vscode: Github authentication fails with "certificate has expired"

[edit March 2021] I found a workaround but it requires lowering a security setting: https://github.com/microsoft/vscode/issues/97434#issuecomment-798972281

Issue Type: Bug

  1. open a repository that requires github authentication
  2. trigger a command such as git pull to trigger authentication
  3. accept in the browser, which returns back to vscode (happens both when I allow the URL scheme and when I copy/paste the token into the “signing into” prompt)
  4. I see Error: certificate has expired.

The github authentication output doesn’t say much:

[Info  - 00:08:30.34] Logging in...
[Info  - 00:08:40.313] Exchanging code for token...
[Error  - 00:08:41.515] Error: certificate has expired

I first reported this 4 months ago on the GitHub Pull Requests extension: https://github.com/microsoft/vscode-pull-request-github/issues/1474

The issue appears to be identical (except there’s no stack trace this time). There are other users who commented on my report with the same or similar issues.

Now that authentication has moved to VSCode core I guess the report belongs here, particularly since it is reproducible with all extensions disabled.

I don’t know if this is relevant, but I normally use SSH authentication to GitHub; git actions do not require authentication but extension actions do. I did a separate clone using HTTPS just to verify the issue happens for core actions as well.

VS Code version: Code 1.45.0 (d69a79b73808559a91206d73d7717ff5f798f23c, 2020-05-07T15:57:33.467Z) OS version: Darwin x64 19.4.0

System Info
Item Value
CPUs Intel® Core™ i7-6567U CPU @ 3.30GHz (4 x 3300)
GPU Status 2d_canvas: enabled
flash_3d: enabled
flash_stage3d: enabled
flash_stage3d_baseline: enabled
gpu_compositing: enabled
metal: disabled_off
multiple_raster_threads: enabled_on
oop_rasterization: disabled_off
protected_video_decode: unavailable_off
rasterization: enabled
skia_renderer: disabled_off_ok
video_decode: enabled
viz_display_compositor: enabled_on
viz_hit_test_surface_layer: disabled_off_ok
webgl: enabled
webgl2: enabled
Load (avg) 4, 5, 4
Memory (System) 16.00GB (0.93GB free)
Process Argv –disable-extensions .
Screen Reader no
VM 0%
Extensions disabled

About this issue

  • Original URL
  • State: closed
  • Created 4 years ago
  • Reactions: 5
  • Comments: 21 (2 by maintainers)

Most upvoted comments

I just fixed a similar problem with a different extension after this issue clued me in that the problem was profile specific (this article was also a helpful clue).

Steps:

  1. Open up Keychain Access
  2. View > Show Expired Certificates
  3. Sort the login keychain by expire date
  4. Look for a set of 3 certificates (AddTrust and USERTRUST and one other) that had expired May 30, 2020 (the expired ones you need to remove may be something else)
  5. Delete those certificates

I think the issue was that for some reason my Mac keychain held on to an expired certificate and VSCode — or the version of node bundled into Electron in VSCode — for some reason was relying on that expired certificate ahead of the rest of the certificates available on my machine as part of the default root authorities — which is why openssl and browsers were able to connect to the server, but not VSCode, until the expired certificates were removed entirely from my login keychain.

+5
samsawyer on Apr 1, 2021

I am seeing the same error now with recent vscode:

Version: 1.45.1 Commit: 5763d909d5f12fe19f215cbfdd29a91c0fa9208a Date: 2020-05-14T08:33:47.663Z (1 wk ago) Electron: 7.2.4 Chrome: 78.0.3904.130 Node.js: 12.8.1 V8: 7.8.279.23-electron.0 OS: Darwin x64 19.4.0

+4
Morriz on May 26, 2020

I was able to work around the issue by temporarily dropping the security settings. I ran NODE_TLS_REJECT_UNAUTHORIZED=0 code in the terminal, signed in, then quit and reloaded it the normal way. The extension still works, so it’s just the connection to vscode-auth.github.com that is failing.

I found #102252 which suggests this was an electron problem but fixed in October. I tried running openssl s_client -showcerts -servername vscode-auth.github.com -connect vscode-auth.github.com:443 and it connected successfully, confirming this is an issue specific to my vscode configuration not a general machine problem.

+2
TheSpyder on Mar 14, 2021

Thanks for the tip @samsawyer! I can confirm deleting certificates that expired in May 2020 resolved it for me too.

I figured it had to be profile specific, since it worked on a fresh install, but my research pointed to NodeJS using a custom certificate list not the system keychain. I’m very happy to see a workaround after so long without this.

I’m leaving the issue open because I believe vscode should provide a better error for this, at the very least.

+1
TheSpyder on Apr 2, 2021

I can confirm that @samsawyer 's trick worked for me. I had about 8 expired certificates. Once deleted I was able to connect with github 🎉. Thanks @samsawyer

+1
marcandre on Apr 1, 2021

Just so this isn’t marked as inactive again, this still happens on VSCode insiders and release for me. But only on the migrated profile. Here’s a screenshot: Screen Shot 2021-03-04 at 7 28 57 pm

+1
TheSpyder on Mar 4, 2021

I expected as much, because the other ticket has had only a few people respond in the months since I logged it. I am not using GitHub enterprise, just standard GitHub (the same account I’m logging this ticket with). The auth website loads fine in my browser and I have tried multiple browsers.

I fully expect it is something specific about my macOS configuration, I have tried this on both home and work internet so it probably isn’t a firewall issue. I’m happy to run any diagnostic tool you need to help track this down. Here’s a video recording of what I see: Screen Recording 2020-05-17 at 3.38.57 pm

+1
TheSpyder on May 17, 2020
Read more comments on GitHub
← vscode: Git: Repository not detected if root folder ends in [space]
vscode: GitHub Commit error after June VS Code update →