wakatime / wakatime-cli

Command line interface used by all WakaTime text editor plugins
https://wakatime.com/plugins
BSD 3-Clause "New" or "Revised" License

x509: certificate signed by unknown authority #385

Closed bharatpaliwal-169 closed 3 years ago

bharatpaliwal-169 commented 3 years ago

checked every file and reinstalled the extension for about 100 times and regenerated API key also but nothing is working. Please Help

akaustav commented 3 years ago

I am also seeing this error message on my Windows 10 work laptop when I hover over the "WakaTime Error" within the VSCode status bar (blue bar at the bottom of VSCode). When I opened the C:\Users\<user>\.wakatime.log file, I see the following line repeating over and over:

{"caller":"/home/runner/work/wakatime-cli/wakatime-cli/cmd/legacy/heartbeat/heartbeat.go:49","func":"Run","level":"fatal","message":"failed to send heartbeat(s): failed to send heartbeats via api client: failed making request to \"https://api.wakatime.com/api/v1/users/current/heartbeats.bulk\": Post \"https://api.wakatime.com/api/v1/users/current/heartbeats.bulk\": x509: certificate signed by unknown authority","now":"2021-05-19T05:26:54-07:00","version":"v1.6.0"}

alanhamlett commented 3 years ago

Please try setting no-ssl-verify to true at your ~/.wakatime.cfg file.

[settings]
...
no_ssl_verify = true

akaustav commented 3 years ago

> Please try setting no-ssl-verify to true at your ~/.wakatime.cfg file.
>
> [settings]
> ...
> no_ssl_verify = true

@gandarez - Thanks. Setting no_ssl_verify=true within ~/.wakatime.cfg file worked for me.

alanhamlett commented 3 years ago

Please upgrade your vscode extension to v10.0.0 to fix the error. We've rolled back wakatime-cli for now until we can fix this error.

alanhamlett commented 3 years ago

@bharatpaliwal-169 and @akaustav to help us debug this, do you have a proxy configured in your ~/.wakatime.cfg file?

bharatpaliwal-169 commented 3 years ago

@alanhamlett no, there is no proxy configured in the ~/.wakatime.cfg file.

akaustav commented 3 years ago

> @bharatpaliwal-169 and @akaustav to help us debug this, do you have a proxy configured in your ~/.wakatime.cfg file?

@alanhamlett - I do NOT have any proxy configured in my ~/.wakatime.cfg file either. Here's how my ~/.wakatime.cfg file looks at the moment. And this works for me correctly at the moment.

[settings]
api_key = <secret>
proxy=
debug=false
no_ssl_verify=true

[internal]
cli_version = v1.6.0
cli_version_etag = W/"0e48f3b662e054d0697fffe6d3d4a2c6ac002938cf8373ed59f9017e8c37d998"
cli_version_last_modified = Tue, 18 May 2021 00:53:20 GMT

alanhamlett commented 3 years ago

We've released some updates to wakatime-cli now. Can you please add these lines to your ~/.wakatime.cfg file under the [settings] group, then restart VS Code and see if it's fixed?

no_ssl_verify = false
legacy_python_cli = false

(If you already have no_ssl_verify=true, make sure to replace no_ssl_verify to prevent two duplicate keys)

akaustav commented 3 years ago

> We've released some updates to wakatime-cli now. Can you please add these lines to your ~/.wakatime.cfg file under the [settings] group, then restart VS Code and see if it's fixed?
>
> no_ssl_verify = false
> legacy_python_cli = false
>
> (If you already have no_ssl_verify=true, make sure to replace no_ssl_verify to prevent two duplicate keys)

@alanhamlett - I made the change in my local - where WakaTime was already working. After this change, WakaTime is back to showing the same "WakaTime Error" in the VSCode status bar. There are 2 errors in the ~/.wakatime.log - see below.

Updated ~/.wakatime.cfg file:

[settings]
api_key = <secret>
proxy=
debug=false
no_ssl_verify=false
legacy_python_cli=false

[internal]
cli_version = v1.7.1
cli_version_etag = W/"0e48f3b662e054d0697fffe6d3d4a2c6ac002938cf8373ed59f9017e8c37d998"
cli_version_last_modified = Thu, 20 May 2021 17:01:47 GMT

Errors in ~/.wakatime.log:

{"caller":"/home/runner/work/wakatime-cli/wakatime-cli/cmd/legacy/today/today.go:46","func":"Run","level":"fatal","message":"failed fetching summaries from api: failed to make request to \"https://api.wakatime.com/api/v1/users/current/summaries\": Get \"https://api.wakatime.com/api/v1/users/current/summaries?end=2021-05-20&start=2021-05-20\": x509: certificate signed by unknown authority","now":"2021-05-20T15:25:07-07:00","version":"v1.7.1"}
{"caller":"/home/runner/work/wakatime-cli/wakatime-cli/cmd/legacy/heartbeat/heartbeat.go:49","func":"Run","level":"fatal","message":"failed to send heartbeat(s): failed to send heartbeats via api client: failed making request to \"https://api.wakatime.com/api/v1/users/current/heartbeats.bulk\": Post \"https://api.wakatime.com/api/v1/users/current/heartbeats.bulk\": x509: certificate signed by unknown authority","now":"2021-05-20T15:25:12-07:00","version":"v1.7.1"}

alanhamlett commented 3 years ago

@akaustav sorry it looks like wakatime/wakatime-cli#395 wasn't actually merged yet. Now that it's merged could you try again? All you need to do is reload your vscode for it to get the latest update.

alanhamlett commented 3 years ago

After #411 gets merged we'll re-enable Go wakatime-cli for vscode. I'll comment here before doing that, so you know to watch for any errors. Hopefully that fixes it though.

alanhamlett commented 3 years ago

Re-launching Go wakatime-cli in VS Code now, so keep an eye on your WakaTime status bar to make sure the plugin is working if you reload/relaunch your VS Code window.

akaustav commented 3 years ago

Thanks, @alanhamlett. I didn't have time to test this during the weekend. I'll test it in the morning.

akaustav commented 3 years ago

@alanhamlett - I tried - no dice. Installed the latest WakaTime extension for VSCode - v12.0.0. Changed ~/.wakatime.cfg file to the following:

[settings]
api_key = <secret>
proxy=
debug=false
no_ssl_verify=false
legacy_python_cli=false

[internal]
cli_version = v1.7.1
cli_version_etag = W/"0e48f3b662e054d0697fffe6d3d4a2c6ac002938cf8373ed59f9017e8c37d998"
cli_version_last_modified = Thu, 20 May 2021 17:01:47 GMT

When I restart VSCode without opening any files, in the status bar I get the WakaTime logo. Upon hovering on the logo, I see WakaTime: Initialized on a tooltip. As soon as I open a file, I see WakaTime Error in the status bar. Errors in ~/.wakatime.log:

{"caller":"/home/runner/work/wakatime-cli/wakatime-cli/cmd/legacy/heartbeat/heartbeat.go:49","func":"Run","level":"fatal","message":"failed to send heartbeat(s): failed to send heartbeats via api client: failed making request to \"https://api.wakatime.com/api/v1/users/current/heartbeats.bulk\": Post \"https://api.wakatime.com/api/v1/users/current/heartbeats.bulk\": x509: certificate signed by unknown authority","now":"2021-05-25T22:01:04-07:00","version":"v1.7.1"}
{"caller":"/home/runner/work/wakatime-cli/wakatime-cli/cmd/legacy/heartbeat/heartbeat.go:49","func":"Run","level":"fatal","message":"failed to send heartbeat(s): failed to send heartbeats via api client: failed making request to \"https://api.wakatime.com/api/v1/users/current/heartbeats.bulk\": Post \"https://api.wakatime.com/api/v1/users/current/heartbeats.bulk\": x509: certificate signed by unknown authority","now":"2021-05-25T22:01:05-07:00","version":"v1.7.1"}
{"caller":"/home/runner/work/wakatime-cli/wakatime-cli/cmd/legacy/today/today.go:46","func":"Run","level":"fatal","message":"failed fetching summaries from api: failed to make request to \"https://api.wakatime.com/api/v1/users/current/summaries\": Get \"https://api.wakatime.com/api/v1/users/current/summaries?end=2021-05-25&start=2021-05-25\": x509: certificate signed by unknown authority","now":"2021-05-25T22:01:15-07:00","version":"v1.7.1"}
{"caller":"/home/runner/work/wakatime-cli/wakatime-cli/cmd/legacy/heartbeat/heartbeat.go:49","func":"Run","level":"fatal","message":"failed to send heartbeat(s): failed to send heartbeats via api client: failed making request to \"https://api.wakatime.com/api/v1/users/current/heartbeats.bulk\": Post \"https://api.wakatime.com/api/v1/users/current/heartbeats.bulk\": x509: certificate signed by unknown authority","now":"2021-05-25T22:01:22-07:00","version":"v1.7.1"}

If it matters, I have the latest (non-insiders) build for VSCode. Following taken from Help > About > Copy within VSCode:

Version: 1.56.2 (user setup)
Commit: 054a9295330880ed74ceaedda236253b4f39a335
Date: 2021-05-12T17:13:13.157Z
Electron: 12.0.4
Chrome: 89.0.4389.114
Node.js: 14.16.0
V8: 8.9.255.24-electron.0
OS: Windows_NT x64 10.0.19042

akaustav commented 3 years ago

@alanhamlett - I noticed that the existing configurations already had white-spaces on either side of the equals symbol. But the lines which I was writing into this file did not have white-spaces around the equals symbols. So, I tried the following in ~/.wakatime.cfg:

[settings]
...
no_ssl_verify = false
legacy_python_cli = false
...

And it still fails with the same errors - worth a shot, I guess. So far, only setting no_ssl_verify = true works.

alanhamlett commented 3 years ago

@akaustav it looks like there was an error with the last release where it wasn't actually published. Can you try again and see if it's fixed by adding the lines to your ~/.wakatime.cfg file? Spaces around the equals sign don't matter:

no_ssl_verify = false
legacy_python_cli = false

alanhamlett commented 3 years ago

@bharatpaliwal-169 @akaustav Would you be willing to attend a video call so we can screen share and debug this issue? It would help a ton, since we haven't been able to reproduce it yet on our Windows test environments.

akaustav commented 3 years ago

> @akaustav it looks like there was an error with the last release where it wasn't actually published. Can you try again and see if it's fixed by adding the lines to your ~/.wakatime.cfg file? Spaces around the equals sign don't matter:
>
> no_ssl_verify = false
> legacy_python_cli = false

@alanhamlett - Sorry, I was on vacation - hence, slow response. Re-tried - same error in ~/.wakatime.log after I open a file.

{"caller":"/home/runner/work/wakatime-cli/wakatime-cli/cmd/legacy/today/today.go:44","func":"Run","level":"fatal","message":"failed fetching summaries from api: failed to make request to \"https://api.wakatime.com/api/v1/users/current/summaries\": Get \"https://api.wakatime.com/api/v1/users/current/summaries?end=2021-05-31&start=2021-05-31\": x509: certificate signed by unknown authority","now":"2021-05-31T21:52:21-07:00","version":""}
{"caller":"/home/runner/work/wakatime-cli/wakatime-cli/cmd/legacy/heartbeat/heartbeat.go:47","func":"Run","level":"fatal","message":"failed to send heartbeat(s): failed to send heartbeats via api client: failed making request to \"https://api.wakatime.com/api/v1/users/current/heartbeats.bulk\": Post \"https://api.wakatime.com/api/v1/users/current/heartbeats.bulk\": x509: certificate signed by unknown authority","now":"2021-05-31T21:52:29-07:00","version":""}

alanhamlett commented 3 years ago

@akaustav thanks! We're working on figuring out why the bundled SSL cert isn't working in only some Windows environments. I'll update here once we have more details.

akaustav commented 3 years ago

Thanks. BTW, this problem seems to occur on my work laptop running Windows 10 only. My personal Windows 10 laptop with the same version of vscode and wakatime extension seems to work fine. It is possible that the problem may be related to extra certificates which may have been installed on my work laptop (by my admin team) and might not be a problem with your certificates. Or it may be related to your certificates. Not completely sure what I can do to help with the root cause. They may have restrictions on video call + screenshare on my work laptop.

akaustav commented 3 years ago

@alanhamlett - I have found a few items which may help troubleshoot this issue a bit more.

  1. When I visit https://wakatime.com/ on my work PC running Windows 10, using Firefox Developer Edition 90.0b4 (64-bit), and inspect the SSL certificates, I see this (redacted my company name in the "Verified by" field):

  2. Whereas, when I visit https://wakatime.com/ on my personal Windows 10 PC, using Firefox Developer Edition 90.0b4 (64-bit), and inspect the SSL certificates, I see this - notice the "Verified by" field shows "Let's Encrypt":

  3. I followed the steps under the "Firefox : To get self signed certificate" section to obtain the self-signed PEM certificate chain for *.wakatime.com from Firefox. And then used the steps outlined in the "Getting Windows 10 to trust self-signed ssl certificates" section on the same page to import the self-signed certificate chain into my "Trusted Root Certificate Authorities > Certificates" in the Windows 10 Certificate Manager (certmgr.msc).

  4. Then, I switched to your suggested settings in the ~/.wakatime.cfg file:

    ...
    no_ssl_verify = false
    legacy_python_cli = false
    ...
  5. Restarted my machine and re-opened VSCode. It still fails, but I get a different error message in the ~/.wakatime.log after I open a file now (redacted the portions of the IP addresses with xxx.xxx - let me know if these pieces are required to troubleshoot):

    {"caller":"/home/runner/work/wakatime-cli/wakatime-cli/cmd/legacy/today/today.go:44","func":"Run","level":"fatal","message":"failed fetching summaries from api: failed to make request to \"https://api.wakatime.com/api/v1/users/current/summaries\": Get \"https://api.wakatime.com/api/v1/users/current/summaries?end=2021-06-08&start=2021-06-08\": read tcp 192.168.xxx.xxx:50467->68.xxx.xxx.166:443: wsarecv: A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond.","now":"2021-06-08T00:46:19-07:00","version":""}

alanhamlett commented 3 years ago

That means your work computer uses a proxy, which has its own SSL cert being a MITM between your work machine and WakaTime. When we merged #411, wakatime-cli started using the system's SSL certs which should include your work's proxy cert. Two questions:

  1. You imported your company's cert with Windows Certificate Import Wizard or WakaTime's?
  2. On your work machine in a Terminal, can programs like git or curl connect to external urls like cloning a github repo or curling WakaTime's home page?

akaustav commented 3 years ago

> That means your work computer uses a proxy, which has its own SSL cert being a MITM between your work machine and WakaTime. When we merged #411, wakatime-cli started using the system's SSL certs which should include your work's proxy cert.

@alanhamlett - You might be right about the proxy + MITM setup. I noticed that my older Firefox profile was having issues connecting to https websites - even https://www.google.com/. I had to start a fresh Firefox profile and that fixed the connection problems. Answers to your questions inline below.

> Two questions:
>
> 1. You imported your company's cert with Windows Certificate Import Wizard or WakaTime's?

I think my company's certificate was imported automatically by my company's admin team - using their automated desktop administration tools. I imported WakaTime's public certificate chain (obtained from https://wakatime.com/ in Firefox) with the Windows Certificate Import Wizard. Is there a different way to import / point to a certificate chain file into WakaTime?

> 2. On your work machine in a Terminal, can programs like git or curl connect to external urls like cloning a github repo or curling WakaTime's home page?

In my windows command prompt (cmd.exe):

  1. I am able to run the git clone command successfully. I tried cloning an older tiny repo of mine:
    C:\dev\akaustav>git clone https://github.com/akaustav/finance.git
    Cloning into 'finance'...
    remote: Enumerating objects: 3130, done.
    remote: Total 3130 (delta 0), reused 0 (delta 0), pack-reused 3130
    Receiving objects: 100% (3130/3130), 8.41 MiB | 8.71 MiB/s, done.
    Resolving deltas: 100% (1248/1248), done.
    Updating files: 100% (2738/2738), done.
  2. I am unable to run the curl command. I tried running:
    C:\dev\akaustav>curl "https://google.com"
    curl: (35) schannel: next InitializeSecurityContext failed: Unknown error (0x80092012) - The revocation function was unable to check revocation for the certificate.

However, the curl command works if I run it with the --ssl-no-revoke flag - like this:

C:\dev\akaustav>curl "https://google.com" --ssl-no-revoke
<HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8">
<TITLE>301 Moved</TITLE></HEAD><BODY>
<H1>301 Moved</H1>
The document has moved
<A HREF="https://www.google.com/">here</A>.
</BODY></HTML>

alanhamlett commented 3 years ago

That curl error is probably the same thing wakatime-cli is running into. Maybe Python wakatime-cli doesn't check for revocation when verifying ssl certs but Go wakatime-cli does.

> I imported WakaTime's public certificate chain

That won't work, since your work computer receives the proxy's company cert when connecting to wakatime. The issue here is Go wakatime-cli isn't trusting your company's proxy cert. Let's check if that's the case by running this Terminal command:

wakatime-cli-windows-amd64.exe --verbose --log-to-stdout --today --ssl-certs-file <path to your proxy cert pem file>

Where your proxy cert pem file should be the one that's verified by "My company name here". If that prints something like 0 secs then I think it's that wakatime-cli can't find your proxy's cert on the system. If it prints an error, then depending on the error message it's probably that wakatime-cli finds your proxy's cert but isn't trusting it maybe for the same reason as curl.

alanhamlett commented 3 years ago

Actually, it looks like Go doesn't check cert revocation so it must be just not finding the proxy cert due to it not being in the system pool or from a hostname mismatch.

alanhamlett commented 3 years ago

We can disable hostname verification, but that decreases security for everyone. Python also checks the hostname of the cert and Python is working, so maybe Go is checking it slightly differently somehow.

alanhamlett commented 3 years ago

Now that we have logs aggregation, I'm seeing these error logs from Windows users that might be the same as this issue:

{"caller":"/wakatime-cli/wakatime-cli/pkg/api/transport.go:110","func":"CACerts","level":"warning","message":"unable to use system cert pool: crypto/x509: system root pool is not available on Windows","now":"2021-07-03T17:35:43+02:00","version":"v1.18.7"}
{"caller":"/wakatime-cli/wakatime-cli/pkg/api/transport.go:114","func":"CACerts","level":"warning","message":"system cert pool empty","now":"2021-07-03T17:35:43+02:00","version":"v1.18.7"}
{"caller":"/wakatime-cli/wakatime-cli/cmd/legacy/run.go:189","func":"runCmd","level":"error","message":"failed to run command: failed to send heartbeat(s): failed to send heartbeats via api client: failed making request to \"https://api.wakatime.com/api/v1/users/current/heartbeats.bulk\": Post \"https://api.wakatime.com/api/v1/users/current/heartbeats.bulk\": x509: certificate signed by unknown authority","now":"2021-07-03T17:35:44+02:00","version":"v1.18.7"}

The system root pool is not available on Windows error means Go can only use the system CACerts on Linux and other non-Windows platforms?

dron22 commented 3 years ago

@alanhamlett Somehow they reverted the existing functionality for loading system roots in go 1.8, as you can see here: https://github.com/golang/go/blob/master/src/crypto/x509/root_windows.go#L286

Issue is explained in: https://github.com/golang/go/issues/18609. Windows obviously does not ship with all root certificates installed, but downloads some on-demand.

gandarez commented 3 years ago

Workaround for now would be disabling SSL as fallback on Windows?

alanhamlett commented 3 years ago

> Workaround for now would be disabling SSL as fallback on Windows?

No, it's not safe.

Looks like there are two workarounds:

  1. https://github.com/golang/go/issues/16736#issuecomment-540373689
  2. https://github.com/golang/go/pull/26770

We could use that code in our project to get the system root certs on Windows without SystemCertPool.

alanhamlett commented 3 years ago

Let's just implement our own root_windows.go without the if true, then use that instead of x509.SystemCertPool() on Windows here:

https://github.com/wakatime/wakatime-cli/blob/e434f95b2a40987339c6aa700594ed44302d9351/pkg/api/transport.go#L108

The reason they disabled getting root certs on Windows was because the implementation only returned root certs already used at least once, and was missing any root certs not yet used. Apparently because Windows lazy-downloads root certs on first use. For us, this doesn't matter because we bundle our root cert and the only time we need system certs is for corporate proxies where the root cert will already be installed.
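The trust-pool design described in the last few comments (bundled root always trusted, the OS store consulted only so that a corporate interception proxy's CA is found, an explicit PEM file as with `--ssl-certs-file` in the earlier comment, and never `no_ssl_verify` as the fallback) can be shown end to end. The following Go program is an added example and is not wakatime-cli's code: the function names (`CACerts`, `NewClient`, `mint`, `must`, `Demo`), the stand-in CA names, and the local `httptest` server standing in for a proxy that re-signs api.wakatime.com are this example's assumptions; the real CLI does the equivalent in `pkg/api/transport.go`, whose contents are not on this page.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"net"
	"net/http"
	"net/http/httptest"
	"time"
)

// CACerts builds the trust pool in the order the thread settles on: the OS store when Go can
// read it, the bundled root always, plus optional operator-supplied PEM (the contents of a
// --ssl-certs-file, e.g. a corporate proxy CA). Names are this example's, not wakatime-cli's.
func CACerts(bundledPEM, extraPEM []byte, warn func(string)) (*x509.CertPool, error) {
	pool, err := x509.SystemCertPool() // returns an error on Windows with Go releases before 1.18
	if err != nil {
		warn(fmt.Sprintf("unable to use system cert pool: %v", err))
		pool = x509.NewCertPool() // degrade to the bundled root, never to "no verification"
	}
	if !pool.AppendCertsFromPEM(bundledPEM) {
		return nil, errors.New("bundled CA bundle holds no PEM certificates")
	}
	if len(extraPEM) > 0 && !pool.AppendCertsFromPEM(extraPEM) {
		return nil, errors.New("extra certs file holds no PEM certificates")
	}
	return pool, nil
}

// NewClient keeps chain and hostname verification on; InsecureSkipVerify is never set.
func NewClient(pool *x509.CertPool) *http.Client {
	tc := &tls.Config{RootCAs: pool, MinVersion: tls.VersionTLS12}
	return &http.Client{Timeout: 10 * time.Second, Transport: &http.Transport{TLSClientConfig: tc}}
}

// must aborts on fixture errors; the certificates below are constructed test data, not real CAs.
func must(err error) {
	if err != nil {
		panic(err)
	}
}

// mint issues a certificate for tmpl (self-signed when parent is nil) and returns it with its key and PEM.
func mint(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, []byte) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	tmpl.SerialNumber, tmpl.NotBefore, tmpl.NotAfter = big.NewInt(time.Now().UnixNano()), time.Now().Add(-time.Hour), time.Now().Add(24*time.Hour)
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	return cert, key, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}

// Demo serves TLS from a leaf signed by a stand-in "proxy" CA, the way an intercepting proxy
// re-signs api.wakatime.com, and checks that a pool holding that CA verifies it while a pool
// holding only the bundled root rejects it. Returns (verified with proxy CA, rejected without).
func Demo() (withProxyCA, rejectedWithout bool, err error) {
	caTmpl := func(cn string) *x509.Certificate {
		return &x509.Certificate{Subject: pkix.Name{CommonName: cn}, IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	}
	proxyCA, proxyKey, proxyPEM := mint(caTmpl("Example Corp Proxy Root CA"), nil, nil)
	_, _, bundledPEM := mint(caTmpl("Stand-in bundled root"), nil, nil)
	leaf, leafKey, _ := mint(&x509.Certificate{Subject: pkix.Name{CommonName: "api.wakatime.com"},
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}, KeyUsage: x509.KeyUsageDigitalSignature,
		IPAddresses: []net.IP{net.IPv4(127, 0, 0, 1)}}, proxyCA, proxyKey) // httptest serves on 127.0.0.1
	srv := httptest.NewUnstartedServer(http.HandlerFunc(func(http.ResponseWriter, *http.Request) {}))
	srv.TLS = &tls.Config{Certificates: []tls.Certificate{{Certificate: [][]byte{leaf.Raw}, PrivateKey: leafKey}}}
	srv.StartTLS()
	defer srv.Close()

	// fetch does one GET through a client trusting the bundled root plus extraPEM.
	fetch := func(extraPEM []byte) error {
		pool, err := CACerts(bundledPEM, extraPEM, func(msg string) { fmt.Println("warning:", msg) })
		if err != nil {
			return err
		}
		resp, err := NewClient(pool).Get(srv.URL)
		if err == nil {
			resp.Body.Close()
		}
		return err
	}
	if err = fetch(proxyPEM); err != nil { // proxy CA trusted: the handshake must succeed
		return false, false, err
	}
	var unknownCA x509.UnknownAuthorityError // the same error the .wakatime.log lines above show
	return true, errors.As(fetch(nil), &unknownCA), nil // bundled root only: must fail closed
}
```

Calling `Demo` from a test or a `main` yields `(true, true, nil)`: once the proxy CA is in the pool the request succeeds with full hostname checking still on, and without it the client fails closed with `x509.UnknownAuthorityError` rather than connecting anyway. On Linux the `SystemCertPool` warning path is only exercised if the OS store is unreadable; on a pre-1.18 Go toolchain on Windows it fires for real, which is exactly why the bundled root must always be appended before anything else.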

alanhamlett commented 3 years ago

@bharatpaliwal-169 @akaustav please delete the lines no_ssl_verify and legacy_python_cli from your ~/.wakatime.cfg and let me know if it's fixed after restarting vscode?

akaustav commented 3 years ago

> @bharatpaliwal-169 @akaustav please delete the lines no_ssl_verify and legacy_python_cli from your ~/.wakatime.cfg and let me know if it's fixed after restarting vscode?

@alanhamlett - You are correct. It looks fixed now.