microsoft / vscode

Visual Studio Code
https://code.visualstudio.com
MIT License

JSON Schema Download - unable to verify the first certificate #91794

Closed jakauppila closed 5 months ago

jakauppila commented 4 years ago

Issue Type: Bug

I am behind a corporate proxy utilizing VSCode with a JSON document that defines a $schema that lives on the internet. VSCode attempts to download it, but gets an error unable to verify the first certificate.

I've tried configuring the following settings but it doesn't appear to be helping with the JSON schema downloading. I have verified that our proxy certificate is in the Windows certificate store.

{
    "http.proxy": "http://MYPROXY:3128",
    "http.proxyStrictSSL": false,
    "http.systemCertificates": true
}

Here's the JSON document:

{
    "$schema": "https://raw.githubusercontent.com/F5Networks/f5-appsvcs-extension/master/schema/3.17.1/as3-schema.json",
    "class": "AS3",
    "action": "deploy",
    "persist": true
}

And the error: image

I've verified that I see the same behavior on 1.43.0-insider

VS Code version: Code 1.42.1 (c47d83b293181d9be64f27ff093689e8e7aed054, 2020-02-11T14:45:59.656Z)
OS version: Windows_NT x64 10.0.17763

vscodebot[bot] commented 4 years ago

(Experimental duplicate detection) Thanks for submitting this issue. Please also check if it is already covered by an existing one, like:

jakauppila commented 4 years ago

@chrmarti Let me know if there's any additional information you need or troubleshooting steps you'd like me to do.

chrmarti commented 3 years ago

Adding a log message to understand if any certificates are loaded at all.

Macroft commented 3 years ago

I too am behind a proxy. But what comes with my proxy is a self-signed root certificate that has to be added in WSL (it doesn't carry over from Windows).

For Ubuntu: https://askubuntu.com/questions/73287/how-do-i-install-a-root-certificate

For a full-blown Ubuntu install and getting VS Code to connect through the proxy/cert, I had to install Chromium and add the certs there so that VS Code could find them.

definedrisk commented 2 years ago

I am having the same issue. First reported with #127769. That issue was closed as VS Update now shows correct error message "unable to verify the first certificate (768)". But the 'real' issue is really the bug as reported above. See #127769 first report for same problem. In summary:

In my JSON file I have a $schema. This schema references another schema ($ref). I used http:// for both the top level schema (and sub schema) in my json data file. This works correctly. Both schemas are downloaded from the server (IIS server, confirmed in logs). VS Code is using the schema correctly for json IntelliSense and validation.

As soon as I changed to https:// for any schema (top-level or sub using $ref within the schema itself) then that schema file is NOT requested from the server. The logs show no connection request. It is as if the file is not requested?!? @chrmarti. The self-signed certificates are correctly installed (they work in Edge, Chromium browsers as I can click on the link in VS Code to open the schema file in the browser). They ALSO WORK on VISUAL STUDIO COMMUNITY edition!! So there is a specific bug with VS Code.

terryaney commented 5 months ago

Ever a resolution to this?

chrmarti commented 5 months ago

We have improved this over time, but there might still be new edge cases coming up.

Could you install the Network Proxy Test extension (https://marketplace.visualstudio.com/items?itemName=chrmarti.network-proxy-test) and check the output of F1 > Network Proxy Test: Test Connection in VS Code? Use the JSON schema URL when asked.

VSCodeTriageBot commented 5 months ago

This issue has been closed automatically because it needs more information and has not had recent activity. See also our issue reporting guidelines.

Happy Coding!

terryaney commented 5 months ago

Could you install the Network Proxy Test extension (https://marketplace.visualstudio.com/items?itemName=chrmarti.network-proxy-test) and check the output of F1 > Network Proxy Test: Test Connection in VS Code?

Note: Make sure to replace all sensitive information with dummy values before sharing this output.

VS Code 1.88.1 (e170252f762678dec6ca2cc69aba1570769a5d39)
Network Proxy Test 0.0.11
win32 10.0.22621 x64

Settings:

  • http.proxy:
  • http.proxyAuthorization: null
  • http.proxyStrictSSL: true
  • http.proxySupport: override
  • http.systemCertificates: true

Environment variables:

Sending GET request to https://qabtr.MYDOMAIN.com/schemas/camelot-appsettings.json...
vscode-proxy-agent: DIRECT
Received error: unable to verify the first certificate (UNABLE_TO_VERIFY_LEAF_SIGNATURE)
Retrying while ignoring certificate issues to collect information on the certificate chain.

Sending GET request to https://qabtr.MYDOMAIN.com/schemas/camelot-appsettings.json (allowing unauthorized)...
vscode-proxy-agent: DIRECT
Received response:

  • Status: 200 OK

Certificate chain:

  • Subject: .lifeatworkportal.com (Conduent Business Services, LLC)
    Subject alt: DNS:.MYDOMAIN.com, DNS:*.MYDOMAIN-2.com
    Validity: Feb 23 00:00:00 2024 GMT - Feb 22 23:59:59 2025 GMT
    Fingerprint: XXX (is this sensitive? Not a cert expert, lol)
    Issuer certificate 'Sectigo RSA Organization Validation Secure Server CA (Sectigo Limited)' not in certificate chain of the server.

Last certificate not verified by OS root certificates. This might indicate an issue with the root certificates registered in your OS:

  • Make sure that the root certificate for the certificate chain is registered as such in the OS. Use F1 > Network Proxy Test: Show OS Certificates to see the list loaded by VS Code.
  • Also make sure that your proxy and server return the complete certificate chain (except possibly for the root certificate).
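
The Network Proxy Test output above reports that the issuer (intermediate) certificate is missing from the chain the server sends. The script below is an added example, not part of the thread or of VS Code: it reproduces that condition offline with a constructed root, intermediate and leaf, and shows that trusting the root alone is not enough. The CA names, host name and file names are made up, and it assumes the `openssl` CLI is installed.

```shell
#!/bin/sh
# Added example: constructed root -> intermediate -> leaf PKI (all names made up).
# Assumes the openssl CLI is installed; everything is created in a temp dir.

# issue <dir> <name> <CN> <ext-section> <signer-name|self>
issue() {
  d=$1; n=$2
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$3" \
    -keyout "$d/$n.key" -out "$d/$n.csr" 2>/dev/null || return 1
  if [ "$5" = self ]; then
    openssl x509 -req -in "$d/$n.csr" -signkey "$d/$n.key" -days 2 \
      -extfile "$d/ext.cnf" -extensions "$4" -out "$d/$n.pem" 2>/dev/null
  else
    openssl x509 -req -in "$d/$n.csr" -CA "$d/$5.pem" -CAkey "$d/$5.key" \
      -CAcreateserial -days 2 -extfile "$d/ext.cnf" -extensions "$4" \
      -out "$d/$n.pem" 2>/dev/null
  fi
}

build_pki() {
  printf '[v3_ca]\nbasicConstraints=critical,CA:TRUE\n[v3_leaf]\nbasicConstraints=CA:FALSE\n' \
    > "$1/ext.cnf"
  issue "$1" root  "Example Root CA"         v3_ca   self &&
  issue "$1" inter "Example Intermediate CA" v3_ca   root &&
  issue "$1" leaf  "schemas.example.test"    v3_leaf inter
}

# Server sends only the leaf: the client cannot link it to the trusted root.
verify_leaf_only() {
  openssl verify -CAfile "$1/root.pem" "$1/leaf.pem" >/dev/null 2>&1
}

# Server sends leaf + intermediate: the chain now reaches the trusted root.
verify_full_chain() {
  openssl verify -CAfile "$1/root.pem" -untrusted "$1/inter.pem" \
    "$1/leaf.pem" >/dev/null 2>&1
}

demo() {
  dir=$(mktemp -d) || return 1
  build_pki "$dir" || { rm -rf "$dir"; return 1; }
  verify_leaf_only "$dir" && r1=accepted || r1=rejected
  verify_full_chain "$dir" && r2=accepted || r2=rejected
  rm -rf "$dir"
  echo "leaf-only=$r1 full-chain=$r2"
}

demo
```

The second call models the server returning the intermediate alongside the leaf, which is what the last bullet of the test output asks for.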