microsoft / vscode-remote-release

Visual Studio Code Remote Development: Open any folder in WSL, in a Docker container, or on a remote machine using SSH and take advantage of VS Code's full feature set.
https://aka.ms/vscode-remote

Cloning to development container and extensions fail with self-signed SSL certificate #3713

Open KenxinKun opened 4 years ago

KenxinKun commented 4 years ago

I have found two issues when working with development containers that are related to self-signed SSL certificates:

1) When trying to install extensions through `.devcontainer.json`, this fails due to being behind a corporate firewall that introduces self-signed certificates. Settings specified in the "non-containerised" VS Code to ignore SSL errors do not propagate down to the container created to install the extensions in the remote environment.

2) When trying to directly clone a repository into a container volume, since I am cloning from our own git servers, which also issue the same problematic self-signed certificate, the cloning fails. Note that since cloning fails, no settings can be retrieved from `.devcontainer.json` either, so the solution can't rely on that.

Workarounds found so far:

1) For the extensions, they manually install fine after container creation. In a separate issue it was specified that mounting additional volumes can make them persistent but it's not a fully automated solution. In my own containers I'm installing the self-signed certificate as a trusted CA too.

2) For the git cloning, I've manually modified the Dockerfile used by the extension located at `C:\Users\{username}\.vscode\extensions\ms-vscode-remote.remote-containers-0.140.1\scripts\volumeBootstrap.Dockerfile` and simply added an extra command at the end: `RUN git config --global http.sslVerify false`. This allowed the cloning to work without issue.

It would be ideal if the extension would nicely propagate the settings around SSL down to the underlying.

Otherwise the extension is pretty amazing :)

josh-barker-coles commented 4 years ago

Hi @KenxinKun,

I may have found a solution to your first issue.

I needed to add the following to devcontainer.json so that the extensions would install automatically when rebuilding the container.

```jsonc
{
    "name": "myDevContainer",
    // ...
    "containerEnv": {
        "NODE_EXTRA_CA_CERTS": "/etc/pki/tls/certs/ca-bundle.crt"
    }
    // ...
}
```

The value is the file path that contains the bundle of MITM cert + the default certs.

I had tried setting NODE_EXTRA_CA_CERTS in the remoteEnv section, but that didn't help because the variable wasn't set before running the install extensions command.
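Before pointing `NODE_EXTRA_CA_CERTS` at a file, it is worth checking that the bundle really contains the corporate MITM CA and still contains the default roots. The following is an added example (not code from this thread or from the extension): it merges a corporate CA into a bundle keyed by SHA-256 fingerprint, checks for its presence, and emits the `containerEnv` fragment shown above; the certificate bodies and the bundle path are constructed placeholders.

```python
import base64
import hashlib
import json
import re

# Added example, not code from the issue thread. It builds and checks the file that
# NODE_EXTRA_CA_CERTS points at: the default CA bundle plus the corporate MITM CA.
# Every certificate body used below is a constructed placeholder, not a real cert.
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)


def split_bundle(pem_text):
    """Return the DER bytes of every certificate block in a PEM bundle."""
    return [base64.b64decode("".join(body.split())) for body in PEM_RE.findall(pem_text)]


def fingerprint(der):
    """SHA-256 fingerprint (lowercase hex); pin this value rather than trusting a path."""
    return hashlib.sha256(der).hexdigest()


def to_pem(der):
    """Wrap DER bytes as a PEM certificate block with 64-character lines."""
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


def merge_bundle(default_pem, extra_pem):
    """Append certs from extra_pem that default_pem lacks (by fingerprint). The default
    roots are kept rather than replaced, and re-running on the result changes nothing."""
    have = {fingerprint(d) for d in split_bundle(default_pem)}
    out = default_pem if default_pem.endswith("\n") else default_pem + "\n"
    for der in split_bundle(extra_pem):
        if fingerprint(der) not in have:
            out += to_pem(der)
            have.add(fingerprint(der))
    return out


def bundle_contains(pem_text, expected_fp):
    """True if a certificate with the given SHA-256 fingerprint is in the bundle."""
    want = expected_fp.lower().replace(":", "")
    return any(fingerprint(d) == want for d in split_bundle(pem_text))


def devcontainer_env(bundle_path):
    """The containerEnv fragment from the thread, pointing at the verified bundle path."""
    return json.dumps({"containerEnv": {"NODE_EXTRA_CA_CERTS": bundle_path}}, indent=2)


# Constructed sample input: two placeholder "default" roots and one placeholder corporate CA.
DEFAULT_BUNDLE = to_pem(b"constructed default root 1") + to_pem(b"constructed default root 2")
CORP_CA_DER = b"constructed corporate MITM CA (placeholder, not a real certificate)"
CORP_CA_PEM = to_pem(CORP_CA_DER)
```

Run `bundle_contains(merge_bundle(DEFAULT_BUNDLE, CORP_CA_PEM), fingerprint(CORP_CA_DER))` against your real bundle and the fingerprint your security team publishes; a `False` here is the usual reason the extension install still fails after the setting is added.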

phillipcaofph commented 3 years ago

I have a similar kind of issue when building `volumeBootstrap.Dockerfile` because I'm behind a corporate firewall.

```text
[9362 ms] Start: Run: docker build -f c:\Users\{username}\.vscode\extensions\ms-vscode-remote.remote-containers-0.166.1\scripts\volumeBootstrap.Dockerfile -t vsc-volume-bootstrap c:\Users\{username}\.vscode\extensions\ms-vscode-remote.remote-containers-0.166.1\scripts

[+] Building 9.8s (5/5) FINISHED
 => [internal] load build definition from volumeBootstrap.Dockerfile       0.1s
 => => transferring dockerfile: 168B                                       0.0s
 => [internal] load .dockerignore                                          0.0s
 => => transferring context: 2B                                            0.0s
 => [internal] load metadata for docker.io/library/alpine:3.13.2           6.2s
 => CACHED [1/2] FROM docker.io/library/alpine:3.13.2@sha256:a75afd8b57e7  0.0s
 => ERROR [2/2] RUN apk add --no-cache  nodejs  git  openssh-client  dock  3.3s
------
 > [2/2] RUN apk add --no-cache         nodejs  git     openssh-client  docker-cli      docker-compose  ;:
#5 2.375 fetch https://dl-cdn.alpinelinux.org/alpine/v3.13/main/x86_64/APKINDEX.tar.gz
#5 3.105 139641544629064:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:ssl/statem/statem_clnt.c:1913:
#5 3.108 WARNING: Ignoring https://dl-cdn.alpinelinux.org/alpine/v3.13/main: Permission denied
#5 3.108 fetch https://dl-cdn.alpinelinux.org/alpine/v3.13/community/x86_64/APKINDEX.tar.gz
#5 3.255 139641544629064:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:ssl/statem/statem_clnt.c:1913:
#5 3.258 WARNING: Ignoring https://dl-cdn.alpinelinux.org/alpine/v3.13/community: Permission denied
#5 3.258 ERROR: unable to select packages:
#5 3.261   docker-cli (no such package):
#5 3.261     required by: world[docker-cli]
#5 3.261   docker-compose (no such package):
#5 3.261     required by: world[docker-compose]
#5 3.261   git (no such package):
#5 3.261     required by: world[git]
#5 3.261   nodejs (no such package):
#5 3.261     required by: world[nodejs]
#5 3.261   openssh-client (no such package):
#5 3.261     required by: world[openssh-client]
------
executor failed running [/bin/sh -c apk add --no-cache  nodejs  git     openssh-client  docker-cli      docker-compose  ;]: exit code: 5
```

FortinFred commented 3 years ago

@phillipcaofph I have the same issue.

See: https://github.com/microsoft/vscode-remote-release/issues/5052

Downgrading the VS Code plugin worked for me.

It seems related to Alpine switching to HTTPS for APK which is used by VS Code to bootstrap the volume before creating the Dev container.

jeeftor commented 2 years ago

I've run into this as well - it's very annoying.

NebraskaCoder commented 2 years ago

Any luck on this for his second issue?

ray-kaminski commented 2 years ago

Downgrading also worked for me.

FortinFred commented 2 years ago

Was able to upgrade the extension lately but have to modify the extension's bootstrap Dockerfile.

Modify the `C:\Users\\AppData\Local\Temp\vsch\bootstrap-image\\bootstrap.Dockerfile` file so that it looks like this (replace the zeroes with your certificate):

        FROM mcr.microsoft.com/vscode/devcontainers/base:0-alpine-3.14

        # Add the following block
        RUN echo -e '-----BEGIN CERTIFICATE-----\n\
        0000000000000000000000000000000000000000000000000000000000000000\n\
        0000000000000000000000000000000000000000000000000000000000000000\n\
        0000000000000000000000000000000000000000000000000000000000000000\n\
        0000000000000000000000000000000000000000000000000000000000000000\n\
        0000000000000000000000000000000000000000000000000000000000000000\n\
        0000000000000000000000000000000000000000000000000000000000000000\n\
        0000000000000000000000000000000000000000000000000000000000000000\n\
        0000000000000000000000000000000000000000000000000000000000000000\n\
        0000000000000000000000000000000000000000000000000000000000000000\n\
        0000000000000000000000000000000000000000000000000000000000000000\n\
        0000000000000000000000000000000000000000000000000000000000000000\n\
        0000000000000000000000000000000000000000000000000000000000000000\n\
        0000000000000000000000000000000000000000000000000000000000000000\n\
        0000000000000000000000000000000000000000000000000000000000000000\n\
        0000000000000000000000000000000000000000000000000000000000000000\n\
        0000000000000000000000000000000000000000000000000000000000000000\n\
        0000000000000000000000000000000000000000000000000000000000000000\n\
        0000000000000000000000000000000000000000000000000000000000000000\n\
        0000000000000000000000000000000000000000000000000000000000000000\n\
        0000000000000000000000000000000000000000000000000000000000000000\n\
        0000000000000000000000000000000000000000000000000000000000000000\n\
        0000000000000000000000000000000000000000000000000000000000000000\n\
        0000000000000000000000000000000000000000000000000000000000000000\n\
        0000000000000000000000000000000000000000000000000000000000000000\n\
        0000000000000000000000000000000000000000000000000000000000000000\n\
        00000000000000000000000000000000000000000\n\
        -----END CERTIFICATE-----' > /etc/ssl/certs/ca-certificates.crt \
        && cp /etc/ssl/certs/ca-certificates.crt /usr/local/share/ca-certificates/ \
        && apk add ca-certificates --no-cache && update-ca-certificates

        RUN apk add --no-cache \
            nodejs \
            npm \
            make \
            g++ \
            docker-cli \
            docker-compose \
            ;

        RUN cd && npm i node-pty

        COPY .vscode-remote-containers /root/.vscode-remote-containers
OneCyrus commented 1 year ago

this limitation is really painful for us. we would like a way to have a ready-to-use environment. maybe it would be an option to just download the devcontainer folder and use that instead of a bootstrapping dockerfile when a devcontainer is in the repo.

FortinFred commented 1 year ago

This workaround no longer works with version above 2.66. It seems that the dockerfile now downgrades to an old alpine ssh package.

Does it mean I have to add the certificate elsewhere now?

resried commented 1 year ago

For me it still works with Version 0.275.1 of the container-images. But there are several paths involved: `C:\Users\\AppData\Local\Temp\vsch\bootstrap-image\0.275.1\bootstrap.Dockerfile` and `C:\Users\.vscode\extensions\ms-vscode-remote.remote-containers-0.275.1\scripts\bootstrap.Dockerfile`

sometimes the inspect-volume is also used, then you have to add it also to those...

OneCyrus commented 1 year ago

we use crip to rip the public key from the certs and add them to the store. this works great in all dockerfiles which we can commit to the repo. BUT it's a real pain with this bootstrapping container which is not part of the repo, and each dev needs to hack around in these files to get this working. there should just be an easy (in-a-repo hostable) solution which applies automatically when a dev clones a volume.

we would just need a way to auto-insert this into the bootstrap dockerfile:

```dockerfile
# Export certs with crip and add them to the certificate store
RUN wget https://github.com/Hakky54/certificate-ripper/releases/download/2.0.1/crip-linux-amd64.tar.gz --no-check-certificate -qO- | tar xvz -C /tmp/
RUN sudo /tmp/crip export pem --url=https://www.google.com --destination /usr/local/share/ca-certificates/
RUN sudo update-ca-certificates
ENV NODE_OPTIONS=--use-openssl-ca
```

resried commented 1 year ago

@OneCyrus Just an idea: can you maybe add this to the "base" image - mcr.microsoft.com/vscode/devcontainers/base:0-alpine-3.14 ? (Change that image and add it to your repo and have your repo answer for it?)

OneCyrus commented 1 year ago

@resried that's not really a viable option as it doesn't scale to a dev org. for an individual dev this might be a workaround, but we need something which is straightforward and just works without fragile hacks.

jeeftor commented 1 year ago

I think the best option would be if there was a place/format to put the certs in your .code directory and the docker images could pick them up... perhaps an optional step in the build process to inject certs if they exist.

sschneider-ihre-pvs commented 11 months ago

just to add a dirty tr

> For me it still works with Version 0.275.1 of the container-images. But there are several paths involved: `C:\Users\AppData\Local\Temp\vsch\bootstrap-image\0.275.1\bootstrap.Dockerfile` `C:\Users.vscode\extensions\ms-vscode-remote.remote-containers-0.275.1\scripts\bootstrap.Dockerfile`
>
> sometimes the inspect-volume is also used, then you have to add it also to those...

A dirty trick could be to add `RUN sed -i 's/https/http/g' /etc/apk/repositories` before the apk step in the dockerfile.

NebraskaCoder commented 11 months ago

> just to add a dirty tr
>
> For me it still works with Version 0.275.1 of the container-images. But there are several paths involved: `C:\Users\AppData\Local\Temp\vsch\bootstrap-image\0.275.1\bootstrap.Dockerfile` `C:\Users.vscode\extensions\ms-vscode-remote.remote-containers-0.275.1\scripts\bootstrap.Dockerfile` sometimes the inspect-volume is also used, then you have to add it also to those...
>
> A dirty trick could be to add `RUN sed -i 's/https/http/g' /etc/apk/repositories` before the apk step in the dockerfile.

Then the following npm command will fail.

sschneider-ihre-pvs commented 11 months ago

> just to add a dirty tr
>
> For me it still works with Version 0.275.1 of the container-images. But there are several paths involved: `C:\Users\AppData\Local\Temp\vsch\bootstrap-image\0.275.1\bootstrap.Dockerfile` `C:\Users.vscode\extensions\ms-vscode-remote.remote-containers-0.275.1\scripts\bootstrap.Dockerfile` sometimes the inspect-volume is also used, then you have to add it also to those...
>
> A dirty trick could be to add `RUN sed -i 's/https/http/g' /etc/apk/repositories` before the apk step in the dockerfile.
>
> Then the following npm command will fail.

ok then, maybe remove it; the npm command is for installing node-gyp, and npm might work with the usual env variables, but the Python part will not.