Respect the OS certificate store

[qc00]

Describe the bug
The "GitHub Actions language server" doesn't use Root certificates installed on Windows, so incompatible with an SSL-inspecting firewall.

Most other extensions in VSCode work just fine and are able to access HTTPS endpoints correctly. I presume they use a different API.

To Reproduce

1. Be in an enterprise environment with an SSL-inspecting/MITM firewall that uses certificates issued by an internal CA.
2. Open any workflow yml file
3. In the ouptuts:

Failure to retrieve username:  Os [HttpError]: request to https://api.github.com/user failed, reason: self signed certificate in certificate chain
    at c:\Users\***\.vscode\extensions\github.vscode-github-actions-0.25.2\dist\server-node.js:2:2783247
    at process.processTicksAndRejections (node:internal/process/task_queues:96:5)
    at async c:\Users\***\.vscode\extensions\github.vscode-github-actions-0.25.2\dist\server-node.js:2:2855206
    at async fa.get (c:\Users\***\.vscode\extensions\github.vscode-github-actions-0.25.2\dist\server-node.js:2:2865045)
    at async c:\Users\***\.vscode\extensions\github.vscode-github-actions-0.25.2\dist\server-node.js:2:2855141
    at async aa (c:\Users\***\.vscode\extensions\github.vscode-github-actions-0.25.2\dist\server-node.js:2:2855108)
    at async c:\Users\***\.vscode\extensions\github.vscode-github-actions-0.25.2\dist\server-node.js:2:2858843
    at async Object.getContext (c:\Users\***\.vscode\extensions\github.vscode-github-actions-0.25.2\dist\server-node.js:2:2858799)
    at async ni (c:\Users\***\.vscode\extensions\github.vscode-github-actions-0.25.2\dist\server-node.js:2:2732594)
    at async ln (c:\Users\***\.vscode\extensions\github.vscode-github-actions-0.25.2\dist\server-node.js:2:2757296) {
  status: 500,
  request: {
    method: 'GET',
    url: 'https://api.github.com/user',
    headers: {
      accept: 'application/vnd.github.v3+json',
      'user-agent': 'VS Code GitHub Actions (0.25.2) octokit-rest.js/19.0.7 octokit-core.js/4.1.0 Node.js/16.14.2 (win32; x64)',
      authorization: 'token [REDACTED]'
    },
    request: { hook: [Function: bound bound e] }
  }
}

Expected behavior
Certificates trusted by Windows are accepted.

Extension Version
v0.25.2

Additional context
I wonder if it's HSTS?

[CharlesNadolski]

I'm having the same exact issue on my corporate device. We are behind the ZScaler proxy. Using the win-ca extension did not work as a workaround.

[beeequeue]

Can confirm this issue is also present on Mac.

To be more specific, it's only the language server that is not using it on Mac, the sidebar is working and showing workflow runs.

[CharlesNadolski]

Can confirm this issue is also present on Mac.

To be more specific, it's only the language server that is not using it on Mac, the sidebar is working and showing workflow runs.

Same behavior on Windows. At least it's consistent.

[william-grant-cko]

Same here, Windows VSCode, the GitHub Copilot extension logs in fine after installing the win-ca, but this extension did not!

[ohcnkk]

Having the same issue on M1 MacOS Ventura.
Version: v0.25.5

Failure to retrieve username:  Ms [HttpError]: request to https://api.github.com/user failed, reason: self signed certificate in certificate chain
    at /Users/***/.vscode/extensions/github.vscode-github-actions-0.25.5/dist/server-node.js:2:2785150
    at process.processTicksAndRejections (node:internal/process/task_queues:96:5)
    at async /Users/***/.vscode/extensions/github.vscode-github-actions-0.25.5/dist/server-node.js:2:2857109
    at async wa.get (/Users/***/.vscode/extensions/github.vscode-github-actions-0.25.5/dist/server-node.js:2:2867017)
    at async /Users/***/.vscode/extensions/github.vscode-github-actions-0.25.5/dist/server-node.js:2:2857044
    at async la (/Users/***/.vscode/extensions/github.vscode-github-actions-0.25.5/dist/server-node.js:2:2857011)
    at async /Users/***/.vscode/extensions/github.vscode-github-actions-0.25.5/dist/server-node.js:2:2860815
    at async Object.getContext (/Users/***/.vscode/extensions/github.vscode-github-actions-0.25.5/dist/server-node.js:2:2860771)
    at async oi (/Users/***/.vscode/extensions/github.vscode-github-actions-0.25.5/dist/server-node.js:2:2734023)
    at async gn (/Users/***/.vscode/extensions/github.vscode-github-actions-0.25.5/dist/server-node.js:2:2759318) {
  status: 500,
  request: {
    method: 'GET',
    url: 'https://api.github.com/user',
    headers: {
      accept: 'application/vnd.github.v3+json',
      'user-agent': 'VS Code GitHub Actions (0.25.5) octokit-rest.js/19.0.7 octokit-core.js/4.1.0 Node.js/16.14.2 (darwin; arm64)',
      authorization: 'token [REDACTED]'
    },
    request: { hook: [Function: bound bound e] }
  }
}
[Error - 13:40:08] Failed to fetch action metadata for actions/checkout/v3: 'request to https://api.github.com/repos/actions/checkout/contents/action.yml?ref=v3 failed, reason: self signed certificate in certificate chain'
[Error - 13:40:08] Unhandled error while validating: request to https://api.github.com/user failed, reason: self signed certificate in certificate chain

