Loading...

XML

Word

Printable

Type: Bug
Resolution: Done
Priority: Major
Fix Version/s: 3.7.0.GA
Affects Version/s: 3.3.0.GA
Component/s: editors: vscode, idea, theia, Team B: DevWorkspace + Operator, Web Terminal + Operator, editors/IDEs + built-in vscode extensions, Universal Developer Image, machine-exec, dev environment config
Labels:

Blocked:
False
Blocked Reason:
None
Ready:
False
Release Note Text:
I am resolving this issue with Fix Version 3.7 as NODE_EXTRA_CA_CERTS is automatically set now.
Intelligence Requested:
Market:

SFDC Cases Counter:
SFDC Cases Links:

Description of problem:

When a customer is trying to install plugins from the internal plugin registry an error message appears indicating that a connection to a Microsoft CDN is tried to be established instead.

The internal registry is configured (screenshot attached). Looking at the logs of vs code (by clicking on the link in the right-bottom popup) the following error message appears (screenshot attached):

2022-12-20 14:29:54.841 [error] unable to verify the first certificate: Error: unable to verify the first certificate at TLSSocket.onConnectSecure (node:_tls_wrap:1530:34) at TLSSocket.emit (node:events:520:28) at TLSSocket._finishInit (node:_tls_wrap:944:8) at TLSWrap.ssl.onhandshakedone (node:_tls_wrap:725:12) 2022-12-20 14:29:55.551 [error] Error while registering log channel vscode-log:/20221220T142944/remoteTunnel.log Timed out while waiting for file to be created 2022-12-20 14:29:55.821 [error] Error while registering log channel file:///20221220T142944/ptyhost.log Timed out while waiting for file to be created

The customer has their own root certificate. They tried to import certificates by following the procedure in doc [1] and also by importing ca-bundle.crt within a workspace using doc [2]. Both did not change the behavior.

Using doc [2] they are at least able to curl the URL of the plugin registry without tls errors (screenshot attached). So it seems that VS Code ignores certificates.

Following is the analysis from the customer:

VS Code is written in NodeJS and Node does not use system-side certificates but brings its own certificate bundle, backed into the distribution. See here: https://github.com/nodejs/node/blob/main/src/node_root_certs.h
A custom certificate file can be added through the environment variable NODE_EXTRA_CA_CERTS.
Following the documentation in [1]  custom certificates are mounted into the workspace container at /public-certs. However, NODE_EXTRA_CA_CERTS never is being set. So in contrast to the previous editor, Theia, VS Code ignores the custom certificates.

[1] https://access.redhat.com/documentation/en-us/red_hat_openshift_dev_spaces/3.3/html/administration_guide/configuring-devspaces#importing-untrusted-tls-certificates
[2] https://access.redhat.com/documentation/en-us/red_hat_openshift_dev_spaces/3.3/html/user_guide/using-credentials-and-configurations-in-workspaces#mounting-configmaps

- - Sort By Name
  - Sort By Date
  - Ascending
  - Descending
  - Thumbnails
  - List
  - Download All

Connection-to-MS-CDN_v2.JPG
581 kB
2022/12/23 8:54 AM
Error-Messages-in-Log_v2.JPG
323 kB
2022/12/23 8:54 AM
Successful-Curl-After-Custom-Certs-Injected_v2.JPG
222 kB
2022/12/23 8:54 AM

Assignee:: Artem Zatsarynnyi

Reporter:: Satyam Burhade

Votes:: 1 Vote for this issue

Watchers:: 6 Start watching this issue

Created:: 2022/12/21 3:55 PM

Updated:: 2023/08/01 9:03 AM

Resolved:: 2023/08/01 9:03 AM

Details

Description

Description of problem:

Attachments

Attachments

Activity

People

Dates