search

microsoft / vscode-remote-release

Visual Studio Code Remote Development: Open any folder in WSL, in a Docker container, or on a remote machine using SSH and take advantage of VS Code's full feature set.
https://aka.ms/vscode-remote
Other
3.67k stars 291 forks source link

Remote extension installation ignores proxy settings #986

Open Rhahkeem opened 5 years ago

Rhahkeem commented 5 years ago

We have written the needed data into your clipboard because it was too large to send. Please paste.

Issue Type: Bug

I'm behind a company proxy so I usually need to add these settings when installing something for VScode. When trying to install an extension in my container by using the .devcontainer.json file 

{
    "dockerFile": "Dockerfile",
    "extensions": [
        "ms-vscode.cpptools"
    ],
    "runArgs": [
        "--cap-add=SYS_PTRACE",
        "--security-opt",
        "seccomp=unconfined"
    ],
    "settings": {
        "http.proxyStrictSSL": false,
        "http.proxy": "http://myproxy.com:81"
    }
}

Fails to actually use these settings or my own vscode settings to install through the proxy. From what I can tell these settings only apply within the container to install anything supplementary used by the extension (ie C++ needs to install 4 extra things). Weirdly if I try to install via the UI it works with no issue. I think the codepath to install extensions within the container isn't respecting any proxy settings set in VSCode itself. From the trace it also looks like it tries to install the extension via an IP Address instead of a url which is also explicitly blocked on our end.

When adding exports to my container 

ENV http_proxy=http://myproxy.com:81 \
       https_proxy=http://myproxy.com:81

I get an error self signed certificate in certificate chain :-(

Extension version: 0.66.0 VS Code version: Code 1.36.1 (2213894ea0415ee8c85c5eea0d0ff81ecc191529, 2019-07-08T22:56:38.504Z) OS version: Darwin x64 18.6.0 Remote OS version: Linux x64 4.9.125-linuxkit

System Info |Item|Value| |---|---| |CPUs|Intel(R) Core(TM) i7-4870HQ CPU @ 2.50GHz (8 x 2500)| |GPU Status|2d_canvas: enabled
flash_3d: enabled
flash_stage3d: enabled
flash_stage3d_baseline: enabled
gpu_compositing: enabled
multiple_raster_threads: enabled_on
native_gpu_memory_buffers: enabled
oop_rasterization: disabled_off
protected_video_decode: unavailable_off
rasterization: enabled
skia_deferred_display_list: disabled_off
skia_renderer: disabled_off
surface_synchronization: enabled_on
video_decode: enabled
viz_display_compositor: disabled_off
webgl: enabled
webgl2: enabled| |Load (avg)|4, 3, 4| |Memory (System)|16.00GB (0.02GB free)| |Process Argv|-psn_0_2970325| |Screen Reader|no| |VM|33%| |Item|Value| |---|---| |Remote|Dev Container| |OS|Linux x64 4.9.125-linuxkit| |CPUs|Intel(R) Core(TM) i7-4870HQ CPU @ 2.50GHz (4 x 2492)| |Memory (System)|5.82GB (1.84GB free)| |VM|0%|
bsoudan commented 5 years ago

Having the same issue, behind a MITM SSL proxy. Extra certificates are in fact installed in the container, and if I use a shell from inside the container, I can wget/curl https:// URLs just fine.

587 is the exact problem I am seeing, but it was closed for some reason.

d-little commented 5 years ago

Similar boat, container builds successfully and then hangs on TLSSocket errors when attempting to 'Install VS Code Server'

Run: docker exec <hash1> /bin/sh -c set -o noclobber ; mkdir -p '/root/.vscode-server/data/Machine' && { > '/root/.vscode-server/data/Machine/.copyGitConfigMarker' ; } 2> /dev/null
Run: docker exec <hash1> test -e /root/.gitconfig
Run: docker cp C:\Users\user\.gitconfig <hash1>:/root/.gitconfig --follow-link
Run: docker exec -w /root -u root <hash1> chown root:0 /root/.gitconfig
Run: docker exec <hash1> test -d /root/.vscode-server/bin/2213894ea0415ee8c85c5eea0d0ff81ecc191529
Installing VS Code Server for commit 2213894ea0415ee8c85c5eea0d0ff81ecc191529
Run: docker exec <hash1> mkdir -p /root/.vscode-server/bin/2213894ea0415ee8c85c5eea0d0ff81ecc191529_1563393277475
Error: unable to get local issuer certificate
        at TLSSocket.onConnectSecure (_tls_wrap.js:1049:34)
        at TLSSocket.emit (events.js:182:13)
        at TLSSocket._finishInit (_tls_wrap.js:631:8)
jabbera commented 5 years ago

This isn't happening from in the container. VSCode is trying to download this file to your host, then copy it to the container. Setting: NODE_TLS_REJECT_UNAUTHORIZED=0 sorts it, but is horribly insecure.

