62

Our corporate firewall/proxy is keeping VS Code from being able to install extensions because Code doesn't trust something in the chain. It doesn't reliably give an error, but when it does, it's this: "self signed certificate in certificate chain".

This seems like it's an OpenSSL error, but I don't have enough familiarity with OpenSSL to know how to trust the certificate?

Devin Goble
  • It is not an error, it is a feature. Self-signed certificates are not to be trusted. This can be overridden in the code by adding, as a (risky) choice, that the user can accept self-signed certificates. – adlag Apr 08 '16 at 20:28
  • 5
    I'm behind a proxy. I don't have much choice but to accept whatever it's serving up. – Devin Goble Apr 08 '16 at 20:37
  • 4
    https://code.visualstudio.com/Docs/supporting/faq#_proxy-server-support says in this case set "http.proxyStrictSSL": false -- did you do that? – dave_thompson_085 Apr 08 '16 at 20:53
  • 2
    @dave_thompson_085: Yes. I get the same error. – Devin Goble Apr 08 '16 at 21:05
  • 1
    I tried the "http.proxyStrictSSL" just today and it worked for me. – Mickaël Derriey Jun 21 '16 at 23:13
  • @dave_thompson_085's answer is correct for me today as well. – Jason Rueckert Jan 09 '17 at 21:50
  • 2
    @adlag No, if it was signed by my organization, there should be a trust store I can add that root cert to. You are thinking of disabling certificate validation entirely ("http.proxyStrictSSL"), which is risky (it shouldn't be done at all, and certainly not permanently), as described below. – brianary Mar 30 '20 at 23:00

10 Answers

45

This is a terrible answer (not very secure), but appears to be the current Microsoft official answer. Use "http.proxyStrictSSL": false in your settings.json file.

This should work to get around the issue of installing extensions inside a corporate network, but I'd recommend disabling the setting if you are going to be working from home/coffee shop and not connected to the corporate VPN.

https://github.com/Microsoft/vscode/issues/3492

Kas Elvirov
dragon788
  • 11
    It might be a terrible answer, but due to the way corporate proxies often work, it is the correct answer. – Devin Goble Mar 03 '17 at 18:54
  • 3
    Still this error - request to https://api-v2v3search-0.nuget.org/autocomplete?q=system.data&prerelease=true&take=100 failed, reason: self signed certificate in certificate chain – Saurabh May 31 '17 at 12:16
  • @Saurabh Is this error coming from Visual Studio or Visual Studio Code? Nuget packages typically don't have anything to do with VS Code which is what we are discussing here. – dragon788 May 31 '17 at 20:55
  • @dragon788 I am using VS Code Insiders, and this error comes up when I try to add any reference like System.Data – Saurabh Jun 01 '17 at 04:03
  • Unfortunately it doesn't work for me for the extension "JIRA plugin" (when I try to connect to JIRA, it throws this error). Does anyone have a suggestion? – dave0688 Aug 27 '18 at 12:49
  • This worked a while ago but has recently stopped working for me. Any ideas why? – Tim Mar 11 '20 at 23:38
  • Although not the answer for me, this did help me spot that I had an outdated proxy in my settings.json. Worth checking if you're still getting problems. – Caltor Aug 26 '21 at 15:41
  • 1
    Worth noting that if you connect to a remote vscode server, then you should change this setting in the remote `settings.json`. – Sergey Zakharov Sep 24 '21 at 06:49
  • Thanks! I've struggled for a long time behind my company proxy. The setting helps me sign in to GitHub Copilot! Some third-party plugins which need sign-in also work! – hsuanyi-chou Oct 11 '22 at 01:58
33

I was having the same issue, not when installing an extension, but when a certain extension was trying to download data. Adding "http.proxyStrictSSL": false to my settings file did not work. Disabling SSL is also a really bad idea.

The resolution was to install the Visual Studio Code win-ca plugin which makes trusted Windows certificates available to extensions.

taylorsabell
12

There is actually a better way:

Since VS Code is built on Chromium the "proxy settings should be picked up automatically" from Google Chrome/Chromium. So if you add your self-signed certificate in Chrome/Chromium by going to:

  1. chrome://settings/privacy
  2. Manage certificates
  3. Authorities / Import
  4. Select and import your certificate (pem-file)
  5. Restart VS Code

I was able to download VS Code extensions despite being behind a corporate proxy.

Remark: Ubuntu 18.04 and VS Code works only with Chrome and not Chromium.

Wollmich
tricktron
  • 7
    This worked for me using VS Code under Ubuntu 18.04 two years ago. Now I'm setting up a new PC as well with Ubuntu and it doesn't work anymore. When I'm using the following command I can install extensions in VS Code: `code --ignore-certificate-errors`. In Chromium I'm able to browse the web after adding the CA certificate, but not in VS Code. Any idea? – Wollmich Aug 18 '20 at 14:09
  • It works if I install Google Chrome but not with Chromium. – Wollmich Aug 18 '20 at 14:46
  • That is strange. I am using Chromium on PopOS 20.04 which is similar to ubuntu 20.04 and it works. If you try to install an extension in VS Code, what error do you see in the developer console? – tricktron Aug 20 '20 at 13:15
  • I'm getting a `net::ERR_CERT_AUTHORITY_INVALID` error. As soon as I install Chrome and add the proxy CA certificate it works. – Wollmich Aug 20 '20 at 13:23
10

EDIT: Still works in 2021 on Big Sur and Catalina, maybe others

First, make sure that the certificates are installed and trusted (I have them in the System category).

Then, go into VS Code settings, Application, Proxy, and UNCHECK the "System certificates" option. Restart VS Code and RE-CHECK it. Restart again, and it works.

No idea why you have to do this, but it worked for me. I was very surprised. The error I was getting in the developer console (Help - toggle developer tools - console tab) was "self signed certificate in certificate chain".

Morgus Lethe
4

I had this issue inside WSL2 (Ubuntu). For me, the solution was to add a new environment variable to /etc/environment called NODE_EXTRA_CA_CERTS and add my proxy's certificate to it. This will fix the problem for all Node instances that respect this variable, not just VS Code and/or Electron, which is exactly what I need.

Reference: https://nodejs.org/api/cli.html#node_extra_ca_certsfile

D-Day
3

I had to add the corporate certificate as a root CA to my local NSS store to get this to work.

```bash
certutil -d sql:$HOME/.pki/nssdb -A -t "C,," -n <certificate nickname> -i <certificate filename>
```

See this GitHub issue for more info.

Jeff Piersol
2

I finally have found a solution that works with VS Code for those who still run into issues using win-ca.

Some things, including GitHub Copilot, for some odd reason do not respect the NODE_EXTRA_CA_CERTS system variable and therefore need a little bit more work.

If you already have a .pem file, ignore this step and move forward.

Open your browser of choice and go to github.com. Export the certificate as a Base64-encoded ASCII certificate chain, making sure the extension of the file ends with .pem.

Then set the NODE_EXTRA_CA_CERTS variable as a user variable (it will not work if set as a system variable), set to your .pem file.

After adding the user variable, go to your VS Code installation, find the GitHub Copilot extension folder, and go into its /dist directory.

Open the extension.js file in a code editor and add this code to the top of the extension's file.

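```javascript
const tls = require("tls");
const fs = require("fs");

const origCreateSecureContext = tls.createSecureContext;

// Wrap tls.createSecureContext so that every TLS context the extension creates
// also trusts the certificates in the NODE_EXTRA_CA_CERTS bundle.
tls.createSecureContext = options => {
  const context = origCreateSecureContext(options);

  // Read the PEM bundle and normalise Windows line endings.
  const pem = fs
    .readFileSync(process.env.NODE_EXTRA_CA_CERTS, { encoding: "ascii" })
    .replace(/\r\n/g, "\n");

  // Debug aid: logs the loaded bundle each time a context is created.
  console.log(pem);

  // Split the bundle into its individual certificates.
  const certs = pem.match(/-----BEGIN CERTIFICATE-----\n[\s\S]+?\n-----END CERTIFICATE-----/g);

  if (!certs) {
    throw new Error(`Could not parse certificate ${process.env.NODE_EXTRA_CA_CERTS}`);
  }

  // addCACert is an internal, undocumented method of the native context object.
  certs.forEach(cert => {
    context.context.addCACert(cert.trim());
  });

  return context;
};
```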

This forces GitHub Copilot to add self-signed certificates and lets it work under proxies and corporate networks.

1

Try the following steps, which helped me to resolve a similar issue:

  1. Open a corporate portal home page in a browser and download the Root CA certificate. This certificate is usually the first one in the hierarchy of 3 certificates available there. Another option is to ask the security team to provide you with a corporate Root CA certificate file in Base-64 format.

  2. Right-click the certificate file and select Install Certificate.

  3. Add Windows Environment variable NODE_EXTRA_CA_CERTS with path to this certificate file.

  4. Restart Visual Studio Code and try again.

Vladimirs
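
A preflight check for the file that the NODE_EXTRA_CA_CERTS answers above (WSL2, Copilot and the Windows steps) point Node at, as an added example that is not code from any of the answers: it flags a binary (DER) export, an unreadable file, and a bundle holding a private key or a non-CA certificate. The function names and the sample bundle are constructed for illustration.

```javascript
const fs = require("fs");
const { X509Certificate } = require("crypto");
// Matches any PEM block and captures its type label (CERTIFICATE, PRIVATE KEY, ...).
const PEM_BLOCK = /-----BEGIN ([A-Z0-9 ]+)-----\r?\n[\s\S]+?\r?\n-----END \1-----/g;

function inspectCaBundle(buf) {
  const report = { format: "unknown", certs: [], problems: [] };
  // A DER (binary) certificate starts with an ASN.1 SEQUENCE header: 0x30 0x82.
  if (buf.length > 1 && buf[0] === 0x30 && buf[1] === 0x82) {
    return { ...report, format: "der", problems: ["DER encoding: re-export as Base64/PEM"] };
  }
  const blocks = [...buf.toString("latin1").matchAll(PEM_BLOCK)];
  if (blocks.length === 0) return { ...report, problems: ["no PEM blocks found"] };
  report.format = "pem";
  blocks.forEach(([pem, label], i) => {
    if (label.includes("PRIVATE KEY")) {
      report.problems.push(`block ${i}: private key in a trust bundle`);
    } else if (label !== "CERTIFICATE") {
      report.problems.push(`block ${i}: unexpected PEM type ${label}`);
    } else {
      try {
        const cert = new X509Certificate(pem);
        const expired = new Date(cert.validTo) < new Date();
        report.certs.push({ subject: cert.subject, isCa: cert.ca, expired });
        if (!cert.ca) report.problems.push(`block ${i}: not a CA certificate`);
        if (expired) report.problems.push(`block ${i}: expired on ${cert.validTo}`);
      } catch {
        report.problems.push(`block ${i}: unparsable certificate`);
      }
    }
  });
  return report;
}

// Node only emits a one-time warning when this file is missing or malformed, so check it.
function checkNodeExtraCaCerts(env = process.env) {
  const fail = (msg) => ({ format: "unknown", certs: [], problems: [msg] });
  const file = env.NODE_EXTRA_CA_CERTS;
  if (!file) return fail("NODE_EXTRA_CA_CERTS is not set");
  try {
    return inspectCaBundle(fs.readFileSync(file));
  } catch (err) {
    return fail(`cannot read ${file}: ${err.code}`);
  }
}

// Constructed sample: a CRLF bundle holding a bogus certificate and a stray key.
const SAMPLE = Buffer.from("-----BEGIN CERTIFICATE-----\r\nTm90IGEgcmVhbCBjZXJ0\r\n-----END CERTIFICATE-----\r\n" +
  "-----BEGIN PRIVATE KEY-----\r\nAAAA\r\n-----END PRIVATE KEY-----\r\n");
console.log(inspectCaBundle(SAMPLE), checkNodeExtraCaCerts());
```

Run it from the same environment VS Code is launched from, since the variable has to be visible to that process.
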
0

I encountered the issue above when opening a proxy tool like Charles. The error disappeared after closing that proxy tool.

liuliang
0

I know this is not the best option, but I had to add the certificate to Java cacerts.