marcellourbani / vscode_abap_remote_fs

Remote filesystem for ABAP systems
MIT License
170 stars 28 forks

Unable to verify the first certificate with version 1.7.2 #201

Closed maggiv8 closed 6 months ago

maggiv8 commented 10 months ago

Hi there,

I am connecting to my S4/2021 system via a certificate installed on operating system level (Ubuntu 22.04). A connectivity test using this certificate to connect to the SAP server works fine on operating system level by entering the following command:

openssl s_client -connect abc.com:44301 -CApath /etc/ssl/certs

Part of the output is:

SSL handshake has read 1702 bytes and written 426 bytes
Verification: OK

New, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated

It was all working fine until version 1.7.2. Since I upgraded to version 1.7.2 I can't commit any changes anymore to the backend as I am getting the following error message in the ABAP FS output:

Exception in document symbol: unable to verify the first certificate
[Error - 06:22:06] Request textDocument/formatting failed.
Message: Request textDocument/formatting failed with message: unable to verify the first certificate
Code: -32603

Any help would be highly appreciated as I like working with VS Code for ABAP. Thank you. Kind regards Christoph

When reverting back to version 1.7.1, everything is working fine again.

marcellourbani commented 10 months ago

This will be hard to troubleshoot. I have a hunch it might depend on a package upgrade; I reverted it and will publish a new version in minutes. Please let me know if it did the trick.

maggiv8 commented 10 months ago

Fantastic, thank you so much Marcello. You fixed my issue :) It works fine now with version 1.7.3

marcellourbani commented 10 months ago

Thanks for the confirmation. I will risk reintroducing this at the next update. Would you be available to test a dev build before I release it?

maggiv8 commented 10 months ago

Yes sure, just let me know when and I can test it.

On Thu, 9 Nov 2023, 21:45 Marcello Urbani, @.***> wrote:

Thanks for the confirmation. I will risk reintroducing this at the next update. Would you be available to test a dev build before I release it?


marcellourbani commented 9 months ago

@maggiv8 Can you please test this 1.7.4 preview

maggiv8 commented 9 months ago

@maggiv8 Can you please test this 1.7.4 preview

Unfortunately the same error occurs again in this version (i.e. Exception in document symbol: unable to verify the first certificate). I can create a test user for you in my S4 system if you like and provide the certificate to you. This way you can test it out yourself (assuming/hoping you run VSCode on Ubuntu).

marcellourbani commented 9 months ago

@maggiv8 This would be fantastic. I don't even need a user, as I can tell a login error from a TLS validation one. I run Arch btw, pretty sure it won't be an issue.

marcellourbani commented 9 months ago

@maggiv8 are you sure you installed this? Just tried with my own server and my own CA and worked

maggiv8 commented 9 months ago

@maggiv8 are you sure you installed this? Just tried with my own server and my own CA and worked

Yes, I did. If I could get your email address please I can send you the server details, login data and the corresponding certificate.

marcellourbani commented 9 months ago

Thanks. It's marcello.urbani at gmail.com, I believe it's in my profile

catbuubuu commented 6 months ago

I'm getting the same error on version 1.7.3 and 1.7.4 preview. Any updates on this?

marcellourbani commented 6 months ago

@catbuubuu I tested this in house both with allowSelfSigned and customCA, and works fine

If you have a public url I can have a look. Don't need to access the system, this would fail even before authentication

maggiv8 commented 6 months ago

Hi there,

if you copy your certificate details into the configuration file, then it should work. The configuration file should look like this:

{
"folders": [
    { "name": "sapclientxxx(ABAP)", "uri": "adt://sapclientxxx" },
    { "name": "Main", "path": "." }
],
"settings": {
    "abapfs.remote": {
        "sapclientxxx": {
            "url": "https://server:port/",
            "username": "user",
            "password": "pwd",
            "client": "xxx",
            "language": "xx",
            //"allowSelfSigned": true,
            "customCA": "-----BEGIN CERTIFICATE-----\n AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\n AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\n AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\n AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\n AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\n AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\n AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\n AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\n AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\n AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\n AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\n AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\n AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\n AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\n AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\n AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\n AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\n AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\n AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\n AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\n AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\n AAAAAAAAAAAAAAAA\n -----END CERTIFICATE-----",
            "sapGui": {
                "server": "server:port",
                "systemNumber": "xx"
            }
        }
    }
}
}

I hope this helps. Best, C.

maggiv8 commented 6 months ago

Hi there,

I just realised that I tested on version 1.7.3. I then upgraded to 1.7.4 and 1.7.5, and in both versions the same issue occurs again. @marcellourbani: any chance you could look into this again, if possible please? Happy to provide you my server details again just like we did last time.

Thank you. Best, C.

marcellourbani commented 6 months ago

@maggiv8 yes sure. Please send me the details.

maggiv8 commented 6 months ago

Thank you so much. I have sent you the system and connection details via email.

marcellourbani commented 6 months ago

@maggiv8 thanks for providing a test server. This works now (7.3 basically enforced allowSelfSigned for all, which was wrong).

The problem was in your configuration, which had spaces at every newline. A certificate is a base64 encoded binary; newlines are ignored and spaces are not allowed. @catbuubuu you might have the same issue.

{
    "abapfs.remote": {
        "sapclientxxx": {
            "url": "https://server:port/",
            "username": "user",
            "password": "pwd",
            "client": "xxx",
            "language": "xx",
            //"allowSelfSigned": true,
            "customCA": "-----BEGIN CERTIFICATE-----\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAA\n-----END CERTIFICATE-----",
            "sapGui": {
                "server": "server:port",
                "systemNumber": "xx"
            }
        }
    }
}
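
A lint check for the problem identified in the comment above (whitespace around the `\n` separators of a `customCA` PEM string), added here as an example; it is not part of the thread or of the extension's code. The function names `lintPem` and `normalizePem` are hypothetical, and the sample PEM is constructed filler bytes, not a real certificate.

```javascript
// Added example: lint a PEM string before pasting it into the "customCA" setting.
const B64_LINE = /^[A-Za-z0-9+/]+={0,2}$/;

// Returns a list of problems; an empty list means the PEM is structurally clean.
function lintPem(pem) {
  const problems = [];
  const lines = pem.split(/\r?\n/);
  while (lines.length && lines[lines.length - 1] === "") lines.pop(); // a final newline is fine
  lines.forEach((line, i) => {
    if (line !== line.trim()) problems.push(`line ${i + 1}: leading or trailing whitespace`);
  });
  const t = lines.map((l) => l.trim());
  const begin = t.indexOf("-----BEGIN CERTIFICATE-----");
  const end = t.indexOf("-----END CERTIFICATE-----");
  if (begin === -1 || end <= begin) {
    problems.push("missing or misordered BEGIN/END CERTIFICATE markers");
    return problems;
  }
  const body = t.slice(begin + 1, end);
  body.forEach((line, i) => {
    if (!B64_LINE.test(line)) problems.push(`line ${begin + i + 2}: not base64`);
  });
  const der = Buffer.from(body.join(""), "base64");
  // An X.509 certificate is a DER SEQUENCE, so the first decoded byte must be 0x30.
  if (der.length === 0 || der[0] !== 0x30) problems.push("body does not decode to a DER SEQUENCE");
  return problems;
}

// Strip per-line whitespace and blank lines, the repair applied to the config in this thread.
function normalizePem(pem) {
  return pem.split(/\r?\n/).map((l) => l.trim()).filter(Boolean).join("\n") + "\n";
}

// Constructed sample: DER-shaped filler bytes, NOT a real certificate.
const filler = Buffer.concat([Buffer.from([0x30, 0x82, 0x01, 0x00]), Buffer.alloc(256, 0x41)]);
const wrapped = filler.toString("base64").match(/.{1,64}/g);
const cleanPem = ["-----BEGIN CERTIFICATE-----", ...wrapped, "-----END CERTIFICATE-----"].join("\n");
// Same content with a space after every newline, as in the failing configuration.
const spacedPem = cleanPem.replace(/\n/g, "\n ");

console.log(lintPem(spacedPem).length, "problems before,",
  lintPem(normalizePem(spacedPem)).length, "after normalizing");
```

The check is structural only: it does not verify that the certificate is the CA that actually signed the server's certificate, which still needs a real handshake to confirm.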

maggiv8 commented 6 months ago

Thank you so much @marcellourbani . It works now again with version 1.7.5