chrmarti
commented
4 years ago Related to #986.
Open gowerc opened 4 years ago
chrmarti
commented
4 years ago Related to #986.
southwood
commented
3 years ago Root issue is that remoteExtensionHostAgent.js ignores proxy settings, both from settings.json and the container environment.
You can work around this by telling the file not to require strictSSL and configuring an extra CA cert for node like this in your devcontainer.json
"remoteEnv": {
"NODE_EXTRA_CA_CERTS": ".devcontainer/corp_ca.crt"
},
"postCreateCommand": "sed -i -e 's/this\\.strictSSL=/this\\.strictSSL=false\\&\\&/g' $(find ~ -name *HostAgent.js)",If anyone knows which directory remoteExtensionHostAgent.js pulls its settings.json from, a better solution would be to copy your project's settings.json into that directory as a postCreateCommand.
urscion
commented
3 years ago I was able to fix the issue of extensions not installing properly to the remote container (company uses a self-signed MITM certificate) for my container (apachepulsar tutorial) with the following:
{
"image": "apachepulsar/pulsar:2.7.0",
"forwardPorts": [6650, 8080],
"extensions": ["ms-python.python", "ms-python.vscode-pylance", "ms-vscode.cpptools"],
"mounts": [
"source=pulsardata,target=/pulsar/data",
"source=pulsarconf,target=/pulsar/conf"
],
"containerEnv": {
"http_proxy": "<proxy URL>",
"https_proxy": "<proxy URL>"
},
"postCreateCommand": "cp .devcontainer/mycert.crt /usr/local/share/ca-certificates/ && update-ca-certificates"
}Edit: Seems like in 1.54, the postCreateCommand now runs in the background and doesn't finish before extensions are loaded in the Window. Simplest setup seems to do the cp/update ca portion in a Docker layer, then add "NODE_EXTRA_CA_CERTS": "/etc/ssl/certs/ca-bundle.crt" to containerEnv (or similar path for your distro)
nop-ea
commented
3 years ago @urscion, many thanks for sharing!
Just my 2¢: If you are using docker-compose to start your dev containers (e.g. "dockerComposeFile": "../docker-compose.yml in devcontainer.json) just add it to the environment variables in docker-compose.yml:
environment:
- NODE_EXTRA_CA_CERTS=/etc/ssl/certs/ca-bundle.crt
ThePlenkov
commented
3 years ago environment: - NODE_EXTRA_CA_CERTS=/etc/ssl/certs/ca-bundle.crt
HI, @nop-ea i followed your advise and now I have this error during start:
30213 ms] Start: Run in container: /home/node/.vscode-server/bin/c185983a683d14c396952dd432459097bc7f757f/server.sh --force-disable-user-env --use-host-proxy --port 0 --extensions-download-dir /home/node/.vscode-server/extensionsCache --install-extension dbaeumer.vscode-eslint --install-extension sapse.vscode-cds --install-extension ms-azuretools.vscode-docker --start-server [30280 ms] Remote-Containers server: Warning: Ignoring extra certs from/etc/ssl/certs/ca-bundle.crt, load failed: error:02001002:system library:fopen:No such file or directory [30522 ms]
Did you do something else ecept just giving this variable?
Thanks!
nop-ea
commented
3 years ago @ThePlenkov, the error message indicates that VS Code could not find the certificate file. In my example I just chose some path and filename, so it might different in your case.
Here a more complete example - based on a Ubuntu image:
First, create your image that will be used in your docker-compose.yml file and add the additional certificates:
FROM ubuntu:20.04
# install common CA certicates packages (includes update-ca-certificates command)
RUN apt-get update && apt-get install -y ca-certificates
# copy your additional certificates
COPY ./mycert.crt /usr/local/share/ca-certificates/
# updates file /etc/ssl/certs/ca-certificates.crt
RUN update-ca-certificatesThe updata-ca-certificates command will update the file /etc/ssl/certs/ca-certificates.crt inside the image adding your additional certificates.
