Description
Summary
When client TLS certificates (e.g., metatron credentials) expire, the extension shows a cryptic error message:
Failed to check user authentication: 18468360202752:error:10000415:SSL routines:OPENSSL_internal:SSLV3_ALERT_CERTIFICATE_EXPIRED:../../third_party/boringssl/src/ssl/tls_record.cc:486:SSL alert number 45
The extension should detect this condition and either:
- Show a user-friendly error message explaining that credentials need to be refreshed
- Automatically run a configurable refresh command (like the JetBrains Toolbox plugin does)
Current Behavior
The SSLV3_ALERT_CERTIFICATE_EXPIRED SSL error propagates as a raw error message. The existing CertificateError class in src/error.ts only handles server certificate errors (self-signed, untrusted chain, etc.), not client certificate expiration.
Proposed Solution
Implement a certificate refresh mechanism similar to the JetBrains Toolbox plugin's CertificateRefreshInterceptor:
- New setting: coder.tlsCertRefreshCommand - a command to run when certificates expire (e.g., metatron refresh)
- Detection: catch SSL errors whose message contains certificate_expired or SSLV3_ALERT_CERTIFICATE_EXPIRED
- Refresh flow:
  - Execute the configured refresh command
  - Reload the TLS context to pick up the new certificates
  - Retry the failed request
- Fallback: if no refresh command is configured, show a user-friendly error message suggesting the user refresh their credentials manually
Implementation Notes
- The error surfaces at extension activation in src/extension.ts (~line 296), in the .catch() handler for deploymentManager.setDeploymentIfValid()
- The CertificateError.maybeWrap() method in src/error.ts could be extended to detect this error type
- TLS certificates are configured via the coder.tlsCertFile and coder.tlsKeyFile settings
- The axios HTTP client would need an interceptor or error handler to detect and handle these errors
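The detect / refresh / reload / retry flow from the proposed solution, together with the fallback message, as an added TypeScript sketch. This is an editor's illustration, not code from vscode-coder, from src/error.ts, or from the JetBrains Toolbox plugin. The command runner and TLS reload are injected (RefreshDeps) so the block runs offline; the names withCertRefresh, RefreshDeps, makeFakeDeployment and the fake deployment check are assumptions, and the only string taken from the page is the error text quoted in this issue.

```typescript
// Added example (editor's illustration, not code from vscode-coder or the
// JetBrains Toolbox plugin). It sketches the proposed detect -> refresh ->
// reload -> retry flow with the I/O injected so it runs offline. Names such as
// withCertRefresh, RefreshDeps and makeFakeDeployment are assumptions.

// Substrings the issue proposes matching in the raw SSL error.
const CERT_EXPIRED_MARKERS = ["certificate_expired", "SSLV3_ALERT_CERTIFICATE_EXPIRED"];

// Message shown when no refresh command is configured (fallback path).
export const MANUAL_REFRESH_MESSAGE =
  "Your client TLS certificate has expired. Refresh your credentials and " +
  "try again, or set coder.tlsCertRefreshCommand to automate this.";

// True when an error's message carries one of the expiry markers. Matching on
// the message is the only handle available: Node surfaces the alert as an
// OpenSSL/BoringSSL string rather than as a typed error.
export function isClientCertExpiredError(err: unknown): boolean {
  const message = err instanceof Error ? err.message : String(err);
  return CERT_EXPIRED_MARKERS.some((m) => message.includes(m));
}

export interface RefreshDeps {
  // Value of the proposed coder.tlsCertRefreshCommand setting; undefined = not configured.
  refreshCommand?: string;
  // Runs the command (in a real extension this would be child_process.exec or similar).
  runCommand: (cmd: string) => Promise<void>;
  // Re-reads coder.tlsCertFile / coder.tlsKeyFile into a fresh TLS agent.
  reloadTlsContext: () => Promise<void>;
}

// Wraps one request. On a certificate-expired failure it refreshes once and
// retries exactly once; any other error, or a second expiry, is surfaced.
export async function withCertRefresh<T>(
  request: () => Promise<T>,
  deps: RefreshDeps,
): Promise<T> {
  try {
    return await request();
  } catch (err) {
    if (!isClientCertExpiredError(err)) throw err;
    if (!deps.refreshCommand) throw new Error(MANUAL_REFRESH_MESSAGE);
    await deps.runCommand(deps.refreshCommand);
    await deps.reloadTlsContext();
    try {
      return await request();
    } catch (retryErr) {
      // Refresh did not help: do not loop, tell the user what to do.
      if (isClientCertExpiredError(retryErr)) throw new Error(MANUAL_REFRESH_MESSAGE);
      throw retryErr;
    }
  }
}

// Constructed error text, copied from the message quoted in this issue.
const EXPIRED_ERROR =
  "18468360202752:error:10000415:SSL routines:OPENSSL_internal:" +
  "SSLV3_ALERT_CERTIFICATE_EXPIRED:../../third_party/boringssl/src/ssl/tls_record.cc:486:SSL alert number 45";

// Fake deployment check: fails with the expired-cert error until the TLS
// context has been reloaded with a "fresh" certificate. The log records the
// order in which the flow's steps ran.
export function makeFakeDeployment() {
  const log: string[] = [];
  let certValid = false;
  const deps: RefreshDeps = {
    refreshCommand: "metatron refresh",
    runCommand: async (cmd) => { log.push(`run: ${cmd}`); },
    reloadTlsContext: async () => { log.push("reload tls"); certValid = true; },
  };
  const checkAuth = async (): Promise<string> => {
    log.push("request");
    if (!certValid) throw new Error(`Failed to check user authentication: ${EXPIRED_ERROR}`);
    return "authenticated";
  };
  return { deps, checkAuth, log };
}

// Demo: the happy path with a refresh command configured.
export async function demo(): Promise<string[]> {
  const { deps, checkAuth, log } = makeFakeDeployment();
  const result = await withCertRefresh(checkAuth, deps);
  log.push(`result: ${result}`);
  return log;
}

demo().then((log) => console.log(log.join("\n")));
```

Two points worth keeping when this is wired into the real extension: the retry is bounded to one attempt, so a refresh command that produces another expired certificate cannot spin the extension in a loop; and because coder.tlsCertRefreshCommand is a command the extension executes, it should be honoured from user-scope settings only (VS Code lets a contribution mark a setting as restricted so it is ignored in untrusted workspaces), otherwise a repository's .vscode/settings.json could supply the command that runs.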