DevContainer: Error while installing extensions: self-signed certificate in certificate chain

[OneCyrus]

• VSCode Version: 1.89.1
• Local OS Version: Windows 10
• Remote OS Version: Ubuntu 22.04
• Remote Extension/Connection Type: Container

• Logs:

  2024-06-04 06:58:52.957 [info] Installing extensions...
  2024-06-04 06:58:52.957 [info] Extension host agent started.
  2024-06-04 06:58:52.993 [info] Started initializing default profile extensions in extensions installation folder. file:///home/vscode/.vscode-server/extensions
  2024-06-04 06:58:53.092 [debug] ComputeTargetPlatform: linux-x64
  2024-06-04 06:58:53.106 [info] Completed initializing default profile extensions in extensions installation folder. file:///home/vscode/.vscode-server/extensions
  2024-06-04 06:58:53.138 [debug] ComputeTargetPlatform: linux-x64
  2024-06-04 06:58:53.200 [error] Error while installing extensions: self-signed certificate in certificate chain
  2024-06-04 06:58:53.203 [error] Failed: self-signed certificate in certificate chain
  at N.B (/vscode/vscode-server/bin/linux-x64/dc96b837cf6bb4af9cd736aa3af08cf8279f7685/out/vs/server/node/server.main.js:173:107527)
  at process.processTicksAndRejections (node:internal/process/task_queues:95:5)
  at async N.z (/vscode/vscode-server/bin/linux-x64/dc96b837cf6bb4af9cd736aa3af08cf8279f7685/out/vs/server/node/server.main.js:173:104368)
  at async N.getExtensions (/vscode/vscode-server/bin/linux-x64/dc96b837cf6bb4af9cd736aa3af08cf8279f7685/out/vs/server/node/server.main.js:173:101118)
  at async u.j (/vscode/vscode-server/bin/linux-x64/dc96b837cf6bb4af9cd736aa3af08cf8279f7685/out/vs/server/node/server.main.js:146:1372)
  at async u.g (/vscode/vscode-server/bin/linux-x64/dc96b837cf6bb4af9cd736aa3af08cf8279f7685/out/vs/server/node/server.main.js:145:10100)
  at async u.installExtensions (/vscode/vscode-server/bin/linux-x64/dc96b837cf6bb4af9cd736aa3af08cf8279f7685/out/vs/server/node/server.main.js:145:8716)
  2024-06-04 06:58:53.211 [debug] No uninstalled extensions found.
  2024-06-04 06:58:53.274 [info] [127.0.0.1][37559c60][ManagementConnection] New connection established.
  2024-06-04 06:58:53.339 [info] Log level changed to info
  2024-06-04 06:58:54.165 [info] [127.0.0.1][fac701d0][ExtensionHostConnection] New connection established.
  2024-06-04 06:58:54.185 [info] [127.0.0.1][fac701d0][ExtensionHostConnection] <627> Launched Extension Host Process.

Steps to Reproduce:

1. Use a devcontainer behind TLS inspection and have extension in the devcontainer.json defined
2. in the devcontainer dockerfile we are adding the certificates to the store and run

RUN sudo update-ca-certificates
ENV NODE_OPTIONS=--use-openssl-ca
ENV CURL_CA_BUNDLE=/etc/ssl/certs/ca-certificates.crt
ENV REQUESTS_CA_BUNDLE=/etc/ssl/certs/ca-certificates.crt
ENV NPM_CONFIG_CAFILE=/etc/ssl/certs/ca-certificates.crt 
ENV NODE_TLS_REJECT_UNAUTHORIZED=0

node.js itself has no problem in the devcontainer. so it looks like the extension host doesn't respect those certificates.

Does this issue occur when you try this locally?: N/A Does this issue occur when you try this locally and all extensions are disabled?: N/A

[OneCyrus]

also tested with the chrmarti.network-proxy-test extension

Note: Make sure to replace all sensitive information with dummy values before sharing this output.

VS Code 1.89.1 (dc96b837cf6bb4af9cd736aa3af08cf8279f7685)
Network Proxy Test 0.0.11
linux 5.15.146.1-microsoft-standard-WSL2 x64

Settings:
- http.proxy: 
- http.proxyAuthorization: null
- http.proxyStrictSSL: true
- http.proxySupport: override
- http.systemCertificates: true

Environment variables:

Sending GET request to https://example.com...
vscode-proxy-agent: DIRECT
Received response:
- Status: 200 OK
Certificate chain:
- Subject: undefined
  Validity: undefined - undefined
  Fingerprint: undefined
Received error: Cannot read properties of undefined (reading 'CN')
Retrying while ignoring certificate issues to collect information on the certificate chain.

Sending GET request to https://example.com (allowing unauthorized)...
vscode-proxy-agent: DIRECT
Received response:
- Status: 200 OK
Certificate chain:
- Subject: www.example.org (Internet Corporation for Assigned Names and Numbers)
  Subject alt: DNS:www.example.org, DNS:example.net, DNS:example.edu, DNS:example.com, DNS:example.org, DNS:www.example.com, DNS:www.example.edu, DNS:www.example.net
  Validity: Jan 30 00:00:00 2024 GMT - Mar  1 23:59:59 2025 GMT
  Fingerprint: 2F:******
- Subject: MY TLS Proxy
  Validity: Jan 15 15:31:29 2021 GMT - Jan 15 15:41:29 2031 GMT
  Fingerprint: 32:******
- Subject: MY-CA02
  Validity: Oct 11 06:15:13 2018 GMT - Oct 11 06:25:11 2038 GMT
  Fingerprint: B3:*****
  Self-signed
Local root certificates:
- Subject: CN=Root-CA02 (OS)
  Validity: Oct 11 06:15:13 2018 GMT - Oct 11 06:25:11 2038 GMT
  Fingerprint: B3:****
  Issuer: CN=MY-CA02

[chrmarti]

Have you tried setting NODE_EXTRA_CA_CERTS=/etc/ssl/certs/ca-certificates.crt?

[VSCodeTriageBot]

This issue has been closed automatically because it needs more information and has not had recent activity. See also our issue reporting guidelines.

Happy Coding!