Rhahkeem commented 5 years ago

This isn't happening from in the container.

Probably not. But the fact I can't install using the .devcontainer.json but can do it via the UI shows there's definitely 2 different code paths being taken.

Without setting the proxies in the container I just get

connect ECONNREFUSED 13.107.42.18:443

Rhahkeem commented 5 years ago

Was able to also reproduce this error when running on Windows.

midacts commented 5 years ago

I'm getting this error as well.

Extension version: 0.66.0 VS Code version: Code 1.36.1

sandy081 commented 5 years ago

Weirdly if I try to install via the UI it works with no issue.

Looks like the container spinning up is not updating the settings before installing extensions.

jabbera commented 5 years ago

The issue is vscode does not respect the windows certificate store, it uses the node built in one and it doesn't support NODE_EXTRA_CA_CERTS:

https://github.com/electron/electron/issues/10257#issuecomment-346310333

If you set: NODE_TLS_REJECT_UNAUTHORIZED=0 it will download, but now I've just invalidated all of node TLS security./

Rhahkeem commented 5 years ago

Yupp @jabbera. Found that to be the case as well. On MacOS I just had to set the ENV NODE_EXTRA_CA_CERTS=/path/to/certs in my Dockerfile. On Windows I had to set NODE_TLS_REJECT_UNAUTHORIZED to 0. 👎

EricHripko commented 5 years ago

Just to clarify: On Windows you need both NODE_EXTRA_CA_CERTS inside the container and NODE_TLS_REJECT_UNAUTHORIZED natively on Windows in order for Remote Container to boot up and install extensions successfully.

midacts commented 5 years ago

I might have done something wrong but I tried your steps with no avail.

On my Windows laptop i set this env variable as a system env variable NODE_TLS_REJECT_UNAUTHORIZED = 0

PowerShell example: [Environment]::SetEnvironmentVariable("NODE_TLS_REJECT_UNAUTHORIZED", "0", "Machine")

On the ubuntu container: apt-get update && apt-get install ca-certificates export NODE_EXTRA_CA_CERTS=/etc/ssl/certs/ca-certificates.crt

sharpninja commented 5 years ago

I can confirm that export NODE_EXTRA_CA_CERTS=/etc/ssl/certs/ca-certificats.crt in my .bashrc file works to fix this problem.

chrmarti commented 5 years ago

@sandy081 The main issue here is that the CLI used to install the extensions listed in the devcontainer.json does not support proxies and custom certificates the same way we do for extensions or the UI. We could look into reusing the implementation we have for the extension host.

@Rhahkeem Which cases start working by setting NODE_EXTRA_CA_CERTS / NODE_TLS_REJECT_UNAUTHORIZED? The UI?

jabbera commented 5 years ago

We have a MITM firewall, not a proxy, and everything works fine if I set NODE_TLS_REJECT_UNAUTHORIZED=0 on my host and copy my certs to the container and set: NODE_EXTRA_CA_CERTS in the container and run update-ca-certificates. (Windows 10 host, Debian Linux image).

I’d be happy if the NODE_EXTRA_CA_CERTS worked on the host instead of having to straight up disable TLS auth.

chrmarti commented 5 years ago

Loading certificates from the OS was broken on Windows (https://github.com/microsoft/vscode/issues/79044). That is fixed in the latest Insiders build.

What remains is the missing support for loading certificates from the OS in the CLI that installs the extensions listed in the devcontainer.json.

midacts commented 5 years ago

I am no longer getting the certificate error i had been getting once I upgraded to vscode 1.37.1

jlynchMicron commented 4 years ago

Hello @chrmarti , is this still being worked on by chance? I get issues installing various aspects of extensions on my remote machine behind a proxy such as:

Could not retrieve data from Experimentation service: Error: read ECONNRESET Acquiring model 'intellisense-members' for python Querying IntelliCode service for available models. Couldn't reach service Error Message: unable to get local issuer certificate, (Error) Could not reach the IntelliCode service. Checking the local model cache. None of the cached models match. Couldn't download IntelliCode model. Please check your network connectivity or firewall settings. Error Message: unable to get local issuer certificate, (Error) No model available for Python, cannot continue.

I have tried just about everything to get this working but with no luck. I have set .wgetrc with the proxy information, I have included my proxy information in my .bashrc file, I have included my proxy information in vscode and turned off Proxy Strict SSL on both my client machine and host machine. Do you know if work on this issue ticket will resolve these sort of issues? If not, any advise? Thanks!

