Title: 1.18.0-rolling-weekly overwrites external SSL certificates on startup
Body:
Description
Starting with the February 11, 2026 update of kasmweb/desktop-deluxe:1.18.0-rolling-weekly, KasmVNC now overwrites externally provided SSL certificates in /home/kasm-user/.vnc/self.pem during container startup, breaking existing certificate management workflows.
Affected Versions
Broken: 1.18.0-rolling-weekly (updated 2026-02-11 and later)
Working: 1.17.0-rolling-weekly and earlier versions
Expected Behavior
When a custom SSL certificate is provided in /home/kasm-user/.vnc/self.pem (either via COPY in Dockerfile or docker cp after startup), KasmVNC should use the provided certificate instead of generating a new one.
Actual Behavior
KasmVNC generates a new self-signed certificate on every startup, overwriting any externally provided certificate. The startup process requires write permissions to self.pem, causing failures when mounted as read-only.
Error when mounted read-only:
req: Can't open "/home/kasm-user/.vnc/self.pem" for writing, Read-only file system
Steps to Reproduce
Build container with custom certificate:
dockerfileFROM kasmweb/desktop-deluxe:1.18.0-rolling-weekly
ENV VNC_PW=password
USER root
RUN apt-get update && apt-get upgrade -y
EXPOSE 6901
USER kasm-user
Run container and copy custom certificate:
bashdocker run -d --name test -p 6901:6901 container
docker cp custom-cert.pem test:/home/kasm-user/.vnc/self.pem
docker restart test
Verify certificate is overwritten:
bashdocker exec test cat /home/kasm-user/.vnc/self.pem
Shows auto-generated certificate, not custom one
## Observed Differences
**Custom certificate format:**
-----BEGIN EC PRIVATE KEY-----
-----END EC PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE----- # Certificate chain
-----END CERTIFICATE-----
**Auto-generated certificate format:**
-----BEGIN PRIVATE KEY-----
-----END PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
Workaround
Revert to 1.17.0-rolling-weekly or use a pinned non-rolling version.
Impact
This breaks certificate management for production deployments where:
Valid SSL certificates (Let's Encrypt, commercial CAs) are required
Certificate rotation workflows are automated
Compliance requires specific certificate chains
Request
Please either:
Preserve externally provided certificates in /home/kasm-user/.vnc/self.pem
Add a configuration option to disable auto-generation
Document the breaking change in release notes
Thank you for considering this issue.
Title: 1.18.0-rolling-weekly overwrites external SSL certificates on startup
Body:
Description
Starting with the February 11, 2026 update of kasmweb/desktop-deluxe:1.18.0-rolling-weekly, KasmVNC now overwrites externally provided SSL certificates in /home/kasm-user/.vnc/self.pem during container startup, breaking existing certificate management workflows.
Affected Versions
Broken: 1.18.0-rolling-weekly (updated 2026-02-11 and later)
Working: 1.17.0-rolling-weekly and earlier versions
Expected Behavior
When a custom SSL certificate is provided in /home/kasm-user/.vnc/self.pem (either via COPY in Dockerfile or docker cp after startup), KasmVNC should use the provided certificate instead of generating a new one.
Actual Behavior
KasmVNC generates a new self-signed certificate on every startup, overwriting any externally provided certificate. The startup process requires write permissions to self.pem, causing failures when mounted as read-only.
Error when mounted read-only:
req: Can't open "/home/kasm-user/.vnc/self.pem" for writing, Read-only file system
Steps to Reproduce
Build container with custom certificate:
dockerfileFROM kasmweb/desktop-deluxe:1.18.0-rolling-weekly
ENV VNC_PW=password
USER root
RUN apt-get update && apt-get upgrade -y
EXPOSE 6901
USER kasm-user
Run container and copy custom certificate:
bashdocker run -d --name test -p 6901:6901 container
docker cp custom-cert.pem test:/home/kasm-user/.vnc/self.pem
docker restart test
Verify certificate is overwritten:
bashdocker exec test cat /home/kasm-user/.vnc/self.pem
Shows auto-generated certificate, not custom one
-----BEGIN EC PRIVATE KEY-----
-----END EC PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE----- # Certificate chain
-----END CERTIFICATE-----
-----BEGIN PRIVATE KEY-----
-----END PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
Workaround
Revert to 1.17.0-rolling-weekly or use a pinned non-rolling version.
Impact
This breaks certificate management for production deployments where:
Valid SSL certificates (Let's Encrypt, commercial CAs) are required
Certificate rotation workflows are automated
Compliance requires specific certificate chains
Request
Please either:
Preserve externally provided certificates in /home/kasm-user/.vnc/self.pem
Add a configuration option to disable auto-generation
Document the breaking change in release notes
Thank you for considering this issue.