microsoft / vscode

Visual Studio Code
https://code.visualstudio.com
MIT License
160.27k stars 28.09k forks

Sign-in with GitHub, etc - CERT_SIGNATURE_FAILURE error with transparent SSL proxy #207636

Closed Nu11u5 closed 3 weeks ago

Nu11u5 commented 3 months ago

Version: 1.87.2 (system setup)
Commit: 863d2581ecda6849923a2118d93a088b0745d9d6
Date: 2024-03-08T15:20:17.278Z
Electron: 27.3.2
ElectronBuildId: 26836302
Chromium: 118.0.5993.159
Node.js: 18.17.1
V8: 11.8.172.18-electron.0
OS: Windows_NT x64 10.0.22631

Our workstations use the Zscaler App to provide a transparent SSL proxy on the system. The Zscaler SSL inspection CA certificate is trusted in the Windows root CA store and works in other applications.

In VS Code, I am unable to sign in to GitHub for sync and other features, and get the CERT_SIGNATURE_FAILURE error.

2024-03-13 15:39:51.715 [info] Reading sessions from keychain...
2024-03-13 15:39:51.715 [info] Getting sessions for all scopes...
2024-03-13 15:39:51.715 [info] Getting sessions for all scopes...
2024-03-13 15:39:51.716 [info] Got 0 sessions for ...
2024-03-13 15:39:51.716 [info] Got 0 sessions for ...
2024-03-13 15:39:51.716 [info] Getting sessions for all scopes...
2024-03-13 15:39:51.716 [info] Got 0 sessions for ...
2024-03-13 15:39:51.717 [info] Getting sessions for user:email...
2024-03-13 15:39:51.717 [info] Got 0 sessions for user:email...
2024-03-13 15:39:51.718 [info] Getting sessions for all scopes...
2024-03-13 15:39:51.718 [info] Got 0 sessions for ...
2024-03-13 15:39:53.325 [info] Logging in for the following scopes: user:email
2024-03-13 15:39:53.330 [info] Trying without local server... (user:email)
2024-03-13 15:39:55.228 [info] Exchanging code for token...
2024-03-13 15:39:55.537 [error] request to https://github.com/login/oauth/access_token failed, reason: certificate signature failure
2024-03-13 15:39:56.954 [info] Trying with local server... (user:email)
2024-03-13 15:40:05.586 [info] Exchanging code for token...
2024-03-13 15:40:05.679 [error] request to https://github.com/login/oauth/access_token failed, reason: certificate signature failure
2024-03-13 15:40:08.061 [info] Trying device code flow... (user:email)
2024-03-13 15:40:08.179 [error] request to https://github.com/login/device/code?client_id=01ab8ac9400c4e429b23&scope=user:email failed, reason: certificate signature failure
2024-03-13 15:40:08.181 [error] Error: No auth flow succeeded.
    at a.GitHubServer.login (c:\Program Files\Microsoft VS Code\resources\app\extensions\github-authentication\dist\extension.js:2:262306)
    at process.processTicksAndRejections (node:internal/process/task_queues:95:5)
    at async a.GitHubAuthenticationProvider.createSession (c:\Program Files\Microsoft VS Code\resources\app\extensions\github-authentication\dist\extension.js:2:258135)

If I run the Network Proxy Test extension, it shows that http.proxyStrictSSL=false, http.proxy is unset, and http.systemCertificates=true. Also, the Zscaler proxy certificate fingerprint matches the CA certificate imported from the system.

VS Code 1.87.2 (863d2581ecda6849923a2118d93a088b0745d9d6)
Network Proxy Test 0.0.11
win32 10.0.22631 x64

Settings:
- http.proxy: 
- http.proxyAuthorization: null
- http.proxyStrictSSL: false
  - globalValue: false
- http.proxySupport: override
- http.systemCertificates: true

Environment variables:

Sending GET request to https://example.com...
vscode-proxy-agent: DIRECT
Received error: certificate signature failure (CERT_SIGNATURE_FAILURE)
Retrying while ignoring certificate issues to collect information on the certificate chain.