Now you can set the environment variable in your docker-compose.yml file as mentioned above:
environment:
- NODE_EXTRA_CA_CERTS=/etc/ssl/certs/ca-certificates.crtOther Linux distributions need different commands but the procedure is the same.
dovidweisz
commented
3 years ago @urscion Does the forwardPorts setting have anything to do with this issue?
zioalex
commented
3 years ago Related to this there is the #5620
AndrewHannigan
commented
2 years ago Seems the root issue here seems to be that the extension host agent running on the container is ignoring settings.json. Is addressing this on the roadmap at all for vscode?
oshea00
commented
2 years ago I worked around this problem by adding NODE_EXTRA_CA_CERTS=/home/mike/ca-bundle.crt to the /etc/environment file on the host I was running vscode-server (remote) on. Then disconnected and reconnected vscode to the remote host. Extensions then loaded without error.
I had to get the certificate bundle for our zScaler proxy (our CA Root cert and the signed proxy cert) and I stored that file in my home directory as ca-bundle.crt.
Interestingly, I had already appended this cert bundle to /etc/pki/tls/certs/ca-certificates.crt, but it could be that node is expecting the system certs in some other location. In any case, adding a specific file using the environment variable above seems to work.
tpyle
commented
1 year ago So for the benefit of future generations, the nature of the problem here is that node (which vscode server has a packaged binary of) uses it's own, pre-baked certificates for TLS. This means, that when vscode server runs, it uses that same truststore for TLS validation. So even if you have a container where you bake in the certificate (or a server or whatever your remote runs on), it still won't work as that isn't used by node.
The solutions above (NODE_EXTRA_CA_CERTS) tell node to use some other certs in addition to the ones baked into the binary. So, if you have the cert installed correctly (or if you point to it individually like in the some of the examples above), this will work.
Node does support the --use-openssl-ca flag, which tells it use the regular CA certs (assuming you're on linux), but I'm not sure how one would go about configuring vscode to adjust the node options.
As a side note, I also had to add NODE_EXTRA_CA_CERTS to containerEnv.
xendren
commented
7 months ago We have been using VS Code with Remote SSH extensions on servers with self-signed certs for 4 years now without any issues. Any idea why this is popping up as an error now? Is it specificity the just certain extensions? For us, it is the C# Dev Kit extension.
chrmarti
commented
7 months ago @xendren With which version did this change? We started loading system certificates on the remote host with VS Code 1.85. (For Remote-WSL and local Dev Containers we also load local certificates.)
xendren
commented
7 months ago @xendren With which version did this change? We started loading system certificates on the remote host with VS Code 1.85. (For Remote-WSL and local Dev Containers we also load local certificates.)
That is what we would like to know. Devs have been on that remote Linux server for about a year. We didn’t start receiving the cert error until they cleared their remote server cache and tried to reinstall the extensions. I cleared my cache and updated to the latest VS Code version, and received the error. It seems more like it used to work fine, but then was broken or something was changed with newer vs code version.
chrmarti
commented
7 months ago @xendren Could you check if it works with VS Code 1.84? (Download links at the top of https://code.visualstudio.com/updates/v1_84.)
Version: 1.45.0 Commit: d69a79b73808559a91206d73d7717ff5f798f23c Date: 2020-05-07T15:57:33.467Z (5 days ago) Electron: 7.2.4 Chrome: 78.0.3904.130 Node.js: 12.8.1 V8: 7.8.279.23-electron.0 OS: Darwin x64 18.7.0
I am using a very simple environment using a dockerfile behind a corporate network. I am able to install extensions locally fine without any issues however this fails when attempting to install them within the docker container
.devcontainer.json file:
Dockerfile
When the container is being built I then get the following messages
Note that the container still builds and runs fine, just that when I access it none of the extensions are installed. Though the extensions are all still listed (see screenshot below) and I can click through and manually install them all (with the exception of the python extension that still won't install)
Any advice on how to solve this would be appreciated