This repository has been archived by the owner on Nov 16, 2023. It is now read-only.

self signed certificate in certificate chain #28

Closed
bluemner opened this issue Nov 27, 2017 · 25 comments

@bluemner

When using a corporate GitHub with a self-signed SSL cert, the plugin doesn't respect the strict SSL setting "http.proxyStrictSSL": false and throws

Error: self signed certificate in certificate chain

Please add the option for custom ssl certs

Thanks.

@jmarandet

👍

Working with a Github Enterprise, this plugin would be really awesome, but it fails due to this certificate issue.

The Github site certificate was issued by a self-signed corporate PKI, and added to the OS.
Every web client on my computer works fine with it, the authority is registered.
For example I can see that Chrome shows a green lock, so the authority is correctly recognized.

I have tried the following:

  • configure my workspace settings with "http.proxyStrictSSL" : false
  • set the proper http.proxy: host:port
  • launch the editor with the command "C:\Program Files\Microsoft VS Code\Code.exe" --ignore-certificate-error

Without any success so far.
Do you have any suggestions?

@chrmarti
Contributor

The GitHub module can take rejectUnauthorized: false as a parameter. That might fix it.

@mungojam

It would be even better if it could make use of the SSL library we have chosen when installing git.

We chose the windows SSL library which means git.exe connects fine without needing to lower security, but the extension still fails with self signed certificate in certificate chain.

@chrmarti
Contributor

There is a command line option to make Node use the OpenSSL CA store instead of the built-in Mozilla CAs. I'm not sure if the OpenSSL CA would pick up CAs from the system CA store on Windows, but since OpenSSL is not a standard install on Windows this probably won't work well. (CLI option: https://nodejs.org/api/cli.html#cli_use_bundled_ca_use_openssl_ca.)

There is also a Node module specifically for Windows: https://github.com/ukoloff/win-ca. That would affect all extensions when loaded.

@mungojam

I hadn't realised it would be node driving the SSL library choice, not git.exe. That makes sense. I will see if the node module helps as I don't think OpenSSL would solve it.

It would be great if you can get this as a supported scenario. We're rolling out GitHub Enterprise widely in our company.

@mungojam

@chrmarti I couldn't see a way to run arbitrary node code prior to launching vscode in order to enable the win-ca module. It looks like it may require an extension. If I had more time, I'd try creating my first extension!

@chrmarti
Contributor

@mungojam You could: Clone this repository, run npm install, npm install win-ca, add require('win-ca') in extension.ts and then launch the modified extension by pressing F5 in VS Code with the repository folder opened.

@ukoloff

ukoloff commented Jun 16, 2018

If someone is still interested, a VS Code extension named win-ca is available. It is expected to make Windows' Trusted Root Certificates available to other VS Code extensions.

@mungojam

@ukoloff thanks for giving it a go, I'm still getting 'self signed certificate in certificate chain' error from this particular extension after installing the new win-ca one. I wonder if it doesn't kick in early enough.

Unfortunately we don't have node on our work machines for me to help with debugging the extension directly, but let me know if you want me to check anything else as this would be very handy to have.

@ukoloff

ukoloff commented Jun 17, 2018

First, let's check that win-ca is started at all. Look at the folder %USERPROFILE%\.vscode\extensions\ukoloff.win-ca-1.0.1\node_modules\win-ca\pem.

  1. Does it exist?
  2. Does it contain dozens of *.0 files?

Second, which software complains about the self signed certificate? Is it another VSCode extension? Or maybe some Node.js package, called by a VSCode extension?

@mungojam

mungojam commented Jun 17, 2018

> Look at the folder %USERPROFILE%\.vscode\extensions\ukoloff.win-ca-1.0.1\node_modules\win-ca\pem

The win-ca folder exists, but there is no pem folder, just lib folder and then the LICENCE, package.json and README.md files.

> Second, which software complains about the self signed certificate? Is it another VSCode extension? Or maybe some Node.js package, called by a VSCode extension?

The error doesn't seem to give any more details, I tried clicking on it. But it comes up as soon as I try to expand the 'GitHub Issues and PRs' section in the Explorer pane.

@ukoloff

ukoloff commented Jun 17, 2018

It looks like you were too fast and installed win-ca v1.0.0, which has a stupid bug. It is hopefully fixed in v1.0.1. Try to uninstall, reload, install again and reload.

And do you have GitHub extension installed?

@mungojam

Still same behaviour after reinstalling as per your instructions. The pem folder is still missing. I think I did have v1.0.1 before anyway. I'm on Windows 7 by the way.

I didn't have GitHub extension installed, I just tried that but it seems to fail for another reason (says I haven't put a personal token in when I have).

@ukoloff

ukoloff commented Jun 18, 2018

Curiouser and curiouser.

What flavour of Windows 7 are you on? x86 or x64?

What is your VSCode version? And again - x86 or x64?

Second, next to the missing pem folder you see the lib folder. There should be roots.exe in it. If you simply run it, it should produce a lot of hexadecimal digits. Please check.

@mungojam

x64 Win 7 Pro.
x64 VS Code v1.22.2

> There should be roots.exe in it. If you simply run it, it should produce a lot of hexadecimal digits. Please check.

Yep, it prints out tons of hex before closing

@ukoloff

ukoloff commented Jun 19, 2018

Well, I have no ideas left. I tested several combinations of Windows and VSCode, pem folder appears everywhere.

I even built a special version of the extension for your VSCode: win-ca-1.0.2.vsix.zip.

  1. Uninstall win-ca again
  2. Unzip
  3. From inside VSCode hit F1
  4. Run Install from VSIX... command (start typing VSIX)
  5. Point to unzipped .vsix file
  6. Reload
  7. Look again at %USERPROFILE%\.vscode\extensions\ukoloff.win-ca-1.0.2\node_modules\win-ca\pem

I think this will not help either, but...

@ukoloff

ukoloff commented Jun 19, 2018

Some googling gave an idea:

  1. Ensure win-ca is installed and not working
  2. Close VSCode and start again
  3. Help / Toggle Developer Tools
  4. Select Console on top

Are there any error messages concerning win-ca?

@mungojam

mungojam commented Jun 19, 2018

Got it:

/C:/Program Files/Microsoft VS Code/resources/app/out/vs/workbench/workbench.main.js:2868 Activating extension 'ukoloff.win-ca' failed: Cannot read public key. OID is not RSA..

Same error and missing folder with 1.0.2

@ukoloff

ukoloff commented Jun 20, 2018

Great! It is highly likely you have a non-RSA certificate in the store and node-forge chokes on it.

Can you run something like lib\roots.exe > out and send me that out file?

@ukoloff

ukoloff commented Jun 20, 2018

New version without node-forge: win-ca-1.0.2.vsix.zip

  1. Install as earlier (unzip + Install VSIX)
  2. Look for %USERPROFILE%\.vscode\extensions\ukoloff.win-ca-1.0.2\roots.pem
  3. Try connecting
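
An added example (not part of the thread, and not win-ca's own code) of consuming a PEM bundle such as the roots.pem above from Node: the extra CAs are appended to Node's bundled roots and verification stays on, instead of setting rejectUnauthorized: false. Each certificate is parsed on its own so that one unreadable entry is skipped rather than aborting the load, as the activation error earlier in the thread did; the function names are hypothetical and the sample bundle is constructed from Node's bundled roots plus a damaged entry.

```javascript
const tls = require('node:tls');
const https = require('node:https');
const { X509Certificate } = require('node:crypto');

const PEM_BLOCK = /-----BEGIN CERTIFICATE-----[\s\S]+?-----END CERTIFICATE-----/g;

// Parse every certificate in a PEM bundle on its own, so that one entry the
// parser rejects is skipped instead of aborting the whole load.
function loadExtraCas(bundleText) {
  const accepted = [];
  const skipped = [];
  for (const pem of bundleText.match(PEM_BLOCK) || []) {
    try {
      const cert = new X509Certificate(pem);
      accepted.push({ pem, subject: cert.subject, keyType: cert.publicKey.asymmetricKeyType });
    } catch (err) {
      skipped.push(err.message);
    }
  }
  return { accepted, skipped };
}

// TLS options that add the extra CAs to Node's bundled roots while leaving
// certificate verification switched on.
function trustOptions(bundleText) {
  const extra = loadExtraCas(bundleText).accepted.map((c) => c.pem);
  return { ca: [...tls.rootCertificates, ...extra], rejectUnauthorized: true };
}

// Constructed sample bundle: one RSA root and one EC root borrowed from Node's
// own bundled list, plus a deliberately damaged entry.
function sampleBundle() {
  const firstOfType = (type) => tls.rootCertificates.find(
    (pem) => new X509Certificate(pem).publicKey.asymmetricKeyType === type);
  const damaged = '-----BEGIN CERTIFICATE-----\nTm90IGEgY2VydGlmaWNhdGU=\n-----END CERTIFICATE-----';
  return [firstOfType('rsa'), damaged, firstOfType('ec')].join('\n');
}

const { accepted, skipped } = loadExtraCas(sampleBundle());
for (const c of accepted) console.log(c.keyType, c.subject.replace(/\n/g, ', '));
console.log(`skipped ${skipped.length} unreadable entry`);
// Pass the merged trust list to the HTTPS client; verification remains enabled.
const agent = new https.Agent(trustOptions(sampleBundle()));
```

The agent can then be passed as the `agent` option of `https.request`, so a server certificate issued by one of the added CAs verifies normally.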

@mungojam

Thanks, that .pem file exists now and the contents look good.

The GitHub PRs extension isn't showing up at the moment so I can't verify connectivity, it always seems to be intermittent which is a separate issue.

@mungojam

@ukoloff it works perfectly! great stuff. I might make use of that pem file for something else too

@ukoloff

ukoloff commented Jun 21, 2018

> I might make use of that pem file for something else too

In the release version this PEM will certainly be relocated to some other folder.

The current version is just a proof of concept.

@mungojam

The new version of the win-ca extension just released by @ukoloff fixes this for any certificates trusted by Windows.

It might be good to suggest to the user that they install this extension if they are on Windows. Or better yet, add the win-ca node package or equivalent to the VS Code install on Windows.

@chrmarti
Contributor

Opened microsoft/vscode#52880 to track this. Thanks!