Sending GET request to https://example.com (allowing unauthorized)...
vscode-proxy-agent: DIRECT
Received response:
- Status: 200 OK
Certificate chain:
- Subject: www.example.org (Internet Corporation for Assigned Names and Numbers)
  Subject alt: DNS:www.example.org, DNS:example.net, DNS:example.edu, DNS:example.com, DNS:example.org, DNS:www.example.com, DNS:www.example.edu, DNS:www.example.net
  Validity: Mar  9 03:03:51 2024 GMT - Mar 23 03:03:51 2024 GMT
  Fingerprint: E9:49:D4:91:B6:1F:D5:B0:2E:2C:2E:8D:1C:27:20:26:EE:8B:3C:0E
- Subject: Zscaler Intermediate Root CA (zscaler.net) (t)  (Zscaler Inc.)
  Validity: Mar  9 03:03:51 2024 GMT - Mar 23 03:03:51 2024 GMT
  Fingerprint: EA:91:D1:AB:10:A1:19:76:D5:6A:C7:21:C7:3F:0C:6F:AF:23:24:7D
- Subject: Zscaler Intermediate Root CA (zscaler.net) (Zscaler Inc.)
  Validity: Jun  5 05:33:02 2020 GMT - Jun 23 05:33:02 2041 GMT
  Fingerprint: 57:2E:E0:DF:6A:FF:9A:0A:B8:DB:5F:C1:77:DB:E3:11:CE:9B:D2:48
- Subject: Zscaler Root CA (Zscaler Inc.)
  Validity: Jun 24 15:44:19 2013 GMT - Nov  9 15:44:19 2040 GMT
  Fingerprint: 9F:B5:0B:46:C7:31:28:6B:17:96:F0:AA:6C:2C:AE:82:69:C8:CC:D2          <---- Matches
  Self-signed
Local root certificates:
- Subject: C=US ST=California L=San Jose O=Zscaler Inc. OU=Zscaler Inc. CN=Zscaler Root CA emailAddress=support@zscaler.com (OS)
  Validity: Jun 24 15:44:19 2013 GMT - Nov  9 15:44:19 2040 GMT
  Fingerprint: 9F:B5:0B:46:C7:31:28:6B:17:96:F0:AA:6C:2C:AE:82:69:C8:CC:D2          <---- Matches
  Issuer: C=US ST=California L=San Jose O=Zscaler Inc. OU=Zscaler Inc. CN=Zscaler Root CA emailAddress=support@zscaler.com

I've also set the NODE_EXTRA_CA_CERTS environment variable to point to a PEM certificate bundle that contains the Zscaler CA certificate. This fixed the error with NPM but has had no effect on VSCode.

chrmarti commented 3 months ago

This might be an issue with the certificate or how NodeJS verifies it. Could you try https://stackoverflow.com/a/56082782 and post the output here?

Nu11u5 commented 3 months ago

This might be an issue with the certificate or how NodeJS verifies it. Could you try https://stackoverflow.com/a/56082782 and post the output here?

Here is the result of the openssl s_client -showcerts command using the FireDaemon Windows build of OpenSSL v3.2.1. The certs show the same as what is output by the Network Proxy Test extension, except that it is verifying the certificate successfully.

