aws / aws-toolkit-visual-studio

AWS Toolkit for Visual Studio - a plugin to interact with AWS
https://aws.amazon.com/visualstudio/
Apache License 2.0
111 stars 29 forks

AWS CodeWhisperer for Visual Studio - self-signed certificate in certificate chain #403

Closed kmillerdevx3 closed 6 months ago

kmillerdevx3 commented 8 months ago

Describe the bug

Upon installing the AWS Toolkit and setting up CodeWhisperer to provide suggestions, no suggestions appear and the following message appears in the log every time a suggestion is requested with Alt-C:

Info: [2024-03-11T19:57:11.210Z] Recommendation failure: NetworkingError: self-signed certificate in certificate chain

This machine is on our corporate network, which uses self-signed certs for a number of services. Although I'm not certain, I believe the specific one in this case may be for NetSkope.

Many tools have an option to ignore self-signed certificate errors, but the AWS Toolkit settings pane does not appear to offer any such option.

To Reproduce

Expected behavior

CodeWhisperer allows self-signed certificates and generates code suggestions.

Toolkit Logs

Amazon Web Services log

AWS Toolkit for Visual Studio
Toolkit Version: 1.49.0.0
Visual Studio: VS Enterprise 2022, Version: 17.9.2

Initializing: Amazon CodeWhisperer Language Client
Launching CodeWhisperer Language Server v0.1.2 from local cache location: C:\Users\****\AppData\Local\aws\toolkits\language-servers\CodeWhisperer\0.1.2\aws-lsp-codewhisperer.exe (Attribution notice for aws-lsp-codewhisperer.exe can be found at: https://aws-language-servers.us-east-1.amazonaws.com/032e3dcc-a411-4917-8785-aada4bfb8642/THIRD_PARTY_LICENSES)
Activating: Amazon CodeWhisperer Language Client
Initialized: Amazon CodeWhisperer Language Client
AWS IAM Identity Center Log in flow started for Credentials: ****
Signed in to CodeWhisperer with Profile:****.
CodeWhisperer's automatic suggestions will be displayed.

Amazon CodeWhisperer Language Client logs

Info: [2024-03-11T19:52:19.172Z] Codewhisperer server has been initialised
Info: Runtime: Initializing runtime with encryption
Error: (node:39652) NOTE: We are formalizing our plans to enter AWS SDK for JavaScript (v2) into maintenance mode in 2023.

Please migrate your code to use AWS SDK for JavaScript (v3).
For more information, check the migration guide at https://a.co/7PzMCcy
(Use `aws-lsp-codewhisperer --trace-warnings ...` to show where the warning was created)
Info: Runtime: Registering IAM credentials update handler
Info: Runtime: Registering bearer credentials update handler
Info: [2024-03-11T19:52:19.223Z] Configuration updated to include suggestions with code references
Info: [2024-03-11T19:52:19.223Z] Configuration updated to share code whisperer content with AWS
Info: Runtime: Decoding encrypted credentials token
Info: Decoding JWT token
Info: Runtime: Successfully saved bearer credentials
Info: Runtime: Connection metadata updated
Info: [2024-03-11T19:53:13.974Z] Recommendation failure: NetworkingError: self-signed certificate in certificate chain
Info: [2024-03-11T19:56:56.691Z] Recommendation failure: NetworkingError: self-signed certificate in certificate chain
Info: [2024-03-11T19:56:59.558Z] Recommendation failure: NetworkingError: self-signed certificate in certificate chain
Info: [2024-03-11T19:57:11.210Z] Recommendation failure: NetworkingError: self-signed certificate in certificate chain

Development System (please complete the following information):

floralph commented 8 months ago

Thanks for bringing this issue to our attention. Do you have CAs registered on your Windows workstation for the self-signed certificates? Can you provide more detail on how you narrowed it down to NetSkope?

kmillerdevx3 commented 8 months ago

Our corporate ones do, yes. The reasons I focused on NetSkope were:

floralph commented 8 months ago

The CodeWhisperer feature utilizes NodeJS, which is where the networking error appears to be originating. As a workaround for now, you could try using NodeJS' own command line args to bypass the check as you were interested in doing in your original post.

You could try to set NODE_OPTIONS=--use-openssl-ca either as a system environment variable or from the context in which you launch Visual Studio. This may bypass the check and the error.

kmillerdevx3 commented 8 months ago

--use-openssl-ca doesn't seem to have any effect.

I'm not sure if this is relevant, but CodeWhisperer / Amazon Q running in VSCode on the same machine works just fine out of the box. So it's definitely something specific to Visual Studio.

Since you mentioned NodeJS, I have also tried with both Node 16.13 and 18.16 to see if the Node version was relevant.

shruti0085 commented 8 months ago

The issue is not replicable in VSCode since, unlike the AWS Toolkit for VSCode, the CodeWhisperer feature in Visual Studio utilizes a language server with NodeJS runtime.

Based on your previous comment it seems like the cert you are using might be misconfigured, which is probably the reason for the error you are seeing.

Once the cert is correctly configured and trusted, please reach out if you are still running into issues.

golflover commented 7 months ago

We are seeing the same "self-signed certificate in certificate chain" messages in Visual Studio 2022 and our organisation is also using NetSkope. I've checked the certificate, and it looks correctly configured. Locally, the certificate is stored in the Intermediate Certificate Authorities folder. Is there anything else we should be checking for? Likewise, the VSCode plugin works correctly.

kmillerdevx3 commented 7 months ago

> Based on your previous comment it seems like the cert you are using might be misconfigured, which is probably the reason for the error you are seeing.
>
> Once the cert is correctly configured and trusted, please reach out if you are still running into issues.

NetSkope is our corporate VPN/ZTN provider, so this is not something that I as a developer / user have any control over. Would be nice if the VS plugin provided a way to specify a flag (such as in configuration) to ignore these errors.

shruti0085 commented 7 months ago

Another thing to try in addition to the above mentioned workaround is to try setting env variable NODE_EXTRA_CA_CERTS=%path to cert file% either as a system environment variable or from the context in which you launch Visual Studio. This may also help bypass the check and the error.

We'd recommend trying this with a test/dev environment only.

kmillerdevx3 commented 6 months ago

> Another thing to try...

This did not have any effect either.

I'm currently in discussions with our NetSec team to see if they have any workarounds for this issue.

kmillerdevx3 commented 6 months ago

I'm not sure if this is an improvement, but I'm not getting the "self-signed certificate" error anymore.

Instead, now I'm getting NetworkingError: unable to get local issuer certificate

I notice that, as of two days ago, the CodeWhisperer language server was updated to 1.0.0, from 0.1.2 that was installed previously.

kmillerdevx3 commented 6 months ago

I'm going to go ahead and close this - with the language server update to 1.0.0, it now seems to honor the environment variables mentioned above.

NODE_OPTIONS = --use-openssl-ca
NODE_EXTRA_CA_CERTS = Path/To/Corporate/Certs

With these both in place, I am able to get CodeWhisperer suggestions now.
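
Added example (not code from the thread or from the AWS Toolkit): a Node.js triage helper that counts the two certificate-verification errors reported in this issue by their Node error codes and checks the trust-related environment variables the language server's runtime would inherit. The function names and the timestamp on the third sample line are constructed; the check assumes NODE_EXTRA_CA_CERTS names a single PEM file, which is what Node expects.

```javascript
// Added example, not code from the thread or from the AWS Toolkit.
const fs = require('fs');
// Node's wording of two OpenSSL verification failures, with their error codes.
const TLS_ERRORS = [
  { code: 'SELF_SIGNED_CERT_IN_CHAIN', re: /self[- ]signed certificate in certificate chain/i,
    meaning: 'chain ends in a self-signed root this runtime does not trust' },
  { code: 'UNABLE_TO_GET_ISSUER_CERT_LOCALLY', re: /unable to get local issuer certificate/i,
    meaning: 'issuer of a presented certificate is not in the trust store' },
];

// Count verification failures per error code in a language-client log.
function classifyLog(text) {
  const counts = {};
  for (const line of text.split(/\r?\n/)) {
    const hit = TLS_ERRORS.find((e) => e.re.test(line));
    if (hit) counts[hit.code] = (counts[hit.code] || 0) + 1;
  }
  return counts;
}

// Check the trust-related variables the language server's Node runtime would inherit.
function auditTrustEnv(env) {
  const findings = [];
  if (env.NODE_TLS_REJECT_UNAUTHORIZED === '0') {
    findings.push('NODE_TLS_REJECT_UNAUTHORIZED=0 turns certificate verification off');
  }
  if (!/(^|\s)--use-openssl-ca(\s|$)/.test(env.NODE_OPTIONS || '')) {
    findings.push('NODE_OPTIONS lacks --use-openssl-ca');
  }
  const extra = env.NODE_EXTRA_CA_CERTS;
  if (!extra) {
    findings.push('NODE_EXTRA_CA_CERTS is not set');
  } else if (!fs.existsSync(extra) || !fs.statSync(extra).isFile()) {
    findings.push('NODE_EXTRA_CA_CERTS must name an existing file, not a directory');
  } else if (!fs.readFileSync(extra, 'latin1').includes('-----BEGIN CERTIFICATE-----')) {
    findings.push('NODE_EXTRA_CA_CERTS file has no PEM certificate (DER export?)');
  }
  return findings;
}

// Two lines copied from the log in this thread, plus the later error with a constructed timestamp.
const SAMPLE_LOG = [
  'Info: [2024-03-11T19:56:59.558Z] Recommendation failure: NetworkingError: self-signed certificate in certificate chain',
  'Info: [2024-03-11T19:57:11.210Z] Recommendation failure: NetworkingError: self-signed certificate in certificate chain',
  'Info: [2024-01-01T00:00:00.000Z] Recommendation failure: NetworkingError: unable to get local issuer certificate',
].join('\n');

console.log(classifyLog(SAMPLE_LOG));
console.log(auditTrustEnv(process.env));
```

Run it from the same context Visual Studio is launched from so that `process.env` matches what the language server sees; an empty findings list means both variables from the closing comment are in place and verification is still enabled.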