vscode: Unable to install extensions via proxy, even --ignore-certificate-errors no longer works
- VSCode Version: 1.40.1-1573664190
- OS Version: Debian 9.4
Steps to Reproduce:
- Launch code while behind a proxy which decrypts all traffic
- Attempt to search for an extension
Does this issue occur when all extensions are disabled?: Yes
I can see in the network developer tools that this is a certificate issue, the output is: marketplace.visualst…ry/extensionquery:1 Failed to load resource: net::ERR_CERT_AUTHORITY_INVALID

More precisely, this looks like an issue caused by strict transport security being enforced and/or a 3rd party certificate mechanism and I can’t see a way of disabling or working around. If someone can tell me the relevant place for vscode to use the proxy’s certificate or somehow disable this, I (and the developers who use these systems) would be very grateful. It doesn’t seem to be using the system certs in /etc/ssl/certs that are added after running update-ca-certificates.
I was working around this problem on a previous release by launching using: code --ignore-certificate-errors
However, at some point a new release causes the message: Option ‘ignore-certificate-errors’ is unknown. Ignoring.
Setting http_proxy and https_proxy system environment variables and setting “http.proxy” within vscode makes no difference, neither does “http.proxyStrictSSL”: false.
I have added the root certificate CA which allows wget to grab extensions but this isn’t a solution on multiple shared systems where extensions are being updated regularly.
user@host:/home/user/> wget https://marketplace.visualstudio.com/_apis/public/gallery/publishers/ms-python/vsextensions/python/2020.3.69010/vspackage
Will not apply HSTS. The HSTS database must be a regular and non-world-writable file.
ERROR: could not open HSTS store at ‘/home/user/.wget-hsts’. HSTS will be disabled.
--2020-03-27 17:36:40-- https://marketplace.visualstudio.com/_apis/public/gallery/publishers/ms-python/vsextensions/python/2020.3.69010/vspackage
Connecting to 185.46.212.32:9443… connected.
Proxy request sent, awaiting response… 200 OK
Length: 28090788 (27M) [application/vsix]
Saving to: ‘vspackage’
vspackage 100%[=================================================================================================================================================================================>] 26.79M 9.15MB/s in 2.9s
2020-03-27 17:36:47 (9.15 MB/s) - ‘vspackage’ saved [28090788/28090788]
About this issue
- State: closed
- Created 4 years ago
- Comments: 26 (18 by maintainers)
Commits related to this issue
- Fix typo (#93595) — committed to microsoft/vscode by chrmarti 4 years ago
- Allow --log-net-log (#93595) — committed to microsoft/vscode by chrmarti 4 years ago
- Include HTTP_PROXY and NO_PROXY (#93595) — committed to microsoft/vscode by chrmarti 4 years ago
It's a bit difficult to solve this, since node doesn’t care about NSS db we will write our own native module which would essentially be a wrapper around https://source.chromium.org/chromium/chromium/src/+/master:net/cert/nss_cert_database.h to allow importing client certificates to the shared NSS db.
I think we can better surface the error with a notification net::ERR_CERT_AUTHORITY_INVALID using https://github.com/electron/electron/blob/master/docs/api/app.md#event-certificate-error and ask users to add certificate in the NSS db with https://chromium.googlesource.com/chromium/src/+/lkgr/docs/linux/cert_management.md#add-a-certificate

@deepak1556 My change only picks up the http.proxy setting - not the environment variables. We could add that. (And add --log-net-log to the list of valid command line options.)
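
The NSS-database import that the Chromium cert_management page linked in the comments describes, written out as an added example (not code from the issue thread or from the VS Code project). The function names, the NSSDB variable and the file and nickname arguments are assumptions for illustration; certutil comes from the libnss3-tools package on Debian.

```shell
#!/bin/sh
# Added example: import a TLS-inspecting proxy's root CA into the per-user
# shared NSS database that Chromium-based applications consult on Linux.
# NSSDB, the function names and the arguments are hypothetical.
NSSDB="${NSSDB:-$HOME/.pki/nssdb}"

# Succeeds only if the file holds exactly one PEM certificate and no private
# key, so a key bundle or a multi-cert chain is never trusted by accident.
pem_is_single_cert() {
    [ -r "$1" ] || return 1
    n=$(grep -c '^-----BEGIN CERTIFICATE-----$' "$1") || true
    [ "$n" -eq 1 ] || return 1
    ! grep -q 'PRIVATE KEY-----' "$1"
}

# usage: import_proxy_ca <ca.pem> <nickname>
import_proxy_ca() {
    pem=$1
    nick=$2
    pem_is_single_cert "$pem" || {
        echo "refusing: $pem is not a single PEM certificate" >&2
        return 2
    }
    command -v certutil >/dev/null 2>&1 || {
        echo "certutil not found (install libnss3-tools)" >&2
        return 3
    }
    # Create an empty database on first use.
    if [ ! -f "$NSSDB/cert9.db" ]; then
        mkdir -p "$NSSDB" || return 4
        certutil -d "sql:$NSSDB" -N --empty-password || return 4
    fi
    # Nothing to do if a certificate with this nickname is already stored.
    if certutil -d "sql:$NSSDB" -L -n "$nick" >/dev/null 2>&1; then
        echo "nickname '$nick' already present in $NSSDB"
        return 0
    fi
    # Trust string "C,," marks the CA as trusted for TLS server certificates
    # only; the S/MIME and code-signing fields are left empty.
    certutil -d "sql:$NSSDB" -A -t "C,," -n "$nick" -i "$pem"
}
```

Call it as `import_proxy_ca /path/to/proxy-root.pem "corp-proxy-root"`, then confirm the entry with `certutil -d sql:$HOME/.pki/nssdb -L`.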