microsoft / vscode-remote-release

Visual Studio Code Remote Development: Open any folder in WSL, in a Docker container, or on a remote machine using SSH and take advantage of VS Code's full feature set.
https://aka.ms/vscode-remote

A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider #10315

Closed dull-bird closed 1 month ago

dull-bird commented 1 month ago

Version: 1.93.1 (user setup)
Commit: 38c31bc77e0dd6ae88a4e9cc93428cc27a56ba40
Date: 2024-09-11T17:20:05.685Z
Electron: 30.4.0
ElectronBuildId: 10073054
Chromium: 124.0.6367.243
Node.js: 20.15.1
V8: 12.4.254.20-electron.0
OS: Windows_NT x64 10.0.22631 (Windows 11)

Steps to Reproduce: run:

code tunnel
2024-09-15 12:33:06.942 [info] [2024-09-15 12:33:06] error failed to lookup tunnel: connection error: error sending request for url (https://asse.rel.tunnels.api.visualstudio.com/tunnels/fancy-chair-2b20skz?includePorts=true&tokenScopes=host&api-version=2023-09-27-preview): error trying to connect: A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider. (os error -2146762487)

I didn't use a proxy.

Is the problem because of the configuration of the certificates?

I tried to install a certificate for installing .NET as in this question, but it doesn't work.

chrmarti commented 1 month ago

@dull-bird Could you install the Network Proxy Test extension (https://marketplace.visualstudio.com/items?itemName=chrmarti.network-proxy-test) and check the output of F1 > Network Proxy Test: Test Connection for https://asse.rel.tunnels.api.visualstudio.com? (This might respond with a 404, but still get us the certificate information.)

@connor4312 How does code tunnel look up root certificates?

dull-bird commented 1 month ago

Thanks for your reply.

Here is the output of running Test Connection:

Note: Make sure to replace all sensitive information with dummy values before sharing this output.

VS Code 1.93.1 (38c31bc77e0dd6ae88a4e9cc93428cc27a56ba40)
Network Proxy Test 0.0.12
win32 10.0.22631 x64

Settings:
- http.proxy: 
- http.proxyAuthorization: null
- http.proxyStrictSSL: false
  - globalValue: false
- http.proxySupport: override
- http.systemCertificates: true

Environment variables:

Sending GET request to https://asse.rel.tunnels.api.visualstudio.com...
vscode-proxy-agent: DIRECT
Received error: unable to verify the first certificate (UNABLE_TO_VERIFY_LEAF_SIGNATURE)
Retrying while ignoring certificate issues to collect information on the certificate chain.

Sending GET request to https://asse.rel.tunnels.api.visualstudio.com (allowing unauthorized)...
vscode-proxy-agent: DIRECT
Received response:
- Status: 403 Forbidden
Certificate chain:
- Subject: rel.tunnels.api.visualstudio.com (Microsoft Corporation)
  Subject alt: DNS:rel.tunnels.api.visualstudio.com, DNS:*.rel.tunnels.api.visualstudio.com, DNS:*.asse.rel.tunnels.api.visualstudio.com
  Validity: Aug 25 13:20:50 2024 GMT - Aug 20 13:20:50 2025 GMT
  Fingerprint: [hidden by me]
  Issuer certificate 'FG5H1E5819903926 (Fortinet)' not in certificate chain of the server.

Last certificate not verified by OS root certificates. This might indicate an issue with the root certificates registered in your OS:
- Make sure that the root certificate for the certificate chain is registered as such in the OS. Use `F1` > `Network Proxy Test: Show OS Certificates` to see the list loaded by VS Code.
- Also make sure that your proxy and server return the complete certificate chain (except possibly for the root certificate).

Sending GET request to https://asse.rel.tunnels.api.visualstudio.com using fetch API...
Received response:
- Status: 404 

Sending GET request to https://asse.rel.tunnels.api.visualstudio.com using fetch API...
Received response:
- Status: 404

I guess Fortinet is some network device or service used in my working environment. When I tried using my phone as a hotspot, the remote tunnel could connect. Do you have any method to avoid this check? I have tried to disable the strict SSL setting in VS Code, but it does not work.

"http.proxyStrictSSL": false

chrmarti commented 1 month ago

I guess this Fortinet certificate might be in the intermediate CA certificates on your Windows install (going by the fetch network requests getting the expected 404). We only read the root certificates for the first check above. @connor4312 will know what code tunnel does.

It would help with other network requests if you could copy the Fortinet certificate also to the root certificates. Windows key > Manage Computer Certificates > Trusted Root Certification Authorities lists the root certificates, Intermediate Certification Authorities might list this Fortinet certificate.
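
A read-only way to make the store check described in the comment above, as an added example that is not part of the original thread or the VS Code project: it reports which Windows store holds a matching certificate, whether it looks self-signed, and whether it is marked as a CA. The match string `Fortinet` and the variable names are assumptions; the script changes nothing in the stores.

```powershell
# Added example (not from the thread): locate an inspection CA in the Windows stores.
# Assumption: the certificate subject contains "Fortinet"; change $Pattern to suit.
$Pattern = 'Fortinet'

$stores = [ordered]@{
    'Trusted Root Certification Authorities' = 'Root'
    'Intermediate Certification Authorities' = 'CA'
}

$results = foreach ($location in 'LocalMachine', 'CurrentUser') {
    foreach ($entry in $stores.GetEnumerator()) {
        Get-ChildItem -Path "Cert:\$location\$($entry.Value)" |
            Where-Object { $_.Subject -like "*$Pattern*" } |
            ForEach-Object {
                $cert = $_
                # Basic Constraints states whether the certificate may act as a CA.
                $bc = $cert.Extensions |
                    Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension] } |
                    Select-Object -First 1
                [pscustomobject]@{
                    Location   = $location
                    Store      = $entry.Key
                    Subject    = $cert.Subject
                    # Heuristic: subject equal to issuer means self-signed.
                    SelfSigned = ($cert.Subject -eq $cert.Issuer)
                    IsCA       = [bool]($bc -and $bc.CertificateAuthority)
                    NotAfter   = $cert.NotAfter
                    Thumbprint = $cert.Thumbprint
                }
            }
    }
}

if (-not $results) {
    Write-Output "No certificate matching '$Pattern' in the Root or Intermediate stores."
} else {
    $results | Format-Table -AutoSize
    if (-not ($results | Where-Object { $_.Store -like 'Trusted Root*' })) {
        # A client that loads only root certificates cannot anchor this chain.
        Write-Output 'Match found only outside the root store.'
    }
}
```

A match that appears only under Intermediate Certification Authorities is consistent with the test output above, where the root-only check fails while the fetch requests succeed.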

vs-code-engineering[bot] commented 1 month ago

This issue has been closed automatically because it needs more information and has not had recent activity. See also our issue reporting guidelines.

Happy Coding!

dmonder commented 1 month ago

I am not sure how to fix this. I have a similar problem. The Fortinet certificate is self-signed as in dull-bird's output above.

When I show certificates (using Network Proxy Test: Show OS Certificates), a personal certificate is the first one listed, but it says Not a CA. The Fortinet entry is not in this list.

How does one fix this issue?