Che offline using an untrusted TLS cert doesn't load zip samples from internal devfile registry #16473

Closed
3 of 22 tasks
NM4 opened this issue Mar 27, 2020 · 8 comments
Labels
area/plugins kind/bug Outline of a bug - must adhere to the bug report template. severity/P1 Has a major impact to usage or development of the system.

Comments

@NM4

NM4 commented Mar 27, 2020

Describe the bug

I installed Eclipse Che in offline mode with internal devfile and plugin registries.
When I create a workspace with a stack that bundles a sample project from the devfile registry, I get an SSL issue when downloading the sample zip into the workspace. It seems like the provided CA cert is not propagated to the tool that downloads the zip (wget).

Che version

  • latest
  • nightly
  • other: please specify
    7.9.2

Steps to reproduce

Expected behavior

Runtime

  • kubernetes (include output of kubectl version)
  • Openshift (include output of oc version)
  • minikube (include output of minikube version and kubectl version)
  • minishift (include output of minishift version and oc version)
  • docker-desktop + K8S (include output of docker version and kubectl version)
  • other: (please specify)

Screenshots

Installation method

  • chectl
  • che-operator
  • minishift-addon
  • I don't know

Environment

  • my computer
    • Windows
    • Linux
    • macOS
  • Cloud
    • Amazon
    • Azure
    • GCE
    • [] other (please specify)
  • other: on prem K8S

Eclipse Che Logs

Couldn't import https://devfile-registry-che.full-FQN/resources/java-maven-console-java-simple-java1.11.zip:
Connecting to devfile-registry-che.full-FQN (10.z.x.y:443)
ssl_client: devfile-registry-che.full-FQN: certificate verification failed: unable to get local issuer certificate
wget: error getting response: Connection reset by peer

Additional context

@NM4 NM4 added the kind/bug Outline of a bug - must adhere to the bug report template. label Mar 27, 2020
@che-bot che-bot added the status/need-triage An issue that needs to be prioritized by the curator responsible for the triage. See https://github. label Mar 27, 2020
@sleshchenko
Member

sleshchenko commented Mar 27, 2020

@NM4 Could you clarify where you get this error? Theia log, plugin broker, Che Server?
P.S. Added area/che-theia, since I guess the provided log is from Theia and it must use /tmp/che/secret/ca.crt as a trusted cert to avoid such an error.

@sleshchenko sleshchenko added the area/editor/theia Issues related to the che-theia IDE of Che label Mar 27, 2020
@NM4
Author

NM4 commented Mar 27, 2020

I get this as a notification when my workspace starts.

@NM4
Author

NM4 commented Mar 27, 2020

Yes, just verified: in a terminal in the theia plugin container I have a correct ca.crt.

@NM4
Author

NM4 commented Mar 27, 2020

bash-4.4$ curl --cacert /tmp/che/secret/ca.crt -o /projects/test.zip  https://devfile-registry-che.full-FQN/resources/java-maven-console-java-simple-java1.11.zip
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  5999  100  5999    0     0  98344      0 --:--:-- --:--:-- --:--:-- 98344
bash-4.4$ ls /projects
test.zip

!!!

@tolusha tolusha added severity/P1 Has a major impact to usage or development of the system. and removed status/need-triage An issue that needs to be prioritized by the curator responsible for the triage. See https://github. labels Mar 27, 2020
@NM4
Author

NM4 commented Apr 7, 2020

Hello,

@sleshchenko, any update about this issue?

@sleshchenko
Member

sleshchenko commented Apr 7, 2020

@NM4 Hello, I just asked to clarify the issue, but it's out of my area and I'm not familiar with that codebase.
@vinokurig @azatsarynnyy Have you seen this issue? It should not be difficult to implement; if so, could we provide a quick fix?)

@azatsarynnyy
Member

certs aren't respected when importing a zip, see https://github.com/eclipse/che-theia/blob/a321800c8359efc062b3820610087a7ac40cafbc/plugins/workspace-plugin/src/theia-commands.ts#L203

labeling it as area/plugins as related to Che Theia Workspace Plugin

@azatsarynnyy azatsarynnyy added area/plugins and removed area/editor/theia Issues related to the che-theia IDE of Che labels Apr 7, 2020
@l0rd l0rd changed the title Che offline,With Tls signed by a corporate Authority, don't load zip samples from internal devfile registry. Che offline with untrusted TLS certs don't load zip samples from internal devfile registry Jul 29, 2020
@l0rd l0rd changed the title Che offline with untrusted TLS certs don't load zip samples from internal devfile registry Che offline using an untrusted TLS cert doesn't load zip samples from internal devfile registry Jul 29, 2020
@vitaliy-guliy
Contributor

vitaliy-guliy commented Jul 30, 2020

I get the same error when trying to add a custom plugin registry, which is on GitHub

2020-07-30 13:01:29.028 root INFO Cannot access the registry Params: Error: unable to get local issuer certificate
    at TLSSocket.onConnectSecure (_tls_wrap.js:1501:34)
    at TLSSocket.emit (events.js:315:20)
    at TLSSocket._finishInit (_tls_wrap.js:936:8)
    at TLSWrap.ssl.onhandshakedone (_tls_wrap.js:710:12)
2020-07-30 13:01:29.148 root INFO Unable to read plugin registry Params: https://raw.githubusercontent.com/vitaliy-guliy/che-theia-plugin-registry/master/plugins/plugins.json
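
An added example, not part of the original thread and not che-theia code: a Node.js download helper that adds the workspace CA (the /tmp/che/secret/ca.crt path mentioned above) to the default trust store instead of replacing it or disabling verification. The function names and the bundle-splitting step are assumptions made for illustration.

```javascript
// Added example (not che-theia code): trust an extra CA for HTTPS downloads
// while keeping certificate verification enabled.
const fs = require('node:fs');
const https = require('node:https');
const tls = require('node:tls');

// Path taken from the thread; every other name here is hypothetical.
const CHE_CA_PATH = '/tmp/che/secret/ca.crt';
const PEM_BLOCK = /-----BEGIN CERTIFICATE-----[\s\S]+?-----END CERTIFICATE-----/g;

// Split a PEM bundle into individual certificates (a corporate CA file
// often holds a root plus intermediates).
function splitPemBundle(text) {
  return text.match(PEM_BLOCK) || [];
}

// Build TLS options that extend, not replace, the default trust store.
// Passing only the extra CA in `ca` would replace Node's bundled roots, so
// public hosts (e.g. a registry on GitHub) would stop verifying.
function buildTlsOptions(caPath = CHE_CA_PATH) {
  const options = { rejectUnauthorized: true };
  let extra = [];
  try {
    extra = splitPemBundle(fs.readFileSync(caPath, 'utf8'));
  } catch (err) {
    if (err.code !== 'ENOENT') throw err; // an unreadable CA file is a real error
  }
  if (extra.length > 0) {
    options.ca = [...tls.rootCertificates, ...extra];
  }
  return options;
}

// Download `url` to `dest` using the options above.
function downloadZip(url, dest, caPath = CHE_CA_PATH) {
  return new Promise((resolve, reject) => {
    const req = https.get(url, buildTlsOptions(caPath), (res) => {
      if (res.statusCode !== 200) {
        res.resume();
        return reject(new Error(`unexpected HTTP status ${res.statusCode}`));
      }
      const out = fs.createWriteStream(dest);
      res.pipe(out);
      out.on('finish', () => resolve(dest));
      out.on('error', reject);
    });
    req.on('error', reject); // e.g. "unable to get local issuer certificate"
  });
}
```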
