Open spirilis opened 1 year ago
I'm having the exact same issue with a custom root CA and there is no way to set NODE_EXTRA_CA_CERTS.
I created a custom feature that installs the CA in the devcontainer, but unfortunately I cannot even get to that step due to the issue described above.
[uncaught exception in sharedProcess]:
unable to verify the first certificate:
Error: unable to verify the first certificate
at TLSSocket.onConnectSecure (node:_tls_wrap:1535:34)
at TLSSocket.emit (node:events:513:28)
at TLSSocket._finishInit (node:_tls_wrap:949:8)
at ssl.onhandshakedone (node:_tls_wrap:730:12)
I was able to solve it by going back to an old version of the dev containers extension. I haven't pinpointed exactly which version did the trick, but it is somewhere between 0.288.1 and 0.245.2 (where I confirmed the last one is working, and the first one is not).
Steps to Reproduce:
This is an oddball scenario I hope nobody else has to deal with, but I have a feeling some do...
The likely cause of this is that my local workstation has a corporate-installed security tool called "Cisco Umbrella Client" which performs Man-in-the-Middle tunneling of all outbound TLS connections so that TLS traffic may be inspected inline by a security reporting tool. As a result, all TLS connections need to validate using the Cisco Umbrella root CA, which is installed on this workstation.
Remote-SSH to linux host with docker (toybox)
Start a new Dev Container - Node.js w/ TypeScript
Click "Show Log" before the dialog box disappears
Logs show:
The VSCode node.js executor here (running locally, using the devContainersSpecCLI.js running inside my Windows workstation, not on the remote host) does not seem to be honoring the local certificate store in this manner.
I do not have any specific logs to corroborate this, but I'm guessing that it's choking when reaching out to ghcr.io to read the "ghcr.io/devcontainers/templates/typescript-node:latest" manifest.
I've tried setting NODE_EXTRA_CA_CERTS to a copy of the Cisco Umbrella CA certificate but this made no difference; I still got UNABLE_TO_GET_ISSUER_CERT_LOCALLY.
Is there any way to disable TLS certificate validation for the devContainersSpecCLI.js templates apply portion of this, or force it to use the local certificate store, or specify extra root CAs using an environment variable (like NODE_EXTRA_CA_CERTS)?
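
A check for the file handed to NODE_EXTRA_CA_CERTS, added here as an example and not code from the posters or from the Dev Containers extension: Node.js expects that file to contain PEM certificates, so the script flags unreadable, DER-encoded and unparsable files and lists subject and issuer for the rest. `checkExtraCaFile`, `runSamples` and the sample files are constructed for illustration.

```javascript
const fs = require('node:fs');
const os = require('node:os');
const path = require('node:path');
const { X509Certificate } = require('node:crypto');

const PEM_BLOCK = /-----BEGIN CERTIFICATE-----[\s\S]+?-----END CERTIFICATE-----/g;

// Hypothetical helper: returns { ok, problem, certs } for a candidate CA file.
function checkExtraCaFile(file) {
  let raw;
  try {
    raw = fs.readFileSync(file);
  } catch (err) {
    return { ok: false, problem: `unreadable: ${err.code}`, certs: [] };
  }
  const blocks = raw.toString('latin1').match(PEM_BLOCK) || [];
  if (blocks.length === 0) {
    // 0x30 0x82 is the ASN.1 SEQUENCE header that opens a DER (binary) certificate.
    const isDer = raw[0] === 0x30 && raw[1] === 0x82;
    const problem = isDer ? 'DER encoded, PEM required' : 'no PEM certificate found';
    return { ok: false, problem, certs: [] };
  }
  const certs = [];
  for (const pem of blocks) {
    try {
      const c = new X509Certificate(pem);
      certs.push({ subject: c.subject, issuer: c.issuer, isCa: c.ca,
        selfIssued: c.subject === c.issuer, validTo: c.validTo });
    } catch {
      return { ok: false, problem: 'unparsable PEM block', certs };
    }
  }
  // c.ca is undefined on older Node.js releases; only an explicit false fails.
  const hasCa = certs.some((c) => c.isCa !== false);
  return { ok: hasCa, problem: hasCa ? null : 'no CA certificate in file', certs };
}
// Constructed sample inputs (no real certificate material).
function runSamples() {
  const dir = fs.mkdtempSync(path.join(os.tmpdir(), 'extra-ca-'));
  const der = path.join(dir, 'root.cer');
  const bad = path.join(dir, 'bad.pem');
  fs.writeFileSync(der, Buffer.from([0x30, 0x82, 0x03, 0x10, 0x30, 0x82]));
  fs.writeFileSync(bad, '-----BEGIN CERTIFICATE-----\nAAAA\n-----END CERTIFICATE-----\n');
  return { missing: checkExtraCaFile(path.join(dir, 'absent.pem')),
    der: checkExtraCaFile(der), bad: checkExtraCaFile(bad) };
}

const target = process.env.NODE_EXTRA_CA_CERTS;
console.log(target ? checkExtraCaFile(target) : runSamples());
```

With NODE_EXTRA_CA_CERTS set, the script checks that file; otherwise it runs the constructed samples. Node.js reads the variable only when the process starts, so it has to be set in the environment that launches the process.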