Client machine: Windows 10 Host machine (RemoteSSH): CentOS 7

chrmarti commented 4 years ago

@jlynchMicron It's on our shortlist. Unfortunately other tasks are taking precedence at the moment.

jasonwilliams commented 4 years ago

@chrmarti has there been any change in the priority of this issue?

calcazar commented 3 years ago

I'm getting the following:

Extension host agent listening on 41867

[01:40:44] Extension host agent started.
Installing extensions...
[01:40:44] Error: unable to get local issuer certificate
    at TLSSocket.onConnectSecure (_tls_wrap.js:1321:34)
    at TLSSocket.emit (events.js:223:5)
    at TLSSocket._finishInit (_tls_wrap.js:794:8)
    at TLSWrap.ssl.onhandshakedone (_tls_wrap.js:608:12) {
  code: 'UNABLE_TO_GET_ISSUER_CERT_LOCALLY'

when running the below in a docker container. The below is what VS code is automatically when starting up the development container

/root/.vscode-server/bin/ea3859d4ba2f3e577a159bc91e3074c5d85c0523/server.sh --force-disable-user-env --use-host-proxy --port 0 --extensions-download-dir /root/.vscode-server/extensionsCache --install-extension esbenp.prettier-vscode --start-server
agucova commented 3 years ago

I'm getting the exact same error under a normal connection (no proxy, no anything). I tried setting NODE_TLS_REJECT_UNAUTHORIZED in the host, setting up NODE_EXTRA_CA_CERTS on the Ubuntu container and updating the CA certificates with no avail.

Downloading VS Code Server
Error: unable to get local issuer certificate
        at TLSSocket.onConnectSecure (_tls_wrap.js:1321:34)
        at TLSSocket.emit (events.js:223:5)
        at TLSSocket._finishInit (_tls_wrap.js:794:8)
        at TLSWrap.ssl.onhandshakedone (_tls_wrap.js:608:12)

Remote Containers v0.154.1 and VSCode 1.52.1 under Ubuntu Desktop 20.10.

abid-mujtaba commented 3 years ago

Seeing the same in VS Code 1.55.0 behind a corporate proxy:

Error: connect ECONNREFUSED 13.107.42.18:443
    at TCPConnectWrap.afterConnect [as oncomplete] (net.js:1141:16) {
  errno: 'ECONNREFUSED',
  code: 'ECONNREFUSED',
  syscall: 'connect',
  address: '13.107.42.18',
  port: 443
}

Works via the UI.

chrmarti commented 3 years ago

@abid-mujtaba That is a different issue. Please check if VS Code 1.55.1 fixes it and file a new issue if it doesn't: https://github.com/microsoft/vscode/issues

abid-mujtaba commented 3 years ago

Thanks @chrmarti. Can confirm that updating to 1.55.1 fixed my issue.

lavaude commented 3 years ago

Not sure if this is related, the message received on our side is a tiny bit different:

Start: Downloading VS code server
Error: certificate signature failure
    at TLSSocket.onConnectSecure (_tls_wrap.js:1501:34)
    ...

Same error whether we connect to WSL2 or a running docker container. We are behind corporate proxy with authentication, as well as our own extra certificates.

chrmarti commented 3 years ago

@lavaude Could you open a new issue? This looks like a different problem. Thanks.

lucaspeixotot commented 3 years ago

I'm getting the exact same error under a normal connection (no proxy, no anything). I tried setting NODE_TLS_REJECT_UNAUTHORIZED in the host, setting up NODE_EXTRA_CA_CERTS on the Ubuntu container and updating the CA certificates with no avail.

Downloading VS Code Server
Error: unable to get local issuer certificate
        at TLSSocket.onConnectSecure (_tls_wrap.js:1321:34)
        at TLSSocket.emit (events.js:223:5)
        at TLSSocket._finishInit (_tls_wrap.js:794:8)
        at TLSWrap.ssl.onhandshakedone (_tls_wrap.js:608:12)

Remote Containers v0.154.1 and VSCode 1.52.1 under Ubuntu Desktop 20.10.

The same error here, someone knows how to fix it? I tried setting the env variables but it didn't work. My error is when I'm using remote-ssh to a remote development, from windows to Linux. My corporation uses the ZScaler.

EricHripko commented 3 years ago

My issue got about Remote - SSH (https://github.com/microsoft/vscode-remote-release/issues/5727) got merged into this one. I can see that folks here have found workarounds for container workflows, does anyone have any suggestions for Remote - SSH ones?

EricHripko commented 3 years ago

In terms of Remote - SSH workflow, something must've changed in 1.62.0 version of VS Code. It now appears to correctly follow http.proxy* settings in Remote Settings.

Austindgk232 commented 1 year ago

7972 #7958

rijulg commented 1 year ago

What finally resolved the issue for me was setting Http: Proxy Support http.proxySupport to on image