Issue with self signed certificates when installing extensions #2987
Comments
Related to #986. |
Root issue is that You can work around this by telling the file not to require strictSSL and configuring an extra CA cert for node like this in your
"remoteEnv": {
    "NODE_EXTRA_CA_CERTS": ".devcontainer/corp_ca.crt"
},
"postCreateCommand": "sed -i -e 's/this\\.strictSSL=/this\\.strictSSL=false\\&\\&/g' $(find ~ -name *HostAgent.js)",
If anyone knows which directory |
I was able to fix the issue of extensions not installing properly to the remote container (company uses a self-signed MITM certificate) for my container (apachepulsar tutorial) with the following:
{
    "image": "apachepulsar/pulsar:2.7.0",
    "forwardPorts": [6650, 8080],
    "extensions": ["ms-python.python", "ms-python.vscode-pylance", "ms-vscode.cpptools"],
    "mounts": [
        "source=pulsardata,target=/pulsar/data",
        "source=pulsarconf,target=/pulsar/conf"
    ],
    "containerEnv": {
        "http_proxy": "<proxy URL>",
        "https_proxy": "<proxy URL>"
    },
    "postCreateCommand": "cp .devcontainer/mycert.crt /usr/local/share/ca-certificates/ && update-ca-certificates"
}
Edit: Seems like in 1.54, the postCreateCommand now runs in the background and doesn't finish before extensions are loaded in the Window. Simplest setup seems to do the cp/update ca portion in a Docker layer, then add |
@urscion, many thanks for sharing! Just my 2¢: If you are using docker-compose to start your dev containers (e.g.
|
Hi @nop-ea, I followed your advice and now I have this error during start:
Did you do something else except just giving this variable? Thanks! |
@ThePlenkov, the error message indicates that VS Code could not find the certificate file. In my example I just chose some path and filename, so it might be different in your case. Here is a more complete example, based on an Ubuntu image: First, create your image that will be used in your
FROM ubuntu:20.04
# install common CA certificates packages (includes update-ca-certificates command)
RUN apt-get update && apt-get install -y ca-certificates
# copy your additional certificates
COPY ./mycert.crt /usr/local/share/ca-certificates/
# updates file /etc/ssl/certs/ca-certificates.crt
RUN update-ca-certificates
The Now you can set the environment variable in your
Other Linux distributions need different commands but the procedure is the same. |
@urscion Does the |
Related to this there is the #5620 |
The root issue here seems to be that the extension host agent running on the container is ignoring |
I worked around this problem by adding NODE_EXTRA_CA_CERTS=/home/mike/ca-bundle.crt to the /etc/environment file on the host I was running vscode-server (remote) on. Then disconnected and reconnected vscode to the remote host. Extensions then loaded without error. I had to get the certificate bundle for our zScaler proxy (our CA Root cert and the signed proxy cert) and I stored that file in my home directory as ca-bundle.crt. Interestingly, I had already appended this cert bundle to /etc/pki/tls/certs/ca-certificates.crt, but it could be that node is expecting the system certs in some other location. In any case, adding a specific file using the environment variable above seems to work. |
So for the benefit of future generations, the nature of the problem here is that node (which vscode server has a packaged binary of) uses its own, pre-baked certificates for TLS. This means that when vscode server runs, it uses that same truststore for TLS validation. So even if you have a container where you bake in the certificate (or a server or whatever your remote runs on), it still won't work as that isn't used by node. The solutions above ( Node does support the As a side note, I also had to add |
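Added example, not part of the thread or of VS Code: a Node.js check of the file that NODE_EXTRA_CA_CERTS points at, covering the failure seen above (file not found) and comparing its contents with the CA store compiled into the node binary. The names `auditExtraCaFile` and `bundledFingerprints` are hypothetical; it assumes a Node.js version that provides `crypto.X509Certificate`.

```javascript
const fs = require('fs');
const tls = require('tls');
const { X509Certificate } = require('crypto');

const PEM_BLOCK = /-----BEGIN CERTIFICATE-----[\s\S]+?-----END CERTIFICATE-----/g;

// SHA-256 fingerprints of the CA certificates compiled into this node binary.
function bundledFingerprints() {
  return new Set(tls.rootCertificates.map((pem) => new X509Certificate(pem).fingerprint256));
}

// Audits an extra-CA file. Returns { problems: string[], certs: [...] } where each
// cert entry is { subject, isCA, expired, bundled }. An empty problems list means OK.
function auditExtraCaFile(path, now = new Date()) {
  if (!path) return { problems: ['NODE_EXTRA_CA_CERTS is not set'], certs: [] };
  const result = { problems: [], certs: [] };
  let text;
  try {
    text = fs.readFileSync(path, 'utf8');
  } catch (err) {
    // A missing or unreadable file leaves node with only its bundled CAs.
    result.problems.push(`cannot read ${path}: ${err.code}`);
    return result;
  }
  const blocks = text.match(PEM_BLOCK) || [];
  if (blocks.length === 0) result.problems.push(`${path} contains no PEM certificate`);
  const bundled = bundledFingerprints();
  blocks.forEach((pem, i) => {
    let cert;
    try {
      cert = new X509Certificate(pem);
    } catch (err) {
      result.problems.push(`certificate #${i + 1} does not parse: ${err.message}`);
      return;
    }
    const entry = {
      subject: cert.subject,
      isCA: cert.ca, // false means it is flagged for review, not trusted blindly
      expired: new Date(cert.validTo) < now,
      bundled: bundled.has(cert.fingerprint256), // true: node already trusts it
    };
    if (!entry.isCA) result.problems.push(`certificate #${i + 1} is not a CA certificate`);
    if (entry.expired) result.problems.push(`certificate #${i + 1} expired on ${cert.validTo}`);
    result.certs.push(entry);
  });
  return result;
}

console.log(auditExtraCaFile(process.env.NODE_EXTRA_CA_CERTS));
```

A corporate proxy CA should show up with `bundled: false`, `isCA: true` and `expired: false`; run the check with the same node binary and environment that the remote server uses.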
We have been using VS Code with Remote SSH extensions on servers with self-signed certs for 4 years now without any issues. Any idea why this is popping up as an error now? Is it specifically just certain extensions? For us, it is the C# Dev Kit extension. |
@xendren With which version did this change? We started loading system certificates on the remote host with VS Code 1.85. (For Remote-WSL and local Dev Containers we also load local certificates.) |
That is what we would like to know. Devs have been on that remote Linux server for about a year. We didn’t start receiving the cert error until they cleared their remote server cache and tried to reinstall the extensions. I cleared my cache and updated to the latest VS Code version, and received the error. It seems more like it used to work fine, but then was broken or something was changed with newer vs code version. |
@xendren Could you check if it works with VS Code 1.84? (Download links at the top of https://code.visualstudio.com/updates/v1_84.) |
Version: 1.45.0
Commit: d69a79b73808559a91206d73d7717ff5f798f23c
Date: 2020-05-07T15:57:33.467Z (5 days ago)
Electron: 7.2.4
Chrome: 78.0.3904.130
Node.js: 12.8.1
V8: 7.8.279.23-electron.0
OS: Darwin x64 18.7.0
I am using a very simple environment using a dockerfile behind a corporate network. I am able to install extensions locally fine without any issues however this fails when attempting to install them within the docker container
.devcontainer.json file:
Dockerfile
When the container is being built I then get the following messages
Note that the container still builds and runs fine, just that when I access it none of the extensions are installed. Though the extensions are all still listed (see screenshot below) and I can click through and manually install them all (with the exception of the python extension that still won't install)
Any advice on how to solve this would be appreciated