[Fachep]

I'm using a locally hosted reverse proxy to get past a hostname ban, not system proxy(which works fine) but the hosts file redirecting to localhost:443. Seems I'm having the same problem but with differient logs:

Failure to retrieve username:  Ms [HttpError]: request to https://api.github.com/user failed, reason: unable to verify the first certificate
    at c:\Users\mail\.vscode\extensions\github.vscode-github-actions-0.25.6\dist\server-node.js:2:2785192
    at process.processTicksAndRejections (node:internal/process/task_queues:96:5)
    at async c:\Users\mail\.vscode\extensions\github.vscode-github-actions-0.25.6\dist\server-node.js:2:2857151
    at async va.get (c:\Users\mail\.vscode\extensions\github.vscode-github-actions-0.25.6\dist\server-node.js:2:2867091)
    at async c:\Users\mail\.vscode\extensions\github.vscode-github-actions-0.25.6\dist\server-node.js:2:2857086
    at async la (c:\Users\mail\.vscode\extensions\github.vscode-github-actions-0.25.6\dist\server-node.js:2:2857053)
    at async c:\Users\mail\.vscode\extensions\github.vscode-github-actions-0.25.6\dist\server-node.js:2:2860857
    at async Object.getContext (c:\Users\mail\.vscode\extensions\github.vscode-github-actions-0.25.6\dist\server-node.js:2:2860813)
    at async oi (c:\Users\mail\.vscode\extensions\github.vscode-github-actions-0.25.6\dist\server-node.js:2:2734065)
    at async gn (c:\Users\mail\.vscode\extensions\github.vscode-github-actions-0.25.6\dist\server-node.js:2:2759360) {
  status: 500,
  request: {
    method: 'GET',
    url: 'https://api.github.com/user',
    headers: {
      accept: 'application/vnd.github.v3+json',
      'user-agent': 'VS Code GitHub Actions (0.25.6) octokit-rest.js/19.0.7 octokit-core.js/4.1.0 Node.js/16.14.2 (win32; x64)',
      authorization: 'token [REDACTED]'
    },
    request: { hook: [Function: bound bound e] }
  }
}
[Error - 07:47:04] Failed to fetch action metadata for actions/checkout/v3: 'request to https://api.github.com/repos/actions/checkout/contents/action.yml?ref=v3 failed, reason: unable to verify the first certificate'
[Error - 07:47:04] Failed to fetch action metadata for actions/cache/v3: 'request to https://api.github.com/repos/actions/cache/contents/action.yml?ref=v3 failed, reason: unable to verify the first certificate'

[jtamsut]

Hey 👋. Can you confirm that the certificate you are using is in your Certificate Trust Chain? Here are the docs for troubleshooting this issue with Copilot. It might be the case that adding your self-signed certificate to the OS trust chain solves this problem for you.

[qc00]

Most other extensions in VSCode work just fine and are able to access HTTPS endpoints correctly.

the sidebar is working and showing workflow runs.

TL;DR Most extensions, including the sidebar of the Actions extension, are able to accept the certificate presented by the SSL-inspecting firewall, but the language server of the Actions extension does not.

[jtamsut]

Took some time to investigate this issue. Was able to reproduce this locally by setting up Charles to act as a MITM SSL proxy for all GitHub API requests (requests made to https://api.github.com).

The root cause of this is that we aren't reading in and passing root certificates to Node.js when making requests from within the extension. The Octokit REST API client (which we are using to make requests to the GitHub API) allows you to pass in an "agent" into requests. This looks something like this:

const octokit = new Octokit({
   request: {
      agent: NodeHTTPSAgent
   }
}

We should creating a Node HTTPs agent and pass that into Octokit as the agent:

import {Agent} from "node:https";

const httpsAgent = new Agent({
   ca: selfSignedCerts
});

There are a few complications here as one of our goals is to make the language server work in the browser so we will need to polyfill any Node.js APIs. Other VSCode extensions have used win-ca and mac-ca to read in certificates from the OS's certificate store. For interacting with an OS's certificate store we will need OS-specific implementations as the APIs are different on Windows, Linux (Ubuntu) and MacOS.

We are going to put this issue down for now but keep it open for future investigation/implementation.

[qc00]

That's a shame. VSCode should really provide a common solution for other Node.js codebases.

One thought is the side-bar part of this extension works, so whatever way it uses to make web requests is compatible. I presume that's because that part runs in VSCode instead of starting its own process? In which case, is it possible to run some code in VSCode as a proxy to handle web requests for the language server process?

[channyein87]

I have a workaround step to work.

1. Open the terminal and set environment variable NODE_TLS_REJECT_UNAUTHORIZED to 0.
2. Then open the VSCode using the code command. https://code.visualstudio.com/docs/setup/mac#_launching-from-the-command-line

$ export NODE_TLS_REJECT_UNAUTHORIZED="0"
$ code git-repo-directry

I can now see some warning but the certificate error is gone in the extension log.

[konstantindt]

In https://github.com/octokit/request.js/releases/tag/v7.0.0 node-fetch is removed. When this Octokit REST API client change trickles down here perhaps the implementation can start supporting the NODE_EXTRA_CA_CERTS environment variable - node-fetch doesn't.

[jamesholland-uk]

This issue means I will have to disable the extension for now; this popup flashing up multiple times in the bottom-right corner as the mouse moves around a GHA workflow file is just too annoying sadly

[classicrocker883]

this issue still remains in 2024

[Ppeepost4489]

Describe the bug
The "GitHub Actions language server" doesn't use Root certificates installed on Windows, so incompatible with an SSL-inspecting firewall.

Most other extensions in VSCode work just fine and are able to access HTTPS endpoints correctly. I presume they use a different API.

To Reproduce

1. Be in an enterprise environment with an SSL-inspecting/MITM firewall that uses certificates issued by an internal CA.
2. Open any workflow yml file
3. In the ouptuts:

Failure to retrieve username:  Os [HttpError]: request to https://api.github.com/user failed, reason: self signed certificate in certificate chain
    at c:\Users\***\.vscode\extensions\github.vscode-github-actions-0.25.2\dist\server-node.js:2:2783247
    at process.processTicksAndRejections (node:internal/process/task_queues:96:5)
    at async c:\Users\***\.vscode\extensions\github.vscode-github-actions-0.25.2\dist\server-node.js:2:2855206
    at async fa.get (c:\Users\***\.vscode\extensions\github.vscode-github-actions-0.25.2\dist\server-node.js:2:2865045)
    at async c:\Users\***\.vscode\extensions\github.vscode-github-actions-0.25.2\dist\server-node.js:2:2855141
    at async aa (c:\Users\***\.vscode\extensions\github.vscode-github-actions-0.25.2\dist\server-node.js:2:2855108)
    at async c:\Users\***\.vscode\extensions\github.vscode-github-actions-0.25.2\dist\server-node.js:2:2858843
    at async Object.getContext (c:\Users\***\.vscode\extensions\github.vscode-github-actions-0.25.2\dist\server-node.js:2:2858799)
    at async ni (c:\Users\***\.vscode\extensions\github.vscode-github-actions-0.25.2\dist\server-node.js:2:2732594)
    at async ln (c:\Users\***\.vscode\extensions\github.vscode-github-actions-0.25.2\dist\server-node.js:2:2757296) {
  status: 500,
  request: {
    method: 'GET',
    url: 'https://api.github.com/user',
    headers: {
      accept: 'application/vnd.github.v3+json',
      'user-agent': 'VS Code GitHub Actions (0.25.2) octokit-rest.js/19.0.7 octokit-core.js/4.1.0 Node.js/16.14.2 (win32; x64)',
      authorization: 'token [REDACTED]'
    },
    request: { hook: [Function: bound bound e] }
  }
}

Expected behavior
Certificates trusted by Windows are accepted.

Extension Version
v0.25.2

Additional context
I wonder if it's HSTS?