microsoft / vscode

Visual Studio Code
https://code.visualstudio.com
MIT License

System Certificates: Support trusted intermediate CAs #177139

Open AdmiralrRicha opened 1 year ago

AdmiralrRicha commented 1 year ago

Type: Bug

  1. Log into a company account in Windows
  2. Click Account icon, choose "Sign in to sync settings"
  3. In the pop-up window, choose the account you already logged in
  4. It says "You are signed in now and can close this page."
  5. Nothing changed, you are still not logged in.

VS Code version: Code 1.76.1 (5e805b79fcb6ba4c2d23712967df89a089da575b, 2023-03-08T16:32:00.131Z)
OS version: Windows_NT x64 10.0.19044
Modes: Sandboxed: No

System Info

| Item | Value |
|---|---|
| CPUs | Intel(R) Core(TM) i9-10885H CPU @ 2.40GHz (16 x 2400) |
| GPU Status | 2d_canvas: enabled; canvas_oop_rasterization: disabled_off; direct_rendering_display_compositor: disabled_off_ok; gpu_compositing: enabled; multiple_raster_threads: enabled_on; opengl: enabled_on; rasterization: enabled; raw_draw: disabled_off_ok; skia_renderer: enabled_on; video_decode: enabled; video_encode: enabled; vulkan: disabled_off; webgl: enabled; webgl2: enabled; webgpu: disabled_off |
| Load (avg) | undefined |
| Memory (System) | 31.75GB (17.62GB free) |
| Process Argv | --crash-reporter-id ccb873f8-d593-4eb5-bc2f-906204f79c83 |
| Screen Reader | no |
| VM | 0% |

Extensions (8)

| Extension | Author (truncated) | Version |
|---|---|---|
| monokai-charcoal-high-contrast | 74t | 3.4.0 |
| jsonviewer | cci | 1.3.2 |
| format-json | Cle | 1.0.3 |
| terraform | has | 2.25.4 |
| prettify-json | moh | 0.0.3 |
| vscode-docker | ms- | 1.24.0 |
| remote-containers | ms- | 0.282.0 |
| color-highlight | nau | 2.5.0 |

(7 theme extensions excluded)
8ueye8 commented 1 year ago

I have the same issue, also on a company account. I see this error in the logs: [screenshot]

TylerLeonhardt commented 1 year ago

Do either of you have a corporate proxy in effect on your machine? @AdmiralrRicha do you have the same error in the Microsoft Authentication Output?

AdmiralrRicha commented 1 year ago

I'm not sure, how shall I verify with the Microsoft Authentication output? I do have a corporate proxy/VPN and that comes along with the AD account. But the problem is, I was able to log in initially right after VS Code got installed, but when I tried to sign off and sign in again, this issue happened.

@8ueye8 I do see the same error message pop up. ('Network failure'.)

8ueye8 commented 1 year ago

No VPN's that I know of were active at the time. There may be a corporate proxy in the background but that shouldn't be an issue since I was able to login before on my previous laptop. The issue only started when I was issued a new laptop and tried to login and sync my settings.

AdmiralrRicha commented 1 year ago

> No VPN's that I know of were active at the time. There may be a corporate proxy in the background but that shouldn't be an issue since I was able to login before on my previous laptop. The issue only started when I was issued a new laptop and tried to login and sync my settings.

In my case I logged in successfully and actually automatically when I first installed VS Code on my machine. It only happens when I log out and try to log back in.

WyjCC commented 1 year ago

> I have the same issue, also on a company account. I see this error in the logs: [screenshot]

I have the same issue too. On my company PC I can sign in successfully with Microsoft AD; but on my own PC I can't sign in.

8ueye8 commented 1 year ago

I've resolved this issue by reimaging my PC with Windows 10, signing in and then upgrading to Windows 11. I know it's not the best solution but hopefully it helps diagnose the issue.

When I previously encountered the issue, I had just reset the laptop from within Windows 11 and tried to sign in once the reset was done.

Maybe it's a Win10 vs Win11 issue?

AdmiralrRicha commented 1 year ago

I can't reimage my system as I'm running a corporate system, rebuild will lose everything. It acquired the login successfully in the initial try, but failed in the following attempts. If it succeeded once, it should have no permission issue. When it failed in the second attempt, maybe it was looking at the wrong plate? I mean for the authorization process.

TylerLeonhardt commented 1 year ago

Do you have any proxy-related settings set in VS Code? Do you have a system environment variable like HTTP_PROXY set?

chrmarti commented 1 year ago

> I have the same issue, also on a company account. I see this error in the logs: [screenshot]

@8ueye8 "certificate has expired" suggests that you have an old certificate in the root certificates registered with your OS (or it is part of the built-in certificates in Electron). Could you try opening https://login.microsoftonline.com/ with the Edge browser (to see if it connects, this might also update the root certificate in the OS, not sure if other browsers would do that) and then retry?

WyjCC commented 1 year ago

> HTTP_PROXY

I tried it, but it doesn't work...

  1. I set Edge as the default web browser;
  2. opened https://login.microsoftonline.com/ with Edge;
  3. opened VS Code and signed in with Microsoft AD successfully in Edge;
  4. went back to VS Code and got the same error.

Maybe because I sign in with Win 11? My own PC is Win 10, my company PC is Win 11 and there I can sign in successfully.

8ueye8 commented 1 year ago

> I have the same issue, also on a company account. I see this error in the logs: [screenshot]

> @8ueye8 "certificate has expired" suggests that you have an old certificate in the root certificates registered with your OS (or it is part of the built-in certificates in Electron). Could you try opening https://login.microsoftonline.com/ with the Edge browser (to see if it connects, this might also update the root certificate in the OS, not sure if other browsers would do that) and then retry?

