Open gowerc opened 4 years ago
Related to #986.
Root issue is that remoteExtensionHostAgent.js ignores proxy settings, both from settings.json and the container environment.
You can work around this by telling the file not to require strictSSL and configuring an extra CA cert for node like this in your devcontainer.json:
"remoteEnv": {
"NODE_EXTRA_CA_CERTS": ".devcontainer/corp_ca.crt"
},
"postCreateCommand": "sed -i -e 's/this\\.strictSSL=/this\\.strictSSL=false\\&\\&/g' $(find ~ -name *HostAgent.js)",
If anyone knows which directory remoteExtensionHostAgent.js pulls its settings.json from, a better solution would be to copy your project's settings.json into that directory as a postCreateCommand.
I was able to fix the issue of extensions not installing properly to the remote container (company uses a self-signed MITM certificate) for my container (apachepulsar tutorial) with the following:
{
"image": "apachepulsar/pulsar:2.7.0",
"forwardPorts": [6650, 8080],
"extensions": ["ms-python.python", "ms-python.vscode-pylance", "ms-vscode.cpptools"],
"mounts": [
"source=pulsardata,target=/pulsar/data",
"source=pulsarconf,target=/pulsar/conf"
],
"containerEnv": {
"http_proxy": "<proxy URL>",
"https_proxy": "<proxy URL>"
},
"postCreateCommand": "cp .devcontainer/mycert.crt /usr/local/share/ca-certificates/ && update-ca-certificates"
}
Edit: Seems like in 1.54, the postCreateCommand now runs in the background and doesn't finish before extensions are loaded in the Window. Simplest setup seems to do the cp/update ca portion in a Docker layer, then add "NODE_EXTRA_CA_CERTS": "/etc/ssl/certs/ca-bundle.crt" to containerEnv (or similar path for your distro)
@urscion, many thanks for sharing!
Just my 2¢: If you are using docker-compose to start your dev containers (e.g. "dockerComposeFile": "../docker-compose.yml" in devcontainer.json) just add it to the environment variables in docker-compose.yml:
environment:
- NODE_EXTRA_CA_CERTS=/etc/ssl/certs/ca-bundle.crt
Hi, @nop-ea, I followed your advice and now I have this error during start:
[30213 ms] Start: Run in container: /home/node/.vscode-server/bin/c185983a683d14c396952dd432459097bc7f757f/server.sh --force-disable-user-env --use-host-proxy --port 0 --extensions-download-dir /home/node/.vscode-server/extensionsCache --install-extension dbaeumer.vscode-eslint --install-extension sapse.vscode-cds --install-extension ms-azuretools.vscode-docker --start-server
[30280 ms] Remote-Containers server: Warning: Ignoring extra certs from /etc/ssl/certs/ca-bundle.crt, load failed: error:02001002:system library:fopen:No such file or directory
[30522 ms]
Did you do something else except just giving this variable?
Thanks!
@ThePlenkov, the error message indicates that VS Code could not find the certificate file. In my example I just chose some path and filename, so it might be different in your case.
Here is a more complete example, based on an Ubuntu image:
First, create your image that will be used in your docker-compose.yml file and add the additional certificates:
FROM ubuntu:20.04
# install common CA certificates packages (includes update-ca-certificates command)
RUN apt-get update && apt-get install -y ca-certificates
# copy your additional certificates
COPY ./mycert.crt /usr/local/share/ca-certificates/
# updates file /etc/ssl/certs/ca-certificates.crt
RUN update-ca-certificates
The update-ca-certificates command will update the file /etc/ssl/certs/ca-certificates.crt inside the image, adding your additional certificates.
Now you can set the environment variable in your docker-compose.yml file as mentioned above:
environment:
- NODE_EXTRA_CA_CERTS=/etc/ssl/certs/ca-certificates.crt
Other Linux distributions need different commands but the procedure is the same.
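A pre-flight check for the "Ignoring extra certs ... load failed" warning quoted in this thread, as an added example that is not part of any comment here: it can be run inside the container (for example as a Dockerfile RUN step) before the VS Code server starts. The function name and return codes are choices made for this example, and it only checks that the file holds PEM certificate blocks, not that they form a valid chain.

```shell
#!/bin/sh
# Added example (not from the thread): validate the file that
# NODE_EXTRA_CA_CERTS points at before node silently ignores it.
# Return codes (chosen for this example):
#   0 usable, 1 unset/empty, 2 relative path,
#   3 missing or unreadable, 4 no complete PEM certificate
check_extra_ca_certs() {
    # Use the argument if given, otherwise the environment variable.
    bundle="${1-${NODE_EXTRA_CA_CERTS-}}"

    if [ -z "$bundle" ]; then
        echo "NODE_EXTRA_CA_CERTS is not set" >&2
        return 1
    fi

    # A relative path is resolved against the working directory of the
    # process that reads it, which differs between shells and servers.
    case "$bundle" in
        /*) ;;
        *)  echo "relative path '$bundle' depends on the working directory" >&2
            return 2 ;;
    esac

    # This is the fopen "No such file or directory" case from the log.
    if [ ! -f "$bundle" ] || [ ! -r "$bundle" ]; then
        echo "cannot read '$bundle'" >&2
        return 3
    fi

    # node expects PEM; a DER-encoded .crt has no BEGIN/END markers.
    begins=$(grep -c -e '-----BEGIN CERTIFICATE-----' "$bundle" || true)
    ends=$(grep -c -e '-----END CERTIFICATE-----' "$bundle" || true)
    if [ "$begins" -eq 0 ] || [ "$begins" -ne "$ends" ]; then
        echo "no complete PEM certificate in '$bundle'" >&2
        return 4
    fi

    # Print how many certificates the bundle contains.
    echo "$begins"
    return 0
}

# Usage inside the container:
#   check_extra_ca_certs || echo "fix NODE_EXTRA_CA_CERTS first"
```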
@urscion Does the forwardPorts setting have anything to do with this issue?
Related to this there is the #5620
The root issue here seems to be that the extension host agent running on the container is ignoring settings.json. Is addressing this on the roadmap at all for vscode?
I worked around this problem by adding NODE_EXTRA_CA_CERTS=/home/mike/ca-bundle.crt to the /etc/environment file on the host I was running vscode-server (remote) on. Then disconnected and reconnected vscode to the remote host. Extensions then loaded without error.
I had to get the certificate bundle for our zScaler proxy (our CA Root cert and the signed proxy cert) and I stored that file in my home directory as ca-bundle.crt.
Interestingly, I had already appended this cert bundle to /etc/pki/tls/certs/ca-certificates.crt, but it could be that node is expecting the system certs in some other location. In any case, adding a specific file using the environment variable above seems to work.
So for the benefit of future generations, the nature of the problem here is that node (which vscode server has a packaged binary of) uses its own, pre-baked certificates for TLS. This means that when vscode server runs, it uses that same truststore for TLS validation. So even if you have a container where you bake in the certificate (or a server or whatever your remote runs on), it still won't work as that isn't used by node.
The solutions above (NODE_EXTRA_CA_CERTS) tell node to use some other certs in addition to the ones baked into the binary. So, if you have the cert installed correctly (or if you point to it individually like in some of the examples above), this will work.
Node does support the --use-openssl-ca flag, which tells it to use the regular CA certs (assuming you're on Linux), but I'm not sure how one would go about configuring vscode to adjust the node options.
As a side note, I also had to add NODE_EXTRA_CA_CERTS to containerEnv.
We have been using VS Code with Remote SSH extensions on servers with self-signed certs for 4 years now without any issues. Any idea why this is popping up as an error now? Is it specifically just certain extensions? For us, it is the C# Dev Kit extension.
@xendren With which version did this change? We started loading system certificates on the remote host with VS Code 1.85. (For Remote-WSL and local Dev Containers we also load local certificates.)
That is what we would like to know. Devs have been on that remote Linux server for about a year. We didn’t start receiving the cert error until they cleared their remote server cache and tried to reinstall the extensions. I cleared my cache and updated to the latest VS Code version, and received the error. It seems more like it used to work fine, but then was broken or something was changed with newer vs code version.
@xendren Could you check if it works with VS Code 1.84? (Download links at the top of https://code.visualstudio.com/updates/v1_84.)
Version: 1.45.0
Commit: d69a79b73808559a91206d73d7717ff5f798f23c
Date: 2020-05-07T15:57:33.467Z (5 days ago)
Electron: 7.2.4
Chrome: 78.0.3904.130
Node.js: 12.8.1
V8: 7.8.279.23-electron.0
OS: Darwin x64 18.7.0
I am using a very simple environment using a dockerfile behind a corporate network. I am able to install extensions locally fine without any issues however this fails when attempting to install them within the docker container
.devcontainer.json file:
Dockerfile
When the container is being built I then get the following messages
Note that the container still builds and runs fine, just that when I access it none of the extensions are installed. Though the extensions are all still listed (see screenshot below) and I can click through and manually install them all (with the exception of the python extension that still won't install)
Any advice on how to solve this would be appreciated