>openssl s_client -connect github.com:443 -state -nbio -CAfile CAs.pem -showcerts
Connecting to 140.82.121.3
CONNECTED(000001EC)
Turned on non blocking io
SSL_connect:before SSL initialization
SSL_connect:SSLv3/TLS write client hello
SSL_connect:error in SSLv3/TLS write client hello
write R BLOCK
SSL_connect:SSLv3/TLS write client hello
SSL_connect:SSLv3/TLS read server hello
SSL_connect:SSLv3/TLS write change cipher spec
SSL_connect:SSLv3/TLS write client hello
SSL_connect:error in SSLv3/TLS write client hello
read R BLOCK
SSL_connect:SSLv3/TLS write client hello
SSL_connect:SSLv3/TLS read server hello
SSL_connect:TLSv1.3 read encrypted extensions
depth=3 C=US, ST=California, L=San Jose, O=Zscaler Inc., OU=Zscaler Inc., CN=Zscaler Root CA, emailAddress=support@zscaler.com
verify return:1
depth=2 C=US, ST=California, O=Zscaler Inc., OU=Zscaler Inc., CN=Zscaler Intermediate Root CA (zscaler.net), emailAddress=support@zscaler.com
verify return:1
depth=1 C=US, ST=California, O=Zscaler Inc., OU=Zscaler Inc., CN=Zscaler Intermediate Root CA (zscaler.net) (t)
verify return:1
depth=0 CN=github.com
verify return:1
SSL_connect:SSLv3/TLS read server certificate
SSL_connect:TLSv1.3 read server certificate verify
SSL_connect:SSLv3/TLS read finished
SSL_connect:SSLv3/TLS write finished
read R BLOCK
---
Certificate chain
 0 s:CN=github.com
   i:C=US, ST=California, O=Zscaler Inc., OU=Zscaler Inc., CN=Zscaler Intermediate Root CA (zscaler.net) (t)
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Mar  9 03:03:51 2024 GMT; NotAfter: Mar 23 03:03:51 2024 GMT
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
 1 s:C=US, ST=California, O=Zscaler Inc., OU=Zscaler Inc., CN=Zscaler Intermediate Root CA (zscaler.net) (t)
   i:C=US, ST=California, O=Zscaler Inc., OU=Zscaler Inc., CN=Zscaler Intermediate Root CA (zscaler.net), emailAddress=support@zscaler.com
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Mar  9 03:03:51 2024 GMT; NotAfter: Mar 23 03:03:51 2024 GMT
-----BEGIN CERTIFICATE-----
MIIEOTCCAyGgAwIBAgIEZevRlzANBgkqhkiG9w0BAQsFADCBqTELMAkGA1UEBhMC
VVMxEzARBgNVBAgTCkNhbGlmb3JuaWExFTATBgNVBAoTDFpzY2FsZXIgSW5jLjEV
MBMGA1UECxMMWnNjYWxlciBJbmMuMTMwMQYDVQQDEypac2NhbGVyIEludGVybWVk
aWF0ZSBSb290IENBICh6c2NhbGVyLm5ldCkxIjAgBgkqhkiG9w0BCQEWE3N1cHBv
cnRAenNjYWxlci5jb20wHhcNMjQwMzA5MDMwMzUxWhcNMjQwMzIzMDMwMzUxWjCB
ijELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFTATBgNVBAoMDFpz
Y2FsZXIgSW5jLjEVMBMGA1UECwwMWnNjYWxlciBJbmMuMTgwNgYDVQQDDC9ac2Nh
bGVyIEludGVybWVkaWF0ZSBSb290IENBICh6c2NhbGVyLm5ldCkgKHQpIDCCASIw
DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMFigeZBB3XmSnx1YYNDhn6quLTv
RcOzR1LYpEtaxOuca35CNBTFG43zHTy7TUk20SuRkI78ZNXxZZ150LSTkPcDuYq+
PrCdkYyjRCsmkK45xgTY0KP9O/uD22uPF3is+yPsM128uNrkEwRxjRyh2YcPg2uW
84VrX8IFwmDA/cfcdztHY8Yg76an1wwthlysP+JcGerSg3lp+RKIACmUSGfuK+mq
wwdy1oDrVAB2YjSFe/v5SOauFag+IjGaepjdgvqjTWlRQ5ruTEolLpGh1Zf7fTfg
tU0S3yAxTNrj1eUm1JHs+PH7VwjwgMwo1Hnz8eDEEhawFtOGdivVb3xzdn0CAwEA
AaOBhTCBgjAdBgNVHQ4EFgQU2Lxc4nNgigjIxLPGnVF2zu0QFAswDwYDVR0TAQH/
BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAf4wQAYDVR0fBDkwNzA1oDOgMYYvaHR0cDov
L2dhdGV3YXkuenNjYWxlci5uZXQvY3JsL3pzbi1rZWstLTQtMS5jcmwwDQYJKoZI
hvcNAQELBQADggEBAI1yn0aLJQcwpfX1Ot99sQdgaVsfO8ksQoPy4e43Mbd49MI+
q/nsYNST/7LsfUqhFPNBxPy32fU/OeifWLEmMC1fzOalvM7RrYqyb4AsD908ttNh
266r75h6z6/s6wDa+6S9G0EF0AhVeZ57ejxa7sisnZpSa+Xi/a9OG0kKlEMpqZjA
sMcsCRr2BQfQwpe2v1x83Sc9jQy8+j1ZKUT77MeNlbrF3LnveBsA5ziOMid/BAxl
3mGhj+vp5nDzDzJln5xfGPc6JfPxhsa0DynoAm2cytcUeipeY9IhuyMb2umKrGCu
kzwh5tKNFgbyXnXhY/sHb+SJddv+8+AUbtzniAA=
-----END CERTIFICATE-----
 2 s:C=US, ST=California, O=Zscaler Inc., OU=Zscaler Inc., CN=Zscaler Intermediate Root CA (zscaler.net), emailAddress=support@zscaler.com
   i:C=US, ST=California, L=San Jose, O=Zscaler Inc., OU=Zscaler Inc., CN=Zscaler Root CA, emailAddress=support@zscaler.com
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Jun  5 05:33:02 2020 GMT; NotAfter: Jun 23 05:33:02 2041 GMT
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
---
Server certificate
subject=CN=github.com
issuer=C=US, ST=California, O=Zscaler Inc., OU=Zscaler Inc., CN=Zscaler Intermediate Root CA (zscaler.net) (t)
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: ECDH, prime256v1, 256 bits
---
SSL handshake has read 3856 bytes and written 749 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
This TLS version forbids renegotiation.
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---