As I mentioned earlier, I resolved my issue when I reimaged my device. https://login.microsoftonline.com/ worked for me in Edge when I had the issue.

TylerLeonhardt commented 1 year ago

Some other proxy related ideas: https://github.com/microsoft/vscode/issues/160649#issuecomment-1489176027

MH-ABE commented 1 year ago

I have tried https://github.com/microsoft/vscode/issues/160649#issuecomment-1489176027 and checked my environment variables, with nothing there. Still cannot log in to GitHub, but my MS account works fine.

TylerLeonhardt commented 1 year ago

@MH-ABE would you mind trying out @chrmarti's proxy debugging extension: https://github.com/microsoft/vscode-remote-release/issues/8248#issuecomment-1494127068

and let me know how it goes

MH-ABE commented 1 year ago

Certainly @TylerLeonhardt, here is the output:

Settings: (Let me know if I need to test other settings)
- http.proxy: 
- http.proxyAuthorization: null
- http.proxyStrictSSL: true
- http.proxySupport: off
  - globalValue: off
- http.systemCertificates: true

Environment variables: (none)

```
Sending GET request to https://containers.dev/static/devcontainer-index.json...
vscode-proxy-agent: DIRECT
Received error: unable to get local issuer certificate

Sending GET request to https://containers.dev/static/devcontainer-index.json (allowing unauthorized)...
vscode-proxy-agent: DIRECT
Received response code: 200
Certificate chain:
- Subject: containers.dev
  Subject alt: DNS:containers.dev, DNS:www.containers.dev
  Validity: Mar 22 19:22:30 2023 GMT - Jun 20 19:22:29 2023 GMT
  Fingerprint: 28:F2:4F:7A:Bxxxxxxxxxxxxxxxxxxx
- Subject: gk-de-hub
  Subject alt: DNS:gk-de-hub
  Validity: Jun 25 11:52:11 2021 GMT - Nov 29 00:41:25 2025 GMT
  Fingerprint: 63:47:BF:FC:CD:xxxxxxxxxxxxxxxxxxxxxxxxxxx
  Issuer certificate not found: mhsca
```

(mhsca looks like the company CA)

chrmarti commented 1 year ago

@MH-ABE This looks like we don't pick up your company's CA from the OS. Which OS are you on? Could you check if and where the company's CA is registered in the OS?

MH-ABE commented 1 year ago

@chrmarti I'm on Windows_NT x64 10.0.19044 and we use Edge. I can see the company root cert in certmgr.msc, and mhsca is an intermediate CA. Hope that answers your question, otherwise let me know where to look. Thanks

chrmarti commented 1 year ago

@MH-ABE Could you update the Network Proxy Test extension to the latest version (0.0.3) and run F1 > Network Proxy Test: Show OS Certificates to see if that certificate is loaded from the OS?

MH-ABE commented 1 year ago

@chrmarti Sure:

- mhrca: found
- mhsca: not found
- gk-de-hub: not found

Probably best to send the full list privately?

Can't find most of these intermediate CAs in the test output: [screenshot]

chrmarti commented 1 year ago

Make sure you have the last one in the chain mhsca in the Trusted Root Certification Authorities ("Betrodda rotcertifikatutfärdare" I guess).

MH-ABE commented 1 year ago

I cannot move them, access denied. I don't think IT want people messing with the certs ;) Any other way I can get them to the right place?

chrmarti commented 1 year ago

Can you export them (context menu on the cert > All Tasks > Export...) and then import (context menu on Trusted Root Certification Authorities > All Tasks > Import...) them?

chrmarti commented 1 year ago

@MH-ABE Looking at it again, I would expect mhrca to also be in the Trusted Root Certification Authorities (I think the browser would otherwise complain). Could you check again?

The certificate chain you posted in https://github.com/microsoft/vscode/issues/177139#issuecomment-1495439725 suggests that the (transparent?) proxy you are connecting through did not send the full certificate chain. Browsers seem to handle this more gracefully than Node.js. Could you check with your IT if this is true and if they could change that to be the full certificate chain?

MH-ABE commented 1 year ago

@chrmarti mhrca is in the TRCA folder, and it is picked up by your test plugin. Seems to be doubled up since it's in the intermediate folder too.

Export worked fine, but it seems that the root folder is write protected so the import failed. I did manage this eventually: I had been using certlm.msc, now I tried certmgr.msc, but I also only moved the specific intermediate-only certs and not all of the company ones in the intermediate folder. Don't know what solved it, but in any case I cannot overwrite existing certs but am able to add new ones to the root folder. So when trying to log in to GitHub in VS Code now with the intermediate certs also in the root folder, it works!

I don't know a lot about CAs, but this intermediate cert folder seems like a standard use, right? Would it be possible for VSCode to also import this folder? Unless of course it is only my company doing it this way.

Thanks for your assistance!

TL;DR: If you can't log in due to CAs, move the relevant intermediate certs to the root folder using certmgr.msc.

chrmarti commented 1 year ago

The discussion at https://security.stackexchange.com/a/72085 makes me think that it would be best for your proxy to return the complete certificate chain (the root certificate may be omitted from what I understand).

We could improve our client implementation by also using the trusted intermediate CAs from the Windows credential store, but going by https://learn.microsoft.com/en-us/answers/questions/882257/revoked-certificate-shows-as-valid-in-the-certific, we would have to use certutil to make sure revocations are applied.