{
  "$type": "site.standard.document",
  "canonicalUrl": "https://johnnyreilly.com/posts/devcontainers-and-ssl-interception",
  "description": "Developers may need to overcome MITM certificate issues to use devcontainers, which can optimize productivity for new starters when developing software.",
  "path": "/posts/devcontainers-and-ssl-interception",
  "publishedAt": "2020-07-11T00:00:00.000Z",
  "site": "at://did:plc:yy3apqjlms24kso7ahn7lbmb/site.standard.publication/3mova7c4nho2b",
  "textContent": "Devcontainers are cool. They are the infrastructure as code equivalent for developing software.\n\n\n\nImagine your new starter joins the team, you'd like them to be contributing code on _day 1_. But if the first thing that happens is you hand them a sheaf of paper upon which are the instructions for how to get their machines set up for development, well, maybe it's going to be a while. But if your project has a devcontainer then you're off to the races. One trusty git clone, fire up VS Code and they can get going.\n\nThat's the dream right?\n\nI've recently been doing some work getting a project I work on set up with a devcontainer. As I've worked on that I've become aware of some of the hurdles that might hamper your adoption of devcontainers in a corporate environment.\n\nCertificates: I'm starting with the man in the middle\n\nIt is a common practice in company networks to perform SSL interception. Not SSL inception; that'd be more fun.\n\n <iframe src=\"https://giphy.com/embed/l7JDTHpsXM26k\" width=\"100%\" height=\"100%\" frameBorder=\"0\" allowFullScreen=\"\"></iframe>\n\nSSL interception is the practice of installing a \"man-in-the-middle\" (MITM) CA certificate on users machines. When SSL traffic takes place from a users machine, it goes through a proxy. That proxy performs the SSL on behalf of that user and, if it's happy, supplies another certificate back to the users machine which satisfies the MITM CA certificate. So rather than seeing, for example, Google's certificate from https://google.com you'd see the one resulting from the SSL interception. You can read more here.\n\nNow this is a little known and less understood practice. I barely understand it myself. Certificates are _hard_. Even having read the above you may be none the wiser about why this is relevant. Let's get to the broken stuff.\n\n\"Devcontainers don't work at work!\"\n\nSo, you're ready to get going with your first devcontainer. 
You fire up the vscode-dev-containers repo and find the container that's going to work for you. Copy pasta the .devcontainer into your repo, install the Remote Development extension into VS Code and enter the Remote-Containers: Reopen Folder in Container command. Here comes the future!\n\nBut when it comes to performing SSL inside the devcontainer, trouble awaits. Here's what a yarn install results in:\n\nOh no!\n\nGosh, but it's okay - you're just bumping into the SSL interception. Why though? Well it's like this: when you fire up your devcontainer it builds a new Docker container. It's as well to imagine the container as a virtual operating system. So what's the difference between this operating system and the one our machine is running? Well, a number of things, but crucially our host operating system has the MITM CA certificate installed. So when we SSL, we have the certificate that will match up with what the proxy sends back to us certificate-wise. And inside our trusty devcontainer we don't have that. Hence the sadness.\n\nDevcontainer + MITM cert = working\n\nWe need to do two things to get this working:\n\n1. Acquire the requisite CA certificate(s) from your friendly neighbourhood networking team. Place them in a certs folder inside your repo, in the .devcontainer folder.\n2. Add the following lines to your .devcontainer/Dockerfile, just after the initial FROM statement:\n\nWhich does the following:\n\n- Copies the certs into the devcontainer\n- Sets an environment variable called NODE_EXTRA_CA_CERTS (this is a Node example), which points to the path of your MITM CA certificate file inside your devcontainer\n- Updates the directory /etc/ssl/certs to hold SSL certificates and generates ca-certificates.crt\n\nWith these in place, you should be able to build your devcontainer with no SSL trauma. Enjoy!",
  "title": "Devcontainers and SSL interception"
}