Add automatic TLS client certificate refresh

Add new setting `coder.tlsCertRefreshCommand` that specifies a command
to run when TLS client certificates expire (e.g., `metatron refresh`).
When configured, the extension automatically executes the command and
retries failed requests.

- Detect certificate expiration errors (SSLV3_ALERT_CERTIFICATE_EXPIRED)
- Retry HTTP requests with refreshed certificates on expiration
- Handle WebSocket certificate expiration with refresh and reconnect
- Split CertificateError into ServerCertificateError and ClientCertificateError
- Extract shared command execution logic into execCommand utility

Author: EhabY

package.json

@@ -92,6 +92,11 @@
 					"type": "string",
 					"default": ""
 				},
+				"coder.tlsCertRefreshCommand": {
+					"markdownDescription": "Command to run when TLS client certificates expire (e.g., `metatron refresh`). If configured, the extension will automatically execute this command and retry failed requests. `http.proxySupport` must be set to `on` or `off`, otherwise VS Code will override the proxy agent set by the plugin.",
+					"type": "string",
+					"default": ""
+				},
 				"coder.proxyLogDirectory": {
 					"markdownDescription": "If set, the Coder CLI will output extra SSH information into this directory, which can be helpful for debugging connectivity issues.",
 					"type": "string",

src/api/certificateRefresh.ts

@@ -0,0 +1,30 @@
+import * as vscode from "vscode";
+
+import { execCommand } from "../command/exec";
+import { type Logger } from "../logging/logger";
+
+/**
+ * Returns the configured certificate refresh command, or undefined if not set.
+ */
+export function getRefreshCommand(): string | undefined {
+	return (
+		vscode.workspace
+			.getConfiguration()
+			.get<string>("coder.tlsCertRefreshCommand")
+			?.trim() || undefined
+	);
+}
+
+/**
+ * Executes the certificate refresh command.
+ * Returns true if successful, false otherwise.
+ */
+export async function refreshCertificates(
+	command: string,
+	logger: Logger,
+): Promise<boolean> {
+	const result = await execCommand(command, logger, {
+		title: "Certificate refresh",
+	});
+	return result.success;
+}

src/api/coderApi.ts

@@ -17,8 +17,9 @@ import * as vscode from "vscode";
 import { type ClientOptions } from "ws";
 
 import { watchConfigurationChanges } from "../configWatcher";
-import { CertificateError } from "../error/certificateError";
+import { ClientCertificateError } from "../error/clientCertificateError";
 import { toError } from "../error/errorUtils";
+import { ServerCertificateError } from "../error/serverCertificateError";
 import { getHeaderCommand, getHeaders } from "../headers";
 import { EventStreamLogger } from "../logging/eventStreamLogger";
 import {
@@ -49,6 +50,7 @@ import {
 } from "../websocket/reconnectingWebSocket";
 import { SseConnection } from "../websocket/sseConnection";
 
+import { getRefreshCommand, refreshCertificates } from "./certificateRefresh";
 import { createHttpAgent } from "./utils";
 
 const coderSessionTokenHeader = "Coder-Session-Token";
@@ -440,7 +442,15 @@ export class CoderApi extends Api implements vscode.Disposable {
 		const reconnectingSocket = await ReconnectingWebSocket.create<TData>(
 			socketFactory,
 			this.output,
-			undefined,
+			{
+				onCertificateExpired: async () => {
+					const refreshCommand = getRefreshCommand();
+					if (!refreshCommand) {
+						return false;
+					}
+					return refreshCertificates(refreshCommand, this.output);
+				},
+			},
 			() => this.reconnectingSockets.delete(reconnectingSocket),
 		);
 
@@ -479,16 +489,48 @@ function setupInterceptors(client: CoderApi, output: Logger): void {
 		return config;
 	});
 
-	// Wrap certificate errors.
+	// Wrap certificate errors and handle certificate expiration with refresh.
 	client.getAxiosInstance().interceptors.response.use(
 		(r) => r,
-		async (err) => {
+		async (err: unknown) => {
+			// Check for certificate expiration error first.
+			if (ClientCertificateError.isExpiredError(err)) {
+				const axiosErr = err as {
+					config?: RequestConfigWithMeta & { __certRetried?: boolean };
+				};
+				const config = axiosErr.config;
+				const refreshCommand = getRefreshCommand();
+
+				// Only retry once per request.
+				if (refreshCommand && config && !config.__certRetried) {
+					config.__certRetried = true;
+
+					output.info("Certificate expired, attempting refresh...");
+					const success = await refreshCertificates(refreshCommand, output);
+					if (success) {
+						// Create new agent with refreshed certificates.
+						const agent = await createHttpAgent(
+							vscode.workspace.getConfiguration(),
+						);
+						config.httpsAgent = agent;
+						config.httpAgent = agent;
+
+						// Retry the request.
+						output.info("Retrying request with refreshed certificates...");
+						return client.getAxiosInstance().request(config);
+					}
+				}
+
+				// Throw user-friendly error.
+				throw new ClientCertificateError(toError(err), !refreshCommand);
+			}
+
+			// Handle other certificate errors.
 			const baseUrl = client.getAxiosInstance().defaults.baseURL;
 			if (baseUrl) {
-				throw await CertificateError.maybeWrap(err, baseUrl, output);
-			} else {
-				throw err;
+				throw await ServerCertificateError.maybeWrap(err, baseUrl, output);
 			}
+			throw err;
 		},
 	);
 }

