket),
 		);
 
@@ -479,16 +489,53 @@ function setupInterceptors(client: CoderApi, output: Logger): void {
 		return config;
 	});
 
-	// Wrap certificate errors.
+	// Wrap certificate errors and handle client certificate errors with refresh.
 	client.getAxiosInstance().interceptors.response.use(
 		(r) => r,
-		async (err) => {
+		async (err: unknown) => {
+			const refreshCommand = getRefreshCommand();
+			const certError = ClientCertificateError.fromError(err);
+			if (certError) {
+				if (certError.isRefreshable && refreshCommand) {
+					const config = (
+						err as {
+							config?: RequestConfigWithMeta & {
+								_certRetried?: boolean;
+							};
+						}
+					).config;
+
+					if (config && !config._certRetried) {
+						config._certRetried = true;
+
+						output.info(
+							`Client certificate error (alert ${certError.alertCode}), attempting refresh...`,
+						);
+						const success = await refreshCertificates(refreshCommand, output);
+						if (success) {
+							// Create new agent with refreshed certificates.
+							const agent = await createHttpAgent(
+								vscode.workspace.getConfiguration(),
+							);
+							config.httpsAgent = agent;
+							config.httpAgent = agent;
+
+							// Retry the request.
+							output.info("Retrying request with refreshed certificates...");
+							return client.getAxiosInstance().request(config);
+						}
+					}
+				}
+
+				throw certError;
+			}
+
+			// Handle other certificate errors.
 			const baseUrl = client.getAxiosInstance().defaults.baseURL;
 			if (baseUrl) {
-				throw await CertificateError.maybeWrap(err, baseUrl, output);
-			} else {
-				throw err;
+				throw await ServerCertificateError.maybeWrap(err, baseUrl, output);
 			}
+			throw err;
 		},
 	);
 }

src/command/exec.ts

@@ -0,0 +1,74 @@
+import * as cp from "node:child_process";
+import * as util from "node:util";
+
+import { type Logger } from "../logging/logger";
+
+interface ExecException {
+	code?: number;
+	stderr?: string;
+	stdout?: string;
+}
+
+function isExecException(err: unknown): err is ExecException {
+	return (err as ExecException).code !== undefined;
+}
+
+export interface ExecCommandOptions {
+	env?: NodeJS.ProcessEnv;
+	/** Title for logging (e.g., "Header command", "Certificate refresh"). */
+	title?: string;
+}
+
+export type ExecCommandResult =
+	| { success: true; stdout: string; stderr: string }
+	| { success: false; stdout?: string; stderr?: string; exitCode?: number };
+
+/**
+ * Execute a shell command and return result with success/failure.
+ * Handles errors gracefully and logs appropriately.
+ */
+export async function execCommand(
+	command: string,
+	logger: Logger,
+	options?: ExecCommandOptions,
+): Promise<ExecCommandResult> {
+	const title = options?.title ?? "Command";
+	logger.debug(`Executing ${title}: ${command}`);
+
+	try {
+		const result = await util.promisify(cp.exec)(command, {
+			env: options?.env,
+		});
+		logger.debug(`${title} completed successfully`);
+		if (result.stdout) {
+			logger.debug(`${title} stdout:`, result.stdout);
+		}
+		if (result.stderr) {
+			logger.debug(`${title} stderr:`, result.stderr);
+		}
+		return {
+			success: true,
+			stdout: result.stdout,
+			stderr: result.stderr,
+		};
+	} catch (error) {
+		if (isExecException(error)) {
+			logger.warn(`${title} failed with exit code ${error.code}`);
+			if (error.stdout) {
+				logger.warn(`${title} stdout:`, error.stdout);
+			}
+			if (error.stderr) {
+				logger.warn(`${title} stderr:`, error.stderr);
+			}
+			return {
+				success: false,
+				stdout: error.stdout,
+				stderr: error.stderr,
+				exitCode: error.code,
+			};
+		}
+
+		logger.warn(`${title} failed:`, error);
+		return { success: false };
+	}
+}