If I exclude the -CAfile argument then the output includes the line:

Verification error: unable to get local issuer certificate

chrmarti commented 3 months ago

Could you run F1 > Network Proxy Test: Show Built-In Certificates and check if that gives any hints? It looks like Node.js fails while verifying one of the certificates in the certificate chain (unsure if it is the root certificate).

Nu11u5 commented 3 months ago

Could you run F1 > Network Proxy Test: Show Built-In Certificates and check if that gives any hints?

The "Show Built-In Certificates" option does not show the Zscaler CA certificate, but this is expected. It is a private CA certificate used for SSL inspection. However, the certificate does appear with the matching fingerprint when using the "Show OS Certificates".

It looks like Node.js fails while verifying one of the certificates in the certificate chain (unsure if it is the root certificate).

It seems to be an issue with VSCode using the system certificates instead of the built-in certificates when the proxy is transparent and not explicitly set. Likewise, the http.proxyStrictSSL setting has no effect because it seems to only apply when an explicit proxy is set.

Since I am able to bypass the issue using Node.js directly with NPM by setting the NODE_EXTRA_CA_CERTS environment variable, this doesn't seem to be an internal issue with Node.js. However, I'm surprised that NODE_EXTRA_CA_CERTS doesn't apply to VSCode.

VSCodeTriageBot commented 1 month ago

Hey @chrmarti, this issue might need further attention.

@Nu11u5, you can help us out by closing this issue if the problem no longer exists, or adding more information.

VSCodeTriageBot commented 3 weeks ago

This issue has been closed automatically because it needs more information and has not had recent activity. See also our issue reporting guidelines.

Happy Coding!