codefori / vscode-ibmi

🌍 IBM i development extension for VS Code
https://codefori.github.io/docs/#/
MIT License

EQAVS1007E -self signed certificate error #2190

Closed AARPETERSON closed 4 days ago

AARPETERSON commented 1 month ago


EQAVS1007E Message received: self signed certificate

```
From client: initialize({"clientID":"vscode","clientName":"Visual Studio Code","adapterID":"IBMiDebug","pathFormat":"path","linesStartAt1":true,"columnsStartAt1":true,"supportsVariableType":true,"supportsVariablePaging":true,"supportsRunInTerminalRequest":true,"locale":"en","supportsProgressReporting":true,"supportsInvalidatedEvent":true,"supportsMemoryReferences":true,"supportsArgsCanBeInterpretedByShell":true,"supportsMemoryEvent":true})
To client: {"seq":0,"type":"response","request_seq":1,"command":"initialize","success":true,"body":{"supportsEvaluateForHovers":true,"supportsSetVariable":true,"supportsValueFormattingOptions":true,"supportsModulesRequest":true,"supportTerminateDebuggee":true,"supportsFunctionBreakpoints":true,"supportsConfigurationDoneRequest":true}}
From client: launch({"type":"IBMiDebug","request":"launch","subType":"sep","action":"set","name":"Service Entry Point","user":"APETERSON","host":"SILVERLAKE.JHACORP.COM","port":8005,"sepDaemonPort":8008,"secure":true,"ignoreCertificateErrors":false,"library":"AARONP","program":"DD5007","programType":"PGM","module":"ALL","procedure":"*ALL","trace":true,"workbenchSettings":{"updateProductionFiles":false,"enableDebugTracing":false,"connection":{"connectionPort":8001}},"__sessionId":"387aa6f3-efeb-412c-8fa1-f343f38915ba"})
EQAVS1007E SILVERLAKE.JHACORP.COM on port 8005 could not be connected.
Message received: self signed certificate
To client: {"seq":0,"type":"event","event":"output","body":{"category":"stderr","output":"EQAVS1007E SILVERLAKE.JHACORP.COM on port 8005 could not be connected.\nMessage received: self signed certificate\n"}}
EQAVS1007E SILVERLAKE.JHACORP.COM on port 8005 could not be connected.
Message received: self signed certificate
To client: {"seq":0,"type":"response","request_seq":2,"command":"launch","success":false,"message":"EQAVS1007E SILVERLAKE.JHACORP.COM on port 8005 could not be connected.\nMessage received: self signed certificate","body":{"error":{"id":9999,"format":"EQAVS1007E SILVERLAKE.JHACORP.COM on port 8005 could not be connected.\nMessage received: self signed certificate","showUser":true}}}
```


|Context|Version|
|-|-|
|Code for IBM i version|2.12.0|
|Visual Studio Code version|1.75.1|
|Operating System|win32_x64|

Active extensions

```
.NET Install Tool (vscode-dotnet-runtime): 2.1.1
COBOL (cobol): 9.3.2
Code for IBM i Walkthroughs (vscode-ibmi-walkthroughs): 0.5.0
Configuration Editing (configuration-editing): 1.0.0
Db2 for IBM i (vscode-db2i): 1.0.0
Emmet (emmet): 1.0.0
Error Lens (errorlens): 3.8.0
Extension Authoring (extension-editing): 1.0.0
Git (git): 1.0.0
Git Base (git-base): 1.0.0
GitHub (github): 0.0.1
GitHub Authentication (github-authentication): 0.0.2
IBM i Debug (ibmidebug): 2.0.1
IBM i Notebooks (vscode-ibmi-notebooks): 0.0.6
IBM i Project Explorer (vscode-ibmi-projectexplorer): 2.11.0
JSON Language Features (json-language-features): 1.0.0
Merge Conflict (merge-conflict): 1.0.0
Microsoft Account (microsoft-authentication): 0.0.1
NPM support for VS Code (npm): 1.0.1
Node Debug Auto-attach (debug-auto-launch): 1.0.0
RPGLE (vscode-rpgle): 0.26.8
Server Ready Action (debug-server-ready): 1.0.0
TODO Highlight (vscode-todo-highlight): 1.0.5
TypeScript and JavaScript Language Features (typescript-language-features): 1.0.0
WSL: Recommender (remote-wsl-recommender): 0.0.18
```

Remote system

|Setting|Value|
|-|-|
|IBM i OS|V7R4M0|
|Tech Refresh|9|
|CCSID Origin|65535|
|Runtime CCSID|37|
|Default CCSID|37|
|SQL|Enabled|
|Source dates|Disabled|

### Enabled features

|/QOpenSys/pkgs/bin|/usr/bin|/QSYS.lib/ILEDITOR.lib|/QSYS.LIB|/QIBM/ProdData/IBMiDebugService/bin|
|-|-|-|-|-|
|bash|attr|GETNEWLIBL.PGM|QZDFMDB2.PGM|startDebugService.sh|
|chsh|iconv||||
|ls|setccsid||||
|md5sum|tar||||
|sort|||||
|stat|||||
|tn5250|||||

Shell env

Variants

```json
{ "american": "#@$", "local": "#@$" }
```

Errors

```json
[
  {
    "command": "/QOpenSys/usr/bin/qsh",
    "code": 1,
    "stderr": "CPF2111: Library ILEDITOR already exists.\nCPC2206: Ownership of object QZSHSYSTEM in QTEMP type *USRSPC changed.",
    "cwd": "/home/APETERSON"
  }
]
```

sebjulliand commented 1 month ago

Go to the IBM i Debugger view, right click on the Debug Service item and select this option: image

Then restart the Debug Service.

If a warning sign appears next to the Debug Service item after that, expand it and click on the suggested action. image

AARPETERSON commented 1 month ago

Any other troubleshooting tips for this? I have regenerated the certificates, ended/restarted the debug service, then reloaded the connection to the IBM i.

I have both the debug server and service running, and can confirm such in the VS Code extension. No warnings to display.

image CodeForIBMi.txt DebugServiceEclipseInstance.txt

sebjulliand commented 1 month ago

@AARPETERSON you can try to access the Debug Service on port 8005 using a web browser, just for the sake of displaying the certificate information. In your case, access https://SILVERLAKE.JHACORP.COM:8005

Your browser will warn you that the connection is not secure because the certificate is self-signed. At this point, you'll be able to display the certificate. In the certificate details, look for the "Subject alternate names"; there should be two DNS names and one IP address. Check that one of these DNS names matches the one you use to connect from Code for IBM i.
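
The check described in the comment above, as an added example that is not part of the original thread or of the project's code: a Node.js script that reads a server certificate and reports host-name matching (Subject Alternative Names) separately from whether the certificate is self-issued, since these are two independent TLS checks. The function names `fetchPeerCertificate` and `diagnose`, the host names and the sample certificate object are assumptions constructed for illustration.

```javascript
// Added example: host names and certificate fields below are constructed.
const tls = require('node:tls');

// Fetch the certificate a server presents. Verification is switched off only so
// the handshake completes and the certificate can be read; no data is sent.
function fetchPeerCertificate(host, port) {
  return new Promise((resolve, reject) => {
    const opts = { host, port, servername: host, rejectUnauthorized: false };
    const socket = tls.connect(opts, () => {
      const cert = socket.getPeerCertificate(true);
      socket.end();
      resolve(cert);
    });
    socket.on('error', reject);
  });
}

// cert has the shape returned by tlsSocket.getPeerCertificate().
function diagnose(host, cert) {
  const sans = (cert.subjectaltname || '').split(', ').filter(Boolean);
  // Same name check Node applies by default; returns undefined on a match.
  const nameError = tls.checkServerIdentity(host, cert);
  // Subject equal to issuer means the certificate is self-issued: chain
  // validation fails with "self signed certificate" unless the client trusts
  // this exact certificate, even when the name check passes.
  const selfIssued = JSON.stringify(cert.subject) === JSON.stringify(cert.issuer);
  return {
    sans,
    nameMatches: nameError === undefined,
    nameError: nameError ? nameError.message : null,
    selfIssued,
  };
}

// Constructed sample: two DNS names and one IP address, subject == issuer.
const sampleCert = {
  subject: { CN: 'ibmi.example.com' },
  issuer: { CN: 'ibmi.example.com' },
  subjectaltname: 'DNS:ibmi.example.com, DNS:ibmi, IP Address:192.0.2.10',
};

console.log(diagnose('IBMI.EXAMPLE.COM', sampleCert));  // name matches, still self-issued
console.log(diagnose('other.example.com', sampleCert)); // name mismatch
```

Against a live service, pass the result of `await fetchPeerCertificate(host, 8005)` to `diagnose` with the same host name that is configured in the connection.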

AARPETERSON commented 1 month ago

It does appear that the DNS names and IP address listed in this certificate match what I am expecting to see. The system DNS and IP address match exactly the ACS emulator sessions as well as the connection VS Code makes over SSH.

arco400 commented 1 week ago

Hi. I can confirm having exactly the same issue. I am connecting with the full FQDN and also have regenerated the certificates but no luck.

image

AARPETERSON commented 1 week ago

I have been working on a manual workaround for this. Trying to get certificates generated via a trusted CA and deploy them for this web service. I have been able to reverse engineer most of the steps the debug API uses to come up with a list of manual steps that can be taken to generate actual CA signed certs for this. I am very close. I have gotten to the point of being able to get the service started outside of the extension itself.

arco400 commented 1 week ago

@AARPETERSON thanks for the update. Hopefully it can be solved by the team instead of worked around :-) My workaround is to keep debugging in RDI, which by the way still works very well for SEP debugging.

sebjulliand commented 6 days ago

> I have been working on a manual workaround for this. Trying to get certificates generated via a trusted CA and deploy them for this web service. I have been able to reverse engineer most of the steps the debug API uses to come up with a list of manual steps that can be taken to generate actual CA signed certs for this. I am very close. I have gotten to the point of being able to get the service started outside of the extension itself.

@AARPETERSON having a cert signed by a trusted CA is definitely a great idea. Once you have that certificate, you can use the extension to import and install it on the remote server for you. As for starting the Service outside of VS Code, this is described in the documentation if you need some inspiration.

AARPETERSON commented 6 days ago

I didn’t know it was possible to install my own certificate via the extension. How do I do this?


From: Sébastien Julliand
Sent: Saturday, August 31, 2024 11:20:39 AM
To: codefori/vscode-ibmi
Cc: Aaron Peterson; Mention
Subject: Re: [codefori/vscode-ibmi] EQAVS1007E -self signed certificate error (Issue #2190)

sebjulliand commented 6 days ago

From the IBM i Debugger view, right click on the Debug Service and select Regenerate Service Certificate image

Then select Import. image

A file selection dialog will ask you to choose a PKCS12 certificate file (.pfx file), then you'll be prompted to enter the certificate's password. Then the import process will take care of the rest for you 😊

arco400 commented 5 days ago

@sebjulliand while having exactly the same issue as @AARPETERSON I followed this advice and imported our own (wildcard) certificate and it works great! Many thanks to you both! Regards, Arco.

sebjulliand commented 5 days ago

> @sebjulliand while having exactly the same issue as @AARPETERSON I followed this advice and imported our own (wildcard) certificate and it works great! Many thanks to you both! Regards, Arco.

Excellent! Thanks for letting us know; I'm glad the Import feature worked for you.

arco400 commented 5 days ago

@sebjulliand is it possible to use DCM (Digital Certificate Manager) to create an Application Definition and assign the certificate through that mechanism? I ask because I think it would be nice that when the system admins renew the SSL certificates in DCM, they then have it all in one place to administer.

sebjulliand commented 5 days ago

@arco400 I don't think that's a possibility. As far as I know, the DCM doesn't let you define an Application Definition for any kind of service.

AARPETERSON commented 4 days ago

Good news. I was able to generate a CA signed certificate via Venafi. I now was able to successfully start and connect to the debug service. However - I am now having a new issue when setting a service entry breakpoint for which I will open a new bug.