Closed bharatpaliwal-169 closed 3 years ago
I am also seeing this error message on my Windows 10 work laptop when I hover over the "WakaTime Error" within the VSCode status bar (blue bar at the bottom of VSCode). When I opened the C:\Users\<user>\.wakatime.log file, I see the following line repeating over and over:
{"caller":"/home/runner/work/wakatime-cli/wakatime-cli/cmd/legacy/heartbeat/heartbeat.go:49","func":"Run","level":"fatal","message":"failed to send heartbeat(s): failed to send heartbeats via api client: failed making request to \"https://api.wakatime.com/api/v1/users/current/heartbeats.bulk\": Post \"https://api.wakatime.com/api/v1/users/current/heartbeats.bulk\": x509: certificate signed by unknown authority","now":"2021-05-19T05:26:54-07:00","version":"v1.6.0"}
Please try setting no-ssl-verify to true at your ~/.wakatime.cfg file.
[settings]
...
no_ssl_verify = true
@gandarez - Thanks. Setting no_ssl_verify=true within ~/.wakatime.cfg file worked for me.
Please upgrade your vscode extension to v10.0.0 to fix the error. We've rolled back wakatime-cli for now until we can fix this error.
@bharatpaliwal-169 and @akaustav to help us debug this, do you have a proxy configured in your ~/.wakatime.cfg file?
@alanhamlett no there is no proxy configured in /.wakatime.cfg file.
@alanhamlett - I do NOT have any proxy configured in my ~/.wakatime.cfg file too. Here's how my ~/.wakatime.cfg file looks like at the moment. And this works for me correctly at the moment.
[settings]
api_key = <secret>
proxy=
debug=false
no_ssl_verify=true
[internal]
cli_version = v1.6.0
cli_version_etag = W/"0e48f3b662e054d0697fffe6d3d4a2c6ac002938cf8373ed59f9017e8c37d998"
cli_version_last_modified = Tue, 18 May 2021 00:53:20 GMT
We've released some updates to wakatime-cli now. Can you please add these lines to your ~/.wakatime.cfg file under the [settings] group, then restart VS Code and see if it's fixed?
no_ssl_verify = false
legacy_python_cli = false
(If you already have no_ssl_verify=true, make sure to replace no_ssl_verify to prevent two duplicate keys)
@alanhamlett - I made the change in my local - where WakaTime was already working. After this change, WakaTime is back to showing the same "WakaTime Error" in the VSCode status bar. There are 2 errors in the ~/.wakatime.log - see below.
Updated ~/.wakatime.cfg file:
[settings]
api_key = <secret>
proxy=
debug=false
no_ssl_verify=false
legacy_python_cli=false
[internal]
cli_version = v1.7.1
cli_version_etag = W/"0e48f3b662e054d0697fffe6d3d4a2c6ac002938cf8373ed59f9017e8c37d998"
cli_version_last_modified = Thu, 20 May 2021 17:01:47 GMT
Errors in ~/.wakatime.log:
{"caller":"/home/runner/work/wakatime-cli/wakatime-cli/cmd/legacy/today/today.go:46","func":"Run","level":"fatal","message":"failed fetching summaries from api: failed to make request to \"https://api.wakatime.com/api/v1/users/current/summaries\": Get \"https://api.wakatime.com/api/v1/users/current/summaries?end=2021-05-20&start=2021-05-20\": x509: certificate signed by unknown authority","now":"2021-05-20T15:25:07-07:00","version":"v1.7.1"}
{"caller":"/home/runner/work/wakatime-cli/wakatime-cli/cmd/legacy/heartbeat/heartbeat.go:49","func":"Run","level":"fatal","message":"failed to send heartbeat(s): failed to send heartbeats via api client: failed making request to \"https://api.wakatime.com/api/v1/users/current/heartbeats.bulk\": Post \"https://api.wakatime.com/api/v1/users/current/heartbeats.bulk\": x509: certificate signed by unknown authority","now":"2021-05-20T15:25:12-07:00","version":"v1.7.1"}
@akaustav sorry it looks like wakatime/wakatime-cli#395 wasn't actually merged yet. Now that it's merged could you try again? All you need to do is reload your vscode for it to get the latest update.
After #411 gets merged we'll re-enable Go wakatime-cli for vscode. I'll comment here before doing that, so you know to watch for any errors. Hopefully that fixes it though.
Re-launching Go wakatime-cli in VS Code now, so keep an eye on your WakaTime status bar to make sure the plugin is working if you reload/relaunch your VS Code window.
Thanks, @alanhamlett. I didn't have time to test this during the weekend. I'll test it in the morning.
@alanhamlett - I tried - no dice.
Installed the latest WakaTime extension for VSCode - v12.0.0.
Changed ~/.wakatime.cfg file to the following:
[settings]
api_key = <secret>
proxy=
debug=false
no_ssl_verify=false
legacy_python_cli=false
[internal]
cli_version = v1.7.1
cli_version_etag = W/"0e48f3b662e054d0697fffe6d3d4a2c6ac002938cf8373ed59f9017e8c37d998"
cli_version_last_modified = Thu, 20 May 2021 17:01:47 GMT
When I restart VSCode without opening any files, in the status bar I get the WakaTime logo. Upon hovering on the logo, I see WakaTime: Initialized on a tooltip.
As soon as I open a file, I see WakaTime Error in the status bar.
Errors in ~/.wakatime.log:
{"caller":"/home/runner/work/wakatime-cli/wakatime-cli/cmd/legacy/heartbeat/heartbeat.go:49","func":"Run","level":"fatal","message":"failed to send heartbeat(s): failed to send heartbeats via api client: failed making request to \"https://api.wakatime.com/api/v1/users/current/heartbeats.bulk\": Post \"https://api.wakatime.com/api/v1/users/current/heartbeats.bulk\": x509: certificate signed by unknown authority","now":"2021-05-25T22:01:04-07:00","version":"v1.7.1"}
{"caller":"/home/runner/work/wakatime-cli/wakatime-cli/cmd/legacy/heartbeat/heartbeat.go:49","func":"Run","level":"fatal","message":"failed to send heartbeat(s): failed to send heartbeats via api client: failed making request to \"https://api.wakatime.com/api/v1/users/current/heartbeats.bulk\": Post \"https://api.wakatime.com/api/v1/users/current/heartbeats.bulk\": x509: certificate signed by unknown authority","now":"2021-05-25T22:01:05-07:00","version":"v1.7.1"}
{"caller":"/home/runner/work/wakatime-cli/wakatime-cli/cmd/legacy/today/today.go:46","func":"Run","level":"fatal","message":"failed fetching summaries from api: failed to make request to \"https://api.wakatime.com/api/v1/users/current/summaries\": Get \"https://api.wakatime.com/api/v1/users/current/summaries?end=2021-05-25&start=2021-05-25\": x509: certificate signed by unknown authority","now":"2021-05-25T22:01:15-07:00","version":"v1.7.1"}
{"caller":"/home/runner/work/wakatime-cli/wakatime-cli/cmd/legacy/heartbeat/heartbeat.go:49","func":"Run","level":"fatal","message":"failed to send heartbeat(s): failed to send heartbeats via api client: failed making request to \"https://api.wakatime.com/api/v1/users/current/heartbeats.bulk\": Post \"https://api.wakatime.com/api/v1/users/current/heartbeats.bulk\": x509: certificate signed by unknown authority","now":"2021-05-25T22:01:22-07:00","version":"v1.7.1"}
If it matters, I have the latest (non-insiders) build for VSCode. Following taken from Help > About > Copy within VSCode:
Version: 1.56.2 (user setup)
Commit: 054a9295330880ed74ceaedda236253b4f39a335
Date: 2021-05-12T17:13:13.157Z
Electron: 12.0.4
Chrome: 89.0.4389.114
Node.js: 14.16.0
V8: 8.9.255.24-electron.0
OS: Windows_NT x64 10.0.19042
@alanhamlett - I noticed that the existing configurations already had white-spaces on either side of the equals symbol.
But the lines which I was writing into this file did not have white-spaces around the equals symbols.
So, I tried the following in ~/.wakatime.cfg:
[settings]
...
no_ssl_verify = false
legacy_python_cli = false
...
And it still fails with the same errors - worth a shot, I guess.
So far, only setting no_ssl_verify = true works.
@akaustav it looks like there was an error with the last release where it wasn't actually published. Can you try again and see if it's fixed by adding the lines to your ~/.wakatime.cfg file? Spaces around the equals sign don't matter:
no_ssl_verify = false
legacy_python_cli = false
@bharatpaliwal-169 @akaustav Would you be willing to attend a video call so we can screen share and debug this issue? It would help a ton, since we haven't been able to reproduce it yet on our Windows test environments.
@alanhamlett - Sorry, I was on vacation - hence, slow response. Re-tried - same error in ~/.wakatime.log after I open a file.
{"caller":"/home/runner/work/wakatime-cli/wakatime-cli/cmd/legacy/today/today.go:44","func":"Run","level":"fatal","message":"failed fetching summaries from api: failed to make request to \"https://api.wakatime.com/api/v1/users/current/summaries\": Get \"https://api.wakatime.com/api/v1/users/current/summaries?end=2021-05-31&start=2021-05-31\": x509: certificate signed by unknown authority","now":"2021-05-31T21:52:21-07:00","version":""}
{"caller":"/home/runner/work/wakatime-cli/wakatime-cli/cmd/legacy/heartbeat/heartbeat.go:47","func":"Run","level":"fatal","message":"failed to send heartbeat(s): failed to send heartbeats via api client: failed making request to \"https://api.wakatime.com/api/v1/users/current/heartbeats.bulk\": Post \"https://api.wakatime.com/api/v1/users/current/heartbeats.bulk\": x509: certificate signed by unknown authority","now":"2021-05-31T21:52:29-07:00","version":""}
@akaustav thanks! We're working on figuring out why the bundled SSL cert isn't working in only some Windows environments. I'll update here once we have more details.
Thanks. BTW, this problem seems to occur in my work laptop running Windows 10 only. Personal Windows 10 laptop with the same version of vscode and wakatime extension seems to work fine. It is possible that the problem may be related to extra certificates which may have been installed on my work laptop (by my admin team) and might not be a problem with your certificates. Or it may be related to your certificates. Not completely sure what can I do to help with the root cause. They may have restrictions on video call + screenshare on my work laptop.
@alanhamlett - I have found a few items which may help troubleshoot this issue a bit more.
When I visit https://wakatime.com/ on my work PC running Windows 10, using Firefox Developer Edition 90.0b4 (64-bit), and inspect the SSL certificates, I see this (redacted my company name in the "Verified by" field):
Whereas, when I visit https://wakatime.com/ on my personal Windows 10 PC, using Firefox Developer Edition 90.0b4 (64-bit), and inspect the SSL certificates, I see this - notice the "Verified by" field shows "Let's Encrypt":
I followed the steps under the "Firefox : To get self signed certificate" section to obtain the self-signed PEM certificate chain for *.wakatime.com from Firefox. And then used the steps outlined in the "Getting Windows 10 to trust self-signed ssl certificates" section on the same page to import the self-signed certificate chain into my "Trusted Root Certificate Authorities > Certificates" in the Windows 10 Certificate Manager (certmgr.msc).
Then, I switched to your suggested settings in the ~/.wakatime.cfg file:
...
no_ssl_verify = false
legacy_python_cli = false
...
Restarted my machine and re-opened VSCode. It still fails, but I get a different error message in the ~/.wakatime.log after I open a file now (redacted the portions of the IP addresses with xxx.xxx - let me know if these pieces are required to troubleshoot):
{"caller":"/home/runner/work/wakatime-cli/wakatime-cli/cmd/legacy/today/today.go:44","func":"Run","level":"fatal","message":"failed fetching summaries from api: failed to make request to \"https://api.wakatime.com/api/v1/users/current/summaries\": Get \"https://api.wakatime.com/api/v1/users/current/summaries?end=2021-06-08&start=2021-06-08\": read tcp 192.168.xxx.xxx:50467->68.xxx.xxx.166:443: wsarecv: A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond.","now":"2021-06-08T00:46:19-07:00","version":""}
That means your work computer uses a proxy, which has its own SSL cert being a MITM between your work machine and WakaTime. When we merged #411, wakatime-cli started using the system's SSL certs which should include your work's proxy cert. Two questions:
- You imported your company's cert with Windows Certificate Import Wizard or WakaTime's?
- On your work machine in a Terminal, can programs like git or curl connect to external urls like cloning a github repo or curling WakaTime's home page?
@alanhamlett - You might be right about the proxy + MITM setup. I noticed that my older Firefox profile was having issues connecting to https websites - even https://www.google.com/. I had to start a fresh Firefox profile and that fixed the connection problems. Answers to your questions inline below.
Two questions:
- You imported your company's cert with Windows Certificate Import Wizard or WakaTime's?
I think my company's certificate was imported automatically by my company's admin team - using their automated desktop administration tools. I imported WakaTime's public certificate chain (obtained from https://wakatime.com/ in Firefox) with the Windows Certificate Import Wizard. Is there a different way to import / point to a certificate chain file into WakaTime?
- On your work machine in a Terminal, can programs like git or curl connect to external urls like cloning a github repo or curling WakaTime's home page?
In my windows command prompt (cmd.exe):
git clone command successfully. I tried cloning an older tiny repo of mine:
C:\dev\akaustav>git clone https://github.com/akaustav/finance.git
Cloning into 'finance'...
remote: Enumerating objects: 3130, done.
remote: Total 3130 (delta 0), reused 0 (delta 0), pack-reused 3130
Receiving objects: 100% (3130/3130), 8.41 MiB | 8.71 MiB/s, done.
Resolving deltas: 100% (1248/1248), done.
Updating files: 100% (2738/2738), done.
curl command. I tried running:
C:\dev\akaustav>curl "https://google.com"
curl: (35) schannel: next InitializeSecurityContext failed: Unknown error (0x80092012) - The revocation function was unable to check revocation for the certificate.
However, the curl command works if I run it with the --ssl-no-revoke flag - like this:
C:\dev\akaustav>curl "https://google.com" --ssl-no-revoke
<HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8">
<TITLE>301 Moved</TITLE></HEAD><BODY>
<H1>301 Moved</H1>
The document has moved
<A HREF="https://www.google.com/">here</A>.
</BODY></HTML>
That curl error is probably the same thing wakatime-cli is running into. Maybe Python wakatime-cli doesn't check for revocation when verifying ssl certs but Go wakatime-cli does.
I imported WakaTime's public certificate chain
That won't work, since your work computer receives the proxy's company cert when connecting to wakatime. The issue here is Go wakatime-cli isn't trusting your company's proxy cert. Let's check if that's the case by running this Terminal command:
wakatime-cli-windows-amd64.exe --verbose --log-to-stdout --today --ssl-certs-file <path to your proxy cert pem file>
Where your proxy cert pem file should be the one that's verified by "My company name here". If that prints something like 0 secs then I think it's that wakatime-cli can't find your proxy's cert on the system. If it prints an error, then depending on the error message it's probably that wakatime-cli finds your proxy's cert but isn't trusting it maybe for the same reason as curl.
Actually, it looks like Go doesn't check cert revocation so it must be just not finding the proxy cert due to it not being in the system pool or from a hostname mismatch.
We can disable hostname verification, but that decreases security for everyone. Python also checks the hostname of the cert and Python is working, so maybe Go is checking it slightly differently somehow.
Now that we have logs aggregation, I'm seeing these error logs from Windows users that might be the same as this issue:
{"caller":"/wakatime-cli/wakatime-cli/pkg/api/transport.go:110","func":"CACerts","level":"warning","message":"unable to use system cert pool: crypto/x509: system root pool is not available on Windows","now":"2021-07-03T17:35:43+02:00","version":"v1.18.7"}
{"caller":"/wakatime-cli/wakatime-cli/pkg/api/transport.go:114","func":"CACerts","level":"warning","message":"system cert pool empty","now":"2021-07-03T17:35:43+02:00","version":"v1.18.7"}
{"caller":"/wakatime-cli/wakatime-cli/cmd/legacy/run.go:189","func":"runCmd","level":"error","message":"failed to run command: failed to send heartbeat(s): failed to send heartbeats via api client: failed making request to \"https://api.wakatime.com/api/v1/users/current/heartbeats.bulk\": Post \"https://api.wakatime.com/api/v1/users/current/heartbeats.bulk\": x509: certificate signed by unknown authority","now":"2021-07-03T17:35:44+02:00","version":"v1.18.7"}
The system root pool is not available on Windows error means Go can only use the system CACerts on Linux and other non-Windows platforms?
@alanhamlett Somehow they reverted the existing functionality for loading system roots in go 1.8, as you can see here: https://github.com/golang/go/blob/master/src/crypto/x509/root_windows.go#L286
Issue is explained in: https://github.com/golang/go/issues/18609. Windows obviously does not ship with all root certificates installed, but downloads some on-demand.
Workaround for now would be disabling SSL as fallback on Windows?
No, it's not safe.
Looks like there are two workarounds:
We could use that code in our project to get the system root certs on Windows without SystemCertPool.
Let's just implement our own root_windows.go without the if true, then use that instead of x509.SystemCertPool() on Windows here:
The reason they disabled getting root certs on Windows was because the implementation only returned root certs already used at least once, and was missing any root certs not yet used. Apparently because Windows lazy-downloads root certs on first use. For us, this doesn't matter because we bundle our root cert and the only time we need system certs is for corporate proxies where the root cert will already be installed.
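The trust model this thread converges on (system roots where the platform exposes them, plus an explicitly supplied proxy CA in PEM form, with verification left on) is shown below as an added Go example; it is not wakatime-cli's code and not part of any comment. The names buildPool, must, issue and demo are hypothetical, and the CA, the leaf certificate and the example.test host names are constructed in memory.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// buildPool (hypothetical helper): system roots when the platform exposes them,
// else an empty pool, plus extra PEM roots. Verification is never switched off.
func buildPool(extraPEM []byte) *x509.CertPool {
	pool, err := x509.SystemCertPool()
	if err != nil || pool == nil {
		pool = x509.NewCertPool()
	}
	pool.AppendCertsFromPEM(extraPEM) // adds nothing when extraPEM is empty
	return pool
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// issue makes a constructed test certificate; a nil parent means self-signed CA.
func issue(serial int64, name string, parent *x509.Certificate, signer *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	t := &x509.Certificate{SerialNumber: big.NewInt(serial), DNSNames: []string{name},
		Subject: pkix.Name{CommonName: name}, KeyUsage: x509.KeyUsageDigitalSignature,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour), BasicConstraintsValid: true}
	if parent == nil {
		t.IsCA, t.KeyUsage, parent, signer = true, x509.KeyUsageCertSign, t, key
	}
	der := must(x509.CreateCertificate(rand.Reader, t, parent, &key.PublicKey, signer))
	return must(x509.ParseCertificate(der)), key
}

// demo: unknown authority without the proxy CA; with it, wrong host rejected, right host accepted.
func demo() (unknown, hostRejected bool, trustedErr error) {
	ca, caKey := issue(1, "proxy-ca.example.test", nil, nil)
	leaf, _ := issue(2, "api.example.test", ca, caKey)
	caPEM := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: ca.Raw})
	verify := func(extra []byte, host string) error {
		_, err := leaf.Verify(x509.VerifyOptions{Roots: buildPool(extra), DNSName: host})
		return err
	}
	_, unknown = verify(nil, "api.example.test").(x509.UnknownAuthorityError)
	_, hostRejected = verify(caPEM, "other.example.test").(x509.HostnameError)
	return unknown, hostRejected, verify(caPEM, "api.example.test")
}

func main() { fmt.Println(demo()) }
```

The first result corresponds to the "x509: certificate signed by unknown authority" log lines in this thread; adding the proxy CA to the pool clears it while hostname checking stays in force.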
@bharatpaliwal-169 @akaustav please delete the lines no_ssl_verify and legacy_python_cli from your ~/.wakatime.cfg and let me know if it's fixed after restarting vscode?
@alanhamlett - You are correct. It looks fixed now.
checked every file and reinstalled the extension for about 100 times and regenerated API key also but nothing is working. Please Help