alefragnani / vscode-jenkins-status

Jenkins Status Extension for Visual Studio Code
MIT License

UNABLE_TO_VERIFY_LEAF_SIGNATURE #21

Closed jmarandet closed 6 years ago

jmarandet commented 6 years ago

Hi,

I have a .jenkins file specifying the url, username and token of my project. But when I launch the "Jenkins: Update status" command, the control bar shows the following warning:

image

The Jenkins site certificate was issued by a self-signed corporate PKI, and added to the OS. Every web client on my computer works fine with it, the authority is registered. For example I can see that Chrome shows a green lock, so the authority is correctly recognized.

I have tried the following:

Without any success. Do you have any suggestions?

tomuta commented 6 years ago

I have the same problem with a thawte certificate.

Miminoux commented 6 years ago

Hi, I was working on this topic with @jmarandet and we found that adding our PKI to the OS proxy permitted the plugin to reach Jenkins properly. I don't remember the correct terms but here is what I think happens:

Of course adding our own PKI onto our proxy is not a bad idea. Anyway I think the plugin (or vscode? I'm not an expert) should not use that dummy "make that request for me plz" way of using a proxy but rather the "open that connection for me plz".

I'm only guessing here, I can't get into the code, it's just a hint, good luck.

This page helped me: https://www.npmjs.com/package/ssl-root-cas

And particularly:

Common Errors

CERT_UNTRUSTED - the common root CAs are missing, this module fixes that.

UNABLE_TO_VERIFY_LEAF_SIGNATURE could be either the same as the above, or the below

unable to verify the first certificate - the intermediate certificate wasn't bundled along with the server certificate, you'll need to fix that

Reading this, I thought that maybe a root CA (our PKI in my case) was missing somewhere. Knowing it was good on my computer, I thought of the proxy.

@tomuta: maybe you should check if any root certificate update on your proxy is possible?
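The missing-root-CA cause quoted above, as an added example that is not part of the thread or of the extension's code: it assumes a plain Node.js client, which verifies against its own bundled CA list rather than the OS store, and extends that list with a corporate PEM bundle while leaving verification on. The names `SAMPLE_BUNDLE`, `splitPemBundle`, `buildTrustOptions`, `diagnose` and `probe` are hypothetical, and the bundle is a constructed placeholder.

```javascript
const tls = require('node:tls');
const https = require('node:https');

// Constructed placeholder bundle (not real certificates): stands in for a
// corporate root plus intermediate exported as PEM.
const SAMPLE_BUNDLE = [
  '-----BEGIN CERTIFICATE-----\nPLACEHOLDERROOT\n-----END CERTIFICATE-----',
  '-----BEGIN CERTIFICATE-----\nPLACEHOLDERINTERMEDIATE\n-----END CERTIFICATE-----',
].join('\n');

// Split a PEM bundle into its individual certificate blocks.
function splitPemBundle(pem) {
  const re = /-----BEGIN CERTIFICATE-----[\s\S]+?-----END CERTIFICATE-----/g;
  return pem.match(re) || [];
}

// Build TLS options that trust Node's bundled roots plus the extra CAs.
function buildTrustOptions(extraPem) {
  const extra = splitPemBundle(extraPem);
  if (extra.length === 0) throw new Error('no PEM certificates found');
  // Passing `ca` replaces Node's defaults, so keep the bundled public roots too.
  return { ca: [...tls.rootCertificates, ...extra], rejectUnauthorized: true };
}

// Map the two error codes quoted in the thread to what the client is missing.
function diagnose(code) {
  switch (code) {
    case 'CERT_UNTRUSTED':
      return 'root CA missing from this client\'s trust list';
    case 'UNABLE_TO_VERIFY_LEAF_SIGNATURE':
      return 'root CA missing, or the server did not send its intermediate certificate';
    default:
      return 'not one of the chain errors discussed here: ' + code;
  }
}

// Probe a URL with the extended trust list; resolves with a result object
// instead of throwing, so the error code can be shown to the user.
function probe(url, trustOptions) {
  return new Promise((resolve) => {
    const agent = new https.Agent(trustOptions);
    https.get(url, { agent }, (res) => {
      res.resume(); // discard the body, only the handshake result matters
      resolve({ ok: true, status: res.statusCode });
    }).on('error', (err) =>
      resolve({ ok: false, code: err.code, hint: diagnose(err.code) }));
  });
}
```

This covers only a CA missing on the client side; when a proxy terminates or re-issues the connection, as described in this thread, the proxy's own trust list is what has to contain the CA.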

alefragnani commented 6 years ago

Hi,

First of all, sorry for taking so long to appear. I had other priorities at the moment, and didn't have the time to give attention to this 😢 .

I would like to know if @Miminoux's answer has helped @jmarandet and @tomuta. If not, what do you think I could add to the extension to fix the issue?

I'm not an auth/cert expert, and I use Jenkins only in basic auth (username/password) scenarios, so any help in making this more complex scenario would be great.

Thanks

jmarandet commented 6 years ago

@alefragnani. Yes, @Miminoux's answer solved my issue.