@EhabY EhabY commented Jan 16, 2026

Summary

  • Add automatic refresh and retry for failed TLS client certificate connections
  • Detect and classify SSL/TLS client certificate errors (expired, revoked, bad certificate, etc.)
  • New coder.tlsCertRefreshCommand setting to configure a refresh command (e.g., metatron refresh)
  • Consistently handle websocket errors across HTTP and WebSocket connections

Changes

Certificate Error Handling

  • Split CertificateError into ServerCertificateError (server cert issues) and ClientCertificateError (client cert
    issues)
  • Detect 7 SSL/TLS client certificate alert codes: expired, revoked, bad certificate, unknown, unsupported, unknown CA,
    and access denied. Also classify errors as "refreshable" (expired, revoked, bad, unknown) vs "non-refreshable" (unsupported, unknown CA, access denied)

Automatic Refresh & Retry

  • Automatically execute configured refresh command when refreshable certificate errors occur
  • Retry failed HTTP requests and WebSocket connections after refresh
  • Show user-friendly notifications with appropriate guidance based on error type

Code Quality

  • Add execCommand utility for shared command execution with proper logging
  • Improve websocket error handling consistency between HTTP and WebSocket paths

Fixed #714

@EhabY EhabY self-assigned this Jan 19, 2026
@EhabY EhabY force-pushed the automatic-mtls-refresh branch 3 times, most recently from e6ef17f to 871a6e4 January 19, 2026 16:47
@EhabY EhabY changed the title from "Add automatic TLS client certificate refresh" to "Add automatic TLS client certificate refresh support" Jan 20, 2026
@EhabY EhabY force-pushed the automatic-mtls-refresh branch from 871a6e4 to bc732ea January 20, 2026 09:43
@EhabY EhabY force-pushed the automatic-mtls-refresh branch from 0f9c982 to 46800c3 January 20, 2026 14:48
@jakehwll jakehwll self-requested a review January 21, 2026 11:05
EhabY added 3 commits January 21, 2026 14:53
…en they fail

- New coder.tlsCertRefreshCommand setting to configure a refresh command (e.g., metatron refresh)
- Detects 7 SSL/TLS client certificate alert codes: expired, revoked, bad certificate, unknown, unsupported, unknown CA, and access denied
- Classifies errors as "refreshable" (expired, revoked, bad, unknown) vs "non-refreshable" (unsupported, unknown CA, access denied)
- Automatically executes refresh command and retries failed HTTP requests and WebSocket connections
- Shows user-friendly notifications with appropriate guidance based on error type
- Split CertificateError into ServerCertificateError (server cert issues) and ClientCertificateError (client cert issues)
- Added execCommand utility for shared command execution with proper logging
@EhabY EhabY force-pushed the automatic-mtls-refresh branch from 46800c3 to 6b5c704 January 21, 2026 11:53
@EhabY EhabY force-pushed the automatic-mtls-refresh branch from 6b5c704 to 92ab411 January 21, 2026 12:33
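
The refreshable / non-refreshable classification and the refresh-then-retry flow described in this pull request, as an added example that is not the extension's own code. It assumes the error message carries OpenSSL's "SSL alert number N" text; the function names, the injected `refresh` callback (standing in for the configured refresh command) and the sample messages are hypothetical.

```typescript
// Added example with hypothetical names; alert numbers are the TLS AlertDescription
// values (RFC 8446, section 6), split as listed in the PR description.
const REFRESHABLE = new Map<number, string>([
  [42, "bad_certificate"],
  [44, "certificate_revoked"],
  [45, "certificate_expired"],
  [46, "certificate_unknown"],
]);
const NON_REFRESHABLE = new Map<number, string>([
  [43, "unsupported_certificate"],
  [48, "unknown_ca"],
  [49, "access_denied"],
]);

type Classification = { alert: string; refreshable: boolean } | null;
// Assumption: the error message carries OpenSSL's "SSL alert number <n>" suffix.
function classifyClientCertError(message: string): Classification {
  const m = /SSL alert number (\d+)/i.exec(message);
  if (!m) return null; // not a TLS alert at all
  const n = Number(m[1]);
  const ok = REFRESHABLE.get(n);
  if (ok !== undefined) return { alert: ok, refreshable: true };
  const bad = NON_REFRESHABLE.get(n);
  return bad !== undefined ? { alert: bad, refreshable: false } : null;
}

type Action = "refresh-and-retry" | "fail" | "rethrow";
// Refresh at most once per request, so a certificate still rejected after refresh cannot loop.
function nextAction(message: string, alreadyRefreshed: boolean): Action {
  const c = classifyClientCertError(message);
  if (c === null) return "rethrow";
  return c.refreshable && !alreadyRefreshed ? "refresh-and-retry" : "fail";
}

async function withCertRefresh<T>(request: () => Promise<T>, refresh: () => Promise<void>): Promise<T> {
  for (let refreshed = false; ; refreshed = true) {
    try {
      return await request();
    } catch (err) {
      const message = err instanceof Error ? err.message : String(err);
      if (nextAction(message, refreshed) !== "refresh-and-retry") throw err;
      await refresh(); // stands in for running the configured refresh command
    }
  }
}

// Constructed sample messages, shaped like OpenSSL's report of a received alert.
const SAMPLE_EXPIRED = "sslv3 alert certificate expired: SSL alert number 45";
const SAMPLE_UNKNOWN_CA = "tlsv1 alert unknown ca: SSL alert number 48";
```
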
Successfully merging this pull request may close these issues.

Add certificate refresh command support for expired client certificates