Bug
Resolution: Done
Major
3.3.0.GA
I am resolving this issue with Fix Version 3.7 as NODE_EXTRA_CA_CERTS is automatically set now.
Description of problem:
When a customer tries to install plugins from the internal plugin registry, an error message appears indicating that a connection to a Microsoft CDN is being attempted instead.
The internal registry is configured (screenshot attached). Looking at the VS Code logs (by clicking on the link in the bottom-right popup), the following error message appears (screenshot attached):
2022-12-20 14:29:54.841 [error] unable to verify the first certificate: Error: unable to verify the first certificate
    at TLSSocket.onConnectSecure (node:_tls_wrap:1530:34)
    at TLSSocket.emit (node:events:520:28)
    at TLSSocket._finishInit (node:_tls_wrap:944:8)
    at TLSWrap.ssl.onhandshakedone (node:_tls_wrap:725:12)
2022-12-20 14:29:55.551 [error] Error while registering log channel vscode-log:/20221220T142944/remoteTunnel.log Timed out while waiting for file to be created
2022-12-20 14:29:55.821 [error] Error while registering log channel file:///20221220T142944/ptyhost.log Timed out while waiting for file to be created
The customer has their own root certificate. They tried to import certificates by following the procedure in doc [1] and also by importing ca-bundle.crt within a workspace using doc [2]. Neither changed the behavior.
Using doc [2] they are at least able to curl the URL of the plugin registry without TLS errors (screenshot attached). So it seems that VS Code ignores certificates.
Following is the analysis from the customer:
VS Code is written in Node.js, and Node does not use system-side certificates but brings its own certificate bundle, baked into the distribution. See here: https://github.com/nodejs/node/blob/main/src/node_root_certs.h A custom certificate file can be added through the environment variable NODE_EXTRA_CA_CERTS. Following the documentation in [1], custom certificates are mounted into the workspace container at /public-certs. However, NODE_EXTRA_CA_CERTS is never set. So, in contrast to the previous editor, Theia, VS Code ignores the custom certificates.
[1] https://access.redhat.com/documentation/en-us/red_hat_openshift_dev_spaces/3.3/html/administration_guide/configuring-devspaces#importing-untrusted-tls-certificates
[2] https://access.redhat.com/documentation/en-us/red_hat_openshift_dev_spaces/3.3/html/user_guide/using-credentials-and-configurations-in-workspaces#mounting-configmaps
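
A check for the condition described in the analysis above, as an added example that is not part of the original report or of the Dev Spaces code: it builds one PEM bundle from a directory of mounted CA certificates and verifies that NODE_EXTRA_CA_CERTS points at a usable file. It assumes the mounted files are PEM-encoded; the function names and the output path are hypothetical.

```shell
#!/bin/sh
# Added example: Node.js trust bundle from mounted CA certificates.

# build_node_ca_bundle CERT_DIR OUT_FILE
# Copies every PEM certificate block found in the regular files of CERT_DIR
# into OUT_FILE and prints how many certificates were written.
# Returns 1 if CERT_DIR is missing or holds no certificate.
build_node_ca_bundle() {
    cert_dir=$1
    out_file=$2
    [ -d "$cert_dir" ] || { echo "missing directory: $cert_dir" >&2; return 1; }
    : > "$out_file" || return 1
    for f in "$cert_dir"/*; do
        [ -f "$f" ] || continue
        # Skip files without a PEM certificate header (notes, keys, DER files).
        grep -q -- '-----BEGIN CERTIFICATE-----' "$f" || continue
        # Keep only the certificate blocks, dropping any text around them.
        sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' "$f" >> "$out_file"
    done
    count=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$out_file" || true)
    echo "$count"
    [ "$count" -gt 0 ]
}

# check_node_extra_ca
# Returns 0 when NODE_EXTRA_CA_CERTS names a readable file with at least one
# PEM certificate, 1 when it is unset, 2 when the file is unreadable, and
# 3 when the file contains no certificate block.
check_node_extra_ca() {
    [ -n "${NODE_EXTRA_CA_CERTS:-}" ] || return 1
    [ -r "$NODE_EXTRA_CA_CERTS" ] || return 2
    grep -q -- '-----BEGIN CERTIFICATE-----' "$NODE_EXTRA_CA_CERTS" || return 3
    return 0
}

# Run against the mount point named in the report, only when it exists.
if [ -d /public-certs ]; then
    bundle=${TMPDIR:-/tmp}/node-extra-ca.pem   # hypothetical output path
    if build_node_ca_bundle /public-certs "$bundle"; then
        export NODE_EXTRA_CA_CERTS="$bundle"
    fi
    check_node_extra_ca || echo "NODE_EXTRA_CA_CERTS not usable (code $?)" >&2
fi
```

Node.js reads NODE_EXTRA_CA_CERTS only when a process starts, so the variable has to be present in the editor container's environment before VS Code launches; exporting it in an open terminal affects only Node processes started from that shell.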