vscode: Happened Again - Requests to servers using letsencrypt's new root certificate fail verifiction

Does this issue occur when all extensions are disabled?: Yes/No

VS Code Version: 1.62.1
OS Version: Windows_NT x64 10.0.18362

More details:

Version: 1.62.1 (user setup) Commit: f4af3cbf5a99787542e2a30fe1fd37cd644cc31f Date: 2021-11-05T10:57:55.946Z Electron: 13.5.2 Chrome: 91.0.4472.164 Node.js: 14.16.0 V8: 9.1.269.39-electron.0 OS: Windows_NT x64 10.0.18362

Steps to Reproduce:

The same steps as the problems: #134244 and #134245.

About this issue

Original URL
State: closed
Created 3 years ago
Reactions: 28
Comments: 22 (8 by maintainers)

Commits related to this issue

Add warning about configuration needed to be able to make api calls Refer to this issue for more info: https://github.com/microsoft/vscode/issues/136787 Settings changed are the following: https://git... — committed to codeurjc-students/2019-VSCode4Teaching by ivchicano 3 years ago
Automatically set http.systemCertificates: false as a workaround With the setting on (the default), Electron will pull in the expired DST Root CA X3 certificate from the OS, and prefer it over the no... — committed to SpaceManiac/vscode-dm-langclient by SpaceManiac 3 years ago

Most upvoted comments

As a workaround, it seems to work if the user sets this option in user settings in VSCode

"http.systemCertificates": false,

On Windows 10 our extension can’t make api calls unless the user changes this setting

+16

ivchicano on Nov 15, 2021

I have linked this issue to the Electron 16 update PR. As for timeline, Electron 16 is planned for insiders testing in December 2021 milestone.

deepak1556 on Nov 23, 2021

Sorry for the delay in getting back to this issue, firstly I was able to confirm the issue on windows. Based on https://github.com/microsoft/vscode/issues/136787#issuecomment-968771447 it seems application adds root CA from the OS to the node network stack used in the extension host by https://github.com/microsoft/vscode/issues/52880.

As explained in https://github.com/microsoft/vscode/issues/136787#issuecomment-964627419 due to the fix implemented in Electron versions <= 15, building certificate chains from the OS that carries the expired DST Root CA X3 certificate will fail.

I would suggest to use the setting http.systemCertificates: false till we update to Electron 16 which we are actively looking into.

deepak1556 on Nov 15, 2021

Same issue, server-rendered preview in the PlantUML extension (jebbs.plantuml) is broken due to this error.

Version: 1.62.1 (user setup) OS: Windows_NT x64 10.0.19042

a-bronx on Nov 11, 2021

confirmed working in 1.66, thanks ❤️

larshp on Mar 31, 2022

Did not make it into the January release, hoping for February 🤩

larshp on Feb 4, 2022

I removed the expired DST Root CA X3 from the windows trust store and it solved the issue for me. (I didn’t set http.systemCertificates: false).

Windows will automatically refetch the cert, so removal isn’t a option.

viceice on Jan 28, 2022

@deepak1556 thanks, looking at https://github.com/microsoft/vscode/issues/136630 it seems like Electron 16 update is not part of this iteration? I’m not sure how much effort it is, but are we looking at half a year, or few months ahead?

larshp on Nov 16, 2021

Same issue, server-executed symbolic execution of rust-based smart contracts with SafePKT extension (v0.2.10), broken due to this error.

Version: 1.62.1 OS: Ubuntu 20.10

Thank you @AlencarGabriel for having reported this issue in the first place!

thierrymarianne on Nov 15, 2021

I am also seeing the same issue on Windows. It popped up as soon as vscode upgraded to 1.62.1. My extension can’t make any api calls because of it. My coworker on a Mac also cannot reproduce the issue.

scottmollon-invicara on Nov 10, 2021