src/command/exec.ts

@@ -0,0 +1,74 @@
+import * as cp from "node:child_process";
+import * as util from "node:util";
+
+import { type Logger } from "../logging/logger";
+
+interface ExecException {
+	code?: number;
+	stderr?: string;
+	stdout?: string;
+}
+
+function isExecException(err: unknown): err is ExecException {
+	return (err as ExecException).code !== undefined;
+}
+
+export interface ExecCommandOptions {
+	env?: NodeJS.ProcessEnv;
+	/** Title for logging (e.g., "Header command", "Certificate refresh"). */
+	title?: string;
+}
+
+export type ExecCommandResult =
+	| { success: true; stdout: string; stderr: string }
+	| { success: false; stdout?: string; stderr?: string; exitCode?: number };
+
+/**
+ * Execute a shell command and return result with success/failure.
+ * Handles errors gracefully and logs appropriately.
+ */
+export async function execCommand(
+	command: string,
+	logger: Logger,
+	options?: ExecCommandOptions,
+): Promise<ExecCommandResult> {
+	const title = options?.title ?? "Command";
+	logger.debug(`Executing ${title}: ${command}`);
+
+	try {
+		const result = await util.promisify(cp.exec)(command, {
+			env: options?.env,
+		});
+		logger.debug(`${title} completed successfully`);
+		if (result.stdout) {
+			logger.debug(`${title} stdout:`, result.stdout);
+		}
+		if (result.stderr) {
+			logger.debug(`${title} stderr:`, result.stderr);
+		}
+		return {
+			success: true,
+			stdout: result.stdout,
+			stderr: result.stderr,
+		};
+	} catch (error) {
+		if (isExecException(error)) {
+			logger.warn(`${title} failed with exit code ${error.code}`);
+			if (error.stdout) {
+				logger.warn(`${title} stdout:`, error.stdout);
+			}
+			if (error.stderr) {
+				logger.warn(`${title} stderr:`, error.stderr);
+			}
+			return {
+				success: false,
+				stdout: error.stdout,
+				stderr: error.stderr,
+				exitCode: error.code,
+			};
+		}
+
+		logger.warn(`${title} failed:`, error);
+		return { success: false };
+	}
+}

