microsoft / vscode-azure-account

Common Azure Login extension for VS Code
https://marketplace.visualstudio.com/items?itemName=ms-vscode.azure-account

Opening Cloud Shells fails with "Error: Error: unable to verify the first certificate" #394

Closed dozer75 closed 2 years ago

dozer75 commented 2 years ago

Today, when I try to open a Cloud Shell (both PowerShell and Bash), I can't get it to work. This worked without any issues yesterday, and it is working today when doing it outside of Visual Studio Code (using Windows Terminal), so I suspect that it may be some issue with the new year, and some root certificates that have expired for this extension?

Steps to reproduce:

  1. Ensure that you have a valid cloud shell on your azure account
  2. Log in using the Azure: Sign in command
  3. Try to open either a PowerShell or Bash Cloud Shell using the Azure: Open <shell> in Cloud Shell

Expected result: A cloud shell is opened in the terminal list

Actual result: The error below is displayed

Requesting a Cloud Shell...
Connecting terminal...
Error: Error: unable to verify the first certificate

Environment:

Operating system: Windows 11 Pro OS Build 22000.376

Visual Studio Code: 1.63.2 899d46d82c4c95423fb7e10e68eba52050e30ba3 x64

Azure Account: 0.9.11

dozer75 commented 2 years ago

Deleted an old comment.. For some reason it did work after a short while yesterday.. And it worked today but suddenly it just stopped working with the same error. It can't be related to new year then (just a coincidence that I got this then), but something else...

1lomeno3 commented 2 years ago

I need to report the same issue, tried with several tenants, some are working, some not, no clue what is the root cause.

wwlorey commented 2 years ago

Thanks for reporting @dozer75 and @1lomeno3. This is a strange issue that I have seen myself. Unfortunately we can't do much to mitigate it in the extension because it's a transient issue on the Azure backend side. Since we've seen multiple reports of this I'll escalate it to the Azure Cloud Shell team.

Also, this tends to fix itself after refreshing VS Code or after just waiting for a bit. Please let us know if you run into any more issues.

Closing as duplicate of https://github.com/microsoft/vscode-azure-account/issues/29.

dsajanice commented 2 years ago

@dozer75 @1lomeno3 I work on the CloudShell team and can investigate this issue. Would you be able to send me your tenant ID via email jadsa@microsoft.com. Thanks.

dozer75 commented 2 years ago

@dsajanice You should have an email with my tenant id now.

1lomeno3 commented 2 years ago

@dsajanice for me it suddenly started to work, both PS and bash options...

marco-svitol commented 2 years ago

I use it quite often and 20% of the time it gives me the same error. Restarting VS Code and even Windows doesn't help. It looks like it breaks when the previous connection is closed due to inactivity. It always needs some hours to start working again.

dsajanice commented 2 years ago

Thank you for reporting @marco-svitol. Could you also please send me your tenant ID via email at jadsa@microsoft.com. Since this occurred more recently, the backend logs will be helpful.

ITpro1984 commented 2 years ago

I am getting the same exact error.

My environment:

Visual Studio Windows 10

I am launching the Bash (Azure CLI) via Visual studio code. It was working most of the day.

Requesting a Cloud Shell...
Connecting terminal...
Error: Error: unable to verify the first certificate

ITpro1984 commented 2 years ago

It worked approximately after 2 hrs. :-(

dsajanice commented 2 years ago

Thank you for reporting and following up with tenant IDs. I believe we have identified the root cause. We will test the fix and keep this thread posted on rollout timelines.

marco-svitol commented 2 years ago

that's nice. thanks for your effort. keeping an eye on this thread.

nicdjb commented 2 years ago

So have I got this right, as an engineer I am meant to wait several hours and try again until this eventually works? Looks like we have to find an alternate method for managing deployments. Thanks

SamuelSMendesS commented 2 years ago

Once I reinstalled the Azure CLI extension the error of "unable to verify the first certificate" stopped showing up. I'm new in the business so I can't really point that as a solution. But I wanted to share here so maybe someone with more expertise could look into it.

ashdhalama commented 2 years ago

Thank you for reporting @marco-svitol. Could you also please send me your tenant ID via email at jadsa@microsoft.com. Since this occurred more recently, the backend logs will be helpful.

I am also getting the same error when I try to open Cloud Shells via VS Code.

albert-kevin commented 2 years ago

got the same issues, reinstalled everything, strange...

parallelo commented 2 years ago

I'm seeing these errors too.

Signing in...
Requesting a Cloud Shell...
Connecting terminal...
Error: unable to verify the first certificate

I tried re-installing, but there was no change. I also tried other versions of the Azure Account extension, then did the required reloads; however, the same error always occurs.

Jd33ks commented 2 years ago

I am also stuck with this - it's been driving me mad.

ddrummelsmith commented 2 years ago

I keep getting this error too. I've traced it through the logs in VS Code. For me the source error is related to MFA:

""error":"interaction_required","error_description":"AADSTS50076: Due to a configuration change made by your administrator, or because you moved to a new location, you must use multi-factor authentication to access"

However, I'm unable to get VS Code to prompt for the MFA request. I've uninstalled and reinstalled VS Code and all authentication apps, and tried signing in via the authentication prompts within VS Code.

If anyone has any tips on how to get signed in with vscode and MFA it would be appreciated. I really can't disable MFA on my account just for this.

dsajanice commented 2 years ago

Apologies folks for the delay in rolling out a fix. I acknowledge that this is not a good experience. We are running behind schedule on providing a robust fix. I will commit to providing an update on a fix or a workaround by the end of April.

cymylau commented 2 years ago

Just here to say I have the same issue, trying to evaluate remote Cloud Shell but unable to do so due to the same error message. Appreciate any help / workarounds in the meantime.

jasweaver commented 2 years ago

Just found this, and glad I did. This has been driving me in circles for a week.... uninstall, reinstall, etc., etc. does nothing to fix the issue. Please let us know as soon as you have it working again.

harryvu commented 2 years ago

Got the exact same error. Please fix this and provide any suggestion to work around this. Thanks.

dsajanice commented 2 years ago

Could someone please try the following and let me know if it resolves the issue. Could you please install all the associated intermediate certificates that are listed here: https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/certificate-authorities#associated-intermediate-cas

The reason for this is we recently found an issue in the certificate chain that Cloud Shell was using to establish a TLS session with the client browser. We know that installing the intermediate certificate manually has worked as a mitigation for that issue. If this VS Code issue is resulting from the same root cause, then installing the intermediate certificate manually should work. This is only a workaround and not a final fix. Thank you for your patience.
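The mitigation described in the comment above can be reproduced offline. This is an added example, not code from the extension or the Cloud Shell team; it assumes the chain problem was an intermediate CA certificate that the server did not present, and every certificate name, the `x.cnf` file and the function names are constructed for the demonstration.

```shell
# Constructed chain: root CA -> intermediate CA -> leaf. All names are made up.

# issue DIR NAME SIGNER EXT SUBJECT: create NAME.pem signed by SIGNER's key.
issue() {
  openssl req -new -config "$1/x.cnf" -newkey rsa:2048 -nodes \
    -keyout "$1/$2.key" -out "$1/$2.csr" -subj "$5" 2>/dev/null &&
  openssl x509 -req -in "$1/$2.csr" -CA "$1/$3.pem" -CAkey "$1/$3.key" \
    -CAcreateserial -extfile "$1/x.cnf" -extensions "$4" \
    -out "$1/$2.pem" -days 2 2>/dev/null
}

make_chain() {
  cat > "$1/x.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[v3_leaf]
basicConstraints = CA:FALSE
EOF
  # Self-signed root: the only certificate the client trusts at first.
  openssl req -x509 -config "$1/x.cnf" -extensions v3_ca -newkey rsa:2048 \
    -nodes -keyout "$1/root.key" -out "$1/root.pem" \
    -subj "/CN=Constructed Root CA" -days 2 2>/dev/null &&
  issue "$1" int root v3_ca "/CN=Constructed Intermediate CA" &&
  issue "$1" leaf int v3_leaf "/CN=shell.example.test"
}

# chain_ok ARGS...: true only when `openssl verify` prints "<file>: OK".
chain_ok() { openssl verify "$@" 2>/dev/null | grep -q ': OK$'; }

# verdicts DIR: print PASS/FAIL for the three situations in the thread.
verdicts() {
  cat "$1/root.pem" "$1/int.pem" > "$1/trust.pem"
  # a: server presents only the leaf, client trusts only the root (assumed failure).
  chain_ok -CAfile "$1/root.pem" "$1/leaf.pem" && a=PASS || a=FAIL
  # b: server also presents the intermediate in the handshake.
  chain_ok -CAfile "$1/root.pem" -untrusted "$1/int.pem" "$1/leaf.pem" \
    && b=PASS || b=FAIL
  # c: client installs the intermediate locally (the workaround in the thread).
  chain_ok -CAfile "$1/trust.pem" "$1/leaf.pem" && c=PASS || c=FAIL
  echo "leaf_only=$a server_sends_intermediate=$b client_has_intermediate=$c"
}

work=$(mktemp -d) && make_chain "$work" && verdicts "$work"
```

In Node.js, the message "unable to verify the first certificate" and the error code `UNABLE_TO_VERIFY_LEAF_SIGNATURE` are the same OpenSSL verification result, so both strings reported in this thread describe one condition.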

wwlorey commented 2 years ago

https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/certificate-authorities#associated-intermediate-cas

@dsajanice I installed these four certificates to the system keychain on my M1 Mac and got this error: UNABLE_TO_VERIFY_LEAF_SIGNATURE

cymylau commented 2 years ago

Edited Reply.

From the supplied link, I've downloaded the certs I thought I needed, exported as base64 and created a single file "certbundle.pem".

Updated settings.json file to include this cert bundle using

{
    "http.systemCertificates": true,
    "http.proxySupport": "off",
    "editor.inlineSuggest.enabled": true,
    "NODE_EXTRA_CA_CERTS": "C:/Users/richj/OneDrive/Desktop/certbundle.pem",
}

Now getting same as wwlorey - UNABLE_TO_VERIFY_LEAF_SIGNATURE.

dsajanice commented 2 years ago

Cloud Shell rolled out a cert related update today. We believe it should address this problem. Please retry and confirm. Thanks!

wwlorey commented 2 years ago

It's working for me. Thanks for the work on this, @dsajanice!

smt1821 commented 2 years ago

It works for me as well. Thanks for that.

Jd33ks commented 2 years ago

Working for me now. Thank you.

albert-kevin commented 2 years ago

It works for me as well now too. Thank you !

ddrummelsmith commented 2 years ago

First couple of tests for me are working.

Thank you.

wafzal714 commented 2 years ago

Works for me as well, thank you!

jasweaver commented 2 years ago

I also confirmed it is working for now; both Bash and PWSH; on MAC OSx

cymylau commented 2 years ago

Also working, thanks!