
Need a way to trust root CA certs other than turning off SSL #3918

Closed
southwood opened this issue Oct 27, 2020 · 7 comments
Assignee: chrmarti
Labels: *duplicate (Issue identified as a duplicate of another issue(s)), feature-request (Request for new features or functionality), proxy (Issues regarding network proxies)

Comments

@southwood (Author) opened this issue Oct 27, 2020

Currently the only way to run VSCode within a corporate network which uses SSL proxying is to disable SSL entirely. For example, with ZScaler I need to set "http.proxyStrictSSL": false. This is okay as a short-term work-around but not acceptable for general use.

Also, this doesn't seem to work for extensions or within a dev container. The container is configured to trust the CA certs, but it looks like VSCode pulls in host system CAs when installing extensions in the container. This is partially fixed by setting "http.systemCertificates": true as discussed here.

Please implement a setting to configure additional root CA certs. Maybe a setting to specify a cert which would then be loaded via something like this?

@joaomoreno (Member) commented Oct 28, 2020

Actually the way is clear:

Since Chromium uses the OS's certificate trust infrastructure, the preferred option is to add your proxy's certificate to your OS's trust chain. See the Chromium Root Certificate Policy documentation to learn more.

https://code.visualstudio.com/docs/setup/network#_ssl-certificates

Why not add those certs to your machine's cert store?

@southwood (Author) commented

Thanks, @joaomoreno. I have the certs in my machine's cert store. I still see SSL errors when loading extensions:

[1645221 ms] Start: Run in container: cd /root/.vscode-server/bin/<>; export VSCODE_AGENT_FOLDER=/root/.vscode-server; /root/.vscode-server/bin/<>/server.sh --extensions-download-dir /root/.vscode-server/extensionsCache --install-extension ms-python.python --force
[1646705 ms] Installing extensions...
[1646706 ms] unable to get local issuer certificate
[1646706 ms] Exit code 1
[1646706 ms] Start: Run in container: ls /root/.vscode-server/extensionsCache || true

It looks like the bash script server.sh invokes a Node.js script. I have /root/.npmrc configured to also use the appropriate root CA certs in the container. Do you know what the --install-extension runtime would need in order to trust additional CAs?

@joaomoreno (Member) commented

Oh. The --install-extension runtime has the same problem as extensions... and would need the same fix as microsoft/vscode#12588

There is no current workaround afaik. Maybe @chrmarti would know more.

@joaomoreno joaomoreno assigned chrmarti and unassigned joaomoreno Oct 29, 2020
@chrmarti chrmarti transferred this issue from microsoft/vscode Oct 29, 2020
@chrmarti (Contributor) commented

Related: #986

@chrmarti chrmarti added feature-request Request for new features or functionality proxy Issues regarding network proxies labels Oct 29, 2020
@chrmarti chrmarti modified the milestones: Backlog Candidates, Backlog Oct 29, 2020
@chrmarti (Contributor) commented Nov 5, 2020

Continuing in #2987.

@chrmarti chrmarti closed this as completed Nov 5, 2020
@chrmarti chrmarti removed this from the Backlog milestone Nov 5, 2020
@chrmarti chrmarti added the *duplicate Issue identified as a duplicate of another issue(s) label Nov 5, 2020
@southwood (Author) commented

The work-around is setting "http.proxyStrictSSL": false for the context used by remoteExtensionHostAgent.js. You can drop a settings.json somewhere in the .vscode-server directory tree, and it gets picked up by this.

Instead of toggling this with the settings file it should work with any CAs if you pull the global /root/.npmrc from the docker container. If it has a cafile set, use that regardless of the strictSSL setting that is composed by reading proxy config from settings.json. The way it is currently implemented prevents a solution where SSL stays enabled.

@github-actions github-actions bot locked and limited conversation to collaborators Dec 20, 2020