src/error/certificateError.ts

@@ -1,164 +1,14 @@
-import {
-	X509Certificate,
-	KeyUsagesExtension,
-	KeyUsageFlags,
-} from "@peculiar/x509";
-import { isAxiosError } from "axios";
-import * as tls from "node:tls";
-import * as vscode from "vscode";
-
-import { type Logger } from "../logging/logger";
-
-import { toError } from "./errorUtils";
-
-// X509_ERR_CODE represents error codes as returned from BoringSSL/OpenSSL.
-export enum X509_ERR_CODE {
-	UNABLE_TO_VERIFY_LEAF_SIGNATURE = "UNABLE_TO_VERIFY_LEAF_SIGNATURE",
-	DEPTH_ZERO_SELF_SIGNED_CERT = "DEPTH_ZERO_SELF_SIGNED_CERT",
-	SELF_SIGNED_CERT_IN_CHAIN = "SELF_SIGNED_CERT_IN_CHAIN",
-}
-
-// X509_ERR contains human-friendly versions of TLS errors.
-export enum X509_ERR {
-	PARTIAL_CHAIN = "Your Coder deployment's certificate cannot be verified because a certificate is missing from its chain. To fix this your deployment's administrator must bundle the missing certificates.",
-	// NON_SIGNING can be removed if BoringSSL is patched and the patch makes it
-	// into the version of Electron used by VS Code.
-	NON_SIGNING = "Your Coder deployment's certificate is not marked as being capable of signing. VS Code uses a version of Electron that does not support certificates like this even if they are self-issued. The certificate must be regenerated with the certificate signing capability.",
-	UNTRUSTED_LEAF = "Your Coder deployment's certificate does not appear to be trusted by this system. The certificate must be added to this system's trust store.",
-	UNTRUSTED_CHAIN = "Your Coder deployment's certificate chain does not appear to be trusted by this system. The root of the certificate chain must be added to this system's trust store. ",
-}
-
-export class CertificateError extends Error {
-	public static readonly ActionAllowInsecure = "Allow Insecure";
-	public static readonly ActionOK = "OK";
-	public static readonly InsecureMessage =
-		'The Coder extension will no longer verify TLS on HTTPS requests. You can change this at any time with the "coder.insecure" property in your VS Code settings.';
-
-	private constructor(
-		message: string,
-		public readonly x509Err?: X509_ERR,
-	) {
-		super("Secure connection to your Coder deployment failed: " + message);
-	}
-
-	// maybeWrap returns a CertificateError if the code is a certificate error
-	// otherwise it returns the original error.
-	static async maybeWrap<T>(
-		err: T,
-		address: string,
-		logger: Logger,
-	): Promise<CertificateError | T> {
-		if (isAxiosError(err)) {
-			switch (err.code) {
-				case X509_ERR_CODE.UNABLE_TO_VERIFY_LEAF_SIGNATURE:
-					// "Unable to verify" can mean different things so we will attempt to
-					// parse the certificate and determine which it is.
-					try {
-						const cause =
-							await CertificateError.determineVerifyErrorCause(address);
-						return new CertificateError(err.message, cause);
-					} catch (error) {
-						logger.warn(`Failed to parse certificate from ${address}`, error);
-						break;
-					}
-				case X509_ERR_CODE.DEPTH_ZERO_SELF_SIGNED_CERT:
-					return new CertificateError(err.message, X509_ERR.UNTRUSTED_LEAF);
-				case X509_ERR_CODE.SELF_SIGNED_CERT_IN_CHAIN:
-					return new CertificateError(err.message, X509_ERR.UNTRUSTED_CHAIN);
-				case undefined:
-					break;
-			}
-		}
-		return err;
-	}
-
-	// determineVerifyErrorCause fetches the certificate(s) from the specified
-	// address, parses the leaf, and returns the reason the certificate is giving
-	// an "unable to verify" error or throws if unable to figure it out.
-	private static async determineVerifyErrorCause(
-		address: string,
-	): Promise<X509_ERR> {
-		return new Promise((resolve, reject) => {
-			try {
-				const url = new URL(address);
-				const socket = tls.connect(
-					{
-						port: Number.parseInt(url.port, 10) || 443,
-						host: url.hostname,
-						rejectUnauthorized: false,
-					},
-					() => {
-						const x509 = socket.getPeerX509Certificate();
-						socket.destroy();
-						if (!x509) {
-							throw new Error("no peer certificate");
-						}
-
-						// We use "@peculiar/x509" because Node's x509 returns an undefined `keyUsage`.
-						const cert = new X509Certificate(x509.toString());
-						const isSelfIssued = cert.subject === cert.issuer;
-						if (!isSelfIssued) {
-							return resolve(X509_ERR.PARTIAL_CHAIN);
-						}
-
-						// The key usage needs to exist but not have cert signing to fail.
-						const extension = cert.getExtension(KeyUsagesExtension);
-						if (extension) {
-							const hasKeyCertSign =
-								extension.usages & KeyUsageFlags.keyCertSign;
-							if (!hasKeyCertSign) {
-								return resolve(X509_ERR.NON_SIGNING);
-							}
-						}
-						// This branch is currently untested; it does not appear possible to
-						// get the error "unable to verify" with a self-signed certificate
-						// unless the key usage was the issue since it would have errored
-						// with "self-signed certificate" instead.
-						return resolve(X509_ERR.UNTRUSTED_LEAF);
-					},
-				);
-				socket.on("error", (err) => reject(toError(err)));
-			} catch (err) {
-				reject(toError(err));
-			}
-		});
-	}
-
-	// allowInsecure updates the value of the "coder.insecure" property.
-	private allowInsecure(): void {
-		vscode.workspace
-			.getConfiguration()
-			.update("coder.insecure", true, vscode.ConfigurationTarget.Global);
-		vscode.window.showInformationMessage(CertificateError.InsecureMessage);
-	}
-
-	async showModal(title: string): Promise<void> {
-		return this.showNotification(title, {
-			detail: this.x509Err || this.message,
-			modal: true,
-			useCustom: true,
-		});
-	}
-
-	async showNotification(
+/**
+ * Base class for certificate-related errors that can display notifications to users.
+ * Use `instanceof CertificateError` to check if an error is a certificate error.
+ */
+export abstract class CertificateError extends Error {
+	/** Human-friendly detail message for display */
+	public abstract readonly detail: string;
+
+	/** Show error notification. Pass { modal: true } for modal dialogs. */
+	public abstract showNotification(
 		title?: string,
-		options: vscode.MessageOptions = {},
-	): Promise<void> {
-		const val = await vscode.window.showErrorMessage(
-			title || this.x509Err || this.message,
-			options,
-			// TODO: The insecure setting does not seem to work, even though it
-			// should, as proven by the tests.  Even hardcoding rejectUnauthorized to
-			// false does not work; something seems to just be different when ran
-			// inside VS Code.  Disabling the "Strict SSL" setting does not help
-			// either.  For now avoid showing the button until this is sorted.
-			// CertificateError.ActionAllowInsecure,
-			CertificateError.ActionOK,
-		);
-		switch (val) {
-			case CertificateError.ActionOK:
-			case undefined:
-				return;
-		}
-	}
+		options?: { modal?: boolean },
+	): Promise<void>;
 }