Error: self signed certificate in certificate chain #3723

Closed
chpurna opened this issue Jan 12, 2019 · 10 comments

chpurna commented Jan 12, 2019

Issue Type: Bug

When trying to "add account" getting error: 'Error: self signed certificate in certificate chain'. Issue is same with both Installer and zip file. Got admin permissions on the machine... and tried running the ".exe" as admin... no luck

Azure Data Studio version: azuredatastudio 1.3.8 (84009f6, 2019-01-08T23:59:38.228Z)
OS version: Windows_NT x64 10.0.17763

System Info

| Item | Value |
|---|---|
| CPUs | Intel(R) Core(TM) i7-7600U CPU @ 2.80GHz (4 x 2904) |
| GPU Status | 2d_canvas: enabled; checker_imaging: disabled_off; flash_3d: enabled; flash_stage3d: enabled; flash_stage3d_baseline: enabled; gpu_compositing: enabled; multiple_raster_threads: enabled_on; native_gpu_memory_buffers: disabled_software; rasterization: enabled; video_decode: enabled; video_encode: enabled; webgl: enabled; webgl2: enabled |
| Memory (System) | 31.88GB (21.35GB free) |
| Process Argv | C:\Purna\Tools\azuredatastudio-windows\azuredatastudio.exe |
| Screen Reader | no |
| VM | 0% |

Extensions: none

@kburtram
Member

@chpurna to clarify, the error is popping as a notification window in Azure Data Studio, or surfacing elsewhere?

@chpurna
Author

chpurna commented Jan 12, 2019

Error is popping up as a new window...

image

@chpurna
Author

chpurna commented Jan 12, 2019

Another screenshot from developer tools (Azure Data Studio -> Help -> Toggle Developer Tools).

image

@chpurna
Author

chpurna commented Jan 12, 2019

and %APPDATA%\azuredatastudio\Azure Accounts is empty.

Developer tools log:
17:06:24.657 C:\SOURCE\azuredatastudio-windows\resources\app\node_modules\zone.js\dist\zone-node.js:2280 [main 5:06:24 PM] Error while adding account: Error: self signed certificate in certificate chain
Zone.__load_patch.consoleMethods.forEach.console.(anonymous function) @ C:\SOURCE\azuredatastudio-windows\resources\app\node_modules\zone.js\dist\zone-node.js:2280
error @ workbench.main.js:342
(anonymous) @ workbench.main.js:103532
notifyError @ workbench.main.js:17735
enter @ workbench.main.js:17421
_run @ workbench.main.js:17594
_error @ workbench.main.js:17567
error @ workbench.main.js:17263
ZoneDelegate.invoke @ C:\SOURCE\azuredatastudio-windows\resources\app\node_modules\zone.js\dist\zone-node.js:388
Zone.run @ C:\SOURCE\azuredatastudio-windows\resources\app\node_modules\zone.js\dist\zone-node.js:138
(anonymous) @ C:\SOURCE\azuredatastudio-windows\resources\app\node_modules\zone.js\dist\zone-node.js:872
ZoneDelegate.invokeTask @ C:\SOURCE\azuredatastudio-windows\resources\app\node_modules\zone.js\dist\zone-node.js:421
Zone.runTask @ C:\SOURCE\azuredatastudio-windows\resources\app\node_modules\zone.js\dist\zone-node.js:188
drainMicroTaskQueue @ C:\SOURCE\azuredatastudio-windows\resources\app\node_modules\zone.js\dist\zone-node.js:595
ZoneTask.invokeTask @ C:\SOURCE\azuredatastudio-windows\resources\app\node_modules\zone.js\dist\zone-node.js:500
ZoneTask.ZoneTask.cancelFn.invoke @ C:\SOURCE\azuredatastudio-windows\resources\app\node_modules\zone.js\dist\zone-node.js:485
emitOne @ events.js:116
emit @ events.js:211
addChunk @ _stream_readable.js:263
readableAddChunk @ _stream_readable.js:250
Readable.push @ _stream_readable.js:208
onread @ net.js:594
17:06:24.667 C:\SOURCE\azuredatastudio-windows\resources\app\node_modules\zone.js\dist\zone-node.js:2280 ERR self signed certificate in certificate chain: Error: self signed certificate in certificate chain
at TLSSocket.<anonymous> (_tls_wrap.js:1103:38)
at emitNone (events.js:106:13)
at TLSSocket.emit (events.js:208:7)
at TLSSocket._finishInit (_tls_wrap.js:637:8)
at TLSWrap.ssl.onhandshakedone (_tls_wrap.js:467:38)
17:06:24.668 C:\SOURCE\azuredatastudio-windows\resources\app\node_modules\zone.js\dist\zone-node.js:2280 WARNING: Promise with no error callback:72
17:06:24.668 C:\SOURCE\azuredatastudio-windows\resources\app\node_modules\zone.js\dist\zone-node.js:2280 {exception: null, error: Error: self signed certificate in certificate chain
at TLSSocket.<anonymous> (_tls_wrap.js:1103:38)…, promise: Promise_ctor, handler: undefined, id: 72, …}

@kburtram kburtram self-assigned this Jan 18, 2019
@kburtram
Member

@chpurna the issue here appears to be that there is something in the environment that is doing inspection of HTTPS traffic (firewall, antivirus software, etc.). This requires installing a self-signed certificate to decode the HTTPS traffic.

Unfortunately, Node.JS bundles its own CA list and doesn't use the Windows Certificate Authority store (see details at nodejs/node#4175). There is presumably a CA cert in the Windows Trust Store for whatever is decoding the traffic which is why non-Node.js applications are working properly. There are various workarounds, but no good ones that can be done without updating the application.

The following environment variable will turn off Node.JS certificate validation: set NODE_TLS_REJECT_UNAUTHORIZED=0. Though this will disable the security mechanism that is being triggered here, which prevents Man-in-the-Middle attacks. Alternatively, if ADS can be configured to bypass whatever is decoding the HTTPS traffic, that would also work.

@chpurna
Author

chpurna commented Jan 18, 2019

@kburtram, thank you for the update... if Node.JS has its own CA list, why is the same version of ADS working for someone and not for others, please?

@chpurna
Author

chpurna commented Jan 18, 2019

Also, there seems to be an npm package update as below to read CAs from the Windows store. Please check if this helps to update Node.JS for ADS.

https://www.npmjs.com/package/system-ca-win32?activeTab=readme

@kburtram
Member

The bundled CA list is only an issue if you have a component decoding HTTPS traffic in your environment. You’d want to determine what is inspecting the HTTPS traffic in one environment and use the same component in the other environment to repro the issue there.

The npm module you referenced is a separate library that would need to be adopted by upstream components and ADS Azure components. This would require product changes to ADS and other external components.

@WorldMaker

Note that setting NODE_EXTRA_CA_CERTS to the location of a file containing your local CA certificate is probably preferable to setting NODE_TLS_REJECT_UNAUTHORIZED=0.

@kburtram
Member

Closing as an upstream issue in Node.JS. Please use the workaround listed above to work around this issue. Thanks for reporting!
