vscode icon indicating copy to clipboard operation
vscode copied to clipboard
verified publisher icon microsoft

Error when installing extensions when using HTTP proxy

Open merlinz01 opened this issue 1 year ago • 9 comments

Does this issue occur when all extensions are disabled?: Yes

  • VS Code Version: 1.97.0
  • OS Version: Linux Mint 22.1

Steps to Reproduce:

  1. Go to the extensions panel in VSCode.
  2. Search for an extension. This part works.
  3. Click the Install button on the extension.

Which always gives this error in the output panel:

2025-02-06 20:11:07.312 [error] [Window] Error: net::ERR_INVALID_ARGUMENT
    at SimpleURLLoaderWrapper.<anonymous> (node:electron/js2c/utility_init:2:10511)
    at SimpleURLLoaderWrapper.emit (node:events:518:28)
2025-02-06 20:11:07.346 [error] [Window] net::ERR_INVALID_ARGUMENT: Error: net::ERR_INVALID_ARGUMENT
    at SimpleURLLoaderWrapper.<anonymous> (node:electron/js2c/utility_init:2:10511)
    at SimpleURLLoaderWrapper.emit (node:events:518:28)

The results of the network proxy test are below:

VS Code 1.97.0 (33fc5a94a3f99ebe7087e8fe79fbe1d37a251016)
Network Proxy Test 0.0.16
linux 6.8.0-52-generic x64

Settings:
- http.proxy: http://user:pass@proxy:port
  - globalLocalValue: http://user:pass@proxy:port
  - globalValue: http://user:pass@proxy:port
- http.proxyAuthorization: user:pass
  - globalLocalValue: user:pass
  - globalValue: user:pass
- http.proxyStrictSSL: false
  - globalLocalValue: false
  - globalValue: false
- http.electronFetch: true
  - globalLocalValue: true
  - globalValue: true
- http.experimental.systemCertificatesV2: true
  - globalLocalValue: true
  - globalValue: true

Environment variables:
HTTPS_PROXY=http://user:pass@proxy:port
HTTP_PROXY=http://user:pass@proxy:port
NO_PROXY=nuget.org
http_proxy=http://user:pass@proxy:port
https_proxy=http://user:pass@proxy:port

DNS:
- Servers: 127.0.0.53
- Result Order: ipv4first
- Auto Select Family: true
- Auto Select Family Attempt Timeout: 250
- Lookup: 140.82.114.4 (158 ms)

Proxy:
- URL: http://user:pass@proxy:port (1 ms)
- Connection: 407 Proxy Authentication Required
	proxy-authenticate: Basic realm="HTTP Proxy" (3 ms)

Sending GET request to https://github.com...
Received response:
- Status: 200 OK
Certificate chain:
- Subject: github.com
  Subject alt: DNS:github.com
  Validity: Feb  5 05:00:00 2025 GMT - Feb  8 05:00:00 2025 GMT
  Fingerprint: 25:02:9A:BD:FD:C4:BD:AF:E2:