"unable to get local issuer certificate" attempting to install extensions into dev container by code-server on dev container build #187716
Comments
djjlewis
changed the title
chrmarti
added
bug
|
As a workaround you could try setting |
|
Amazing.. that seems to have fixed it for now, thanks! |
|
I get the same issue with zscaler when trying to install and extension from the command line e.g. $ code --install-extension Shopify.ruby-lsp Installing extensions...
unable to get local issuer certificate
Failed Installing Extensions: shopify.ruby-lspIts strange because if I start the gui and then install the extension with clicks it works fine. |
|
I am having this same exact issue only I'm on MacOS. I tried all the tricks the OP suggested - all to no avail. I also tried adding: "containerEnv" {
"NODE_EXTRA_CA_CERTS": "/usr/share/ca-certificates/zscaler/ZscalerRootCertificate-2048-SHA256.crt"
},I am not sure if setting this env var takes place before/after the ...to the The only way I could get the dev container built was to totally exit ZScaler, but we're not really supposed to do that. I also tried adding: COPY ZscalerRootCertificate-2048-SHA256.crt /usr/share/ca-certificates/zscaler/
RUN echo "zscaler/ZscalerRootCertificate-2048-SHA256.crt" >> /etc/ca-certificates.conf \
&& update-ca-certificates
ENV NODE_EXTRA_CA_CERTS=/etc/ssl/certs/ca-certificates.crt...to the |
|
@wolfch-elsevier Maybe check if |
|
@chrmarti I thought the devcontainer features were being installed from within the container, but no - it's part of the image building process, so the host needs the extra cert configured. So I just needed to set: Then run "devcontainer up". but I'll leave the setting |
This solves a problem I've been struggling with for months. I am wishing the documentation on these sorts of fixes were more readily available for those of us behind a proxy. |
|
More details: https://code.visualstudio.com/docs/setup/network#_legacy-proxy-server-support Specific GitHub issues tracking the feature improvements to make this work properly: |
In a VS Code extension debug host on Linux, all GraphQL requests fail with a TLS error `cannot find local issuer certificate`. This fixes that issue. This started occurring for me on VS Code 1.93.0. I can't find anything about it online, although microsoft/vscode#187716 *might* be related. This fix seems harmless and has been a long-recommended way of adding CAs anyway (https://stackoverflow.com/questions/68896243/how-to-properly-configure-node-js-to-use-self-signed-root-certificates).
In a VS Code extension debug host on Linux, all GraphQL requests fail with a TLS error `cannot find local issuer certificate`. This fixes that issue. This started occurring for me on VS Code 1.93.0. I can't find anything about it online, although microsoft/vscode#187716 *might* be related. This fix seems harmless and has been a long-recommended way of adding CAs anyway (https://stackoverflow.com/questions/68896243/how-to-properly-configure-node-js-to-use-self-signed-root-certificates). ## Test plan On Linux, run Cody in the debug extension host and ensure that the chat window signs in upon initial load.
@wolfch-elsevier I've the same problem with extensions on latest vscode! Where do I place the export statement to get it working? |
worked for me on a mac arm |
Does this issue occur when all extensions are disabled?: N/A
Steps to Reproduce:
In this case the extensions are not installed.
I can confirm that extensions are fine to be installed when in the local VS Code environment.
There are also no problems when installing from a WSL remote session.
Interestingly, I can also install the extensions once I am inside the dev container.
The problem seems to be specifically with this
code-servercommand:/home/vscode/.vscode-server/bin/660393deaaa6d1996740ff4880f1bad43768c814/bin/code-server --log debug --force-disable-user-env --server-data-dir /home/vscode/.vscode-server --use-host-proxy --telemetry-level all --accept-server-license-terms --host 127.0.0.1 --port 0 --connection-token-file /home/vscode/.vscode-server/data/Machine/.connection-token-660393deaaa6d1996740ff4880f1bad43768c814 --extensions-download-dir /home/vscode/.vscode-server/extensionsCache --install-extension jebbs.plantuml --install-extension yzhang.markdown-all-in-one --install-extension DavidAnson.vscode-markdownlint --install-extension shd101wyy.markdown-preview-enhanced --install-extension darkriszty.markdown-table-prettify --install-extension marvhen.reflow-markdown --start-server --disable-websocket-compressionIf I run this manually from the terminal inside the dev container, I can see the following certificate errors:
I can only assume this is related to the fact I am using a corporate device that is configured to use Zscaler with custom Root CA installed. (testing no a personal device with same dev container is fine)
If I try the same command but use
codeinstead ofcode-server, then the extensions install fine. If I install them from the Extensions pane in the UI, they also install OK. It just seems to be code-server that causes this issue.I note there is parameter
--use-host-proxyI have tried removing this, but still have the same issue.I have tried numerous proxy settings, both on the host and the dev container, either explicitly setting a proxy address, or leaving blank, disabling completely and using combinations of
"http.proxyStrictSSL": false/"http.proxyStrictSSL": true"I have also tried installing the Zscaler Root CA and intermediate certificates directly in the dev container by copying
.crtfiles into/usr/local/share/ca-certificatesand runningupdate-ca-certificates. They are already installed on my Windows laptop and I have tried thewin-caextension to either append or replace. Downloading the extensions from the dev container using either curl or wget also works fine.Nothing I have tried seems to be able to get rid of the unable to get local issuer certificate message when the extensions are attempted to be installed by code-server.
Any thoughts / assistance / guidance greatly appreciated!
The text was updated successfully, but these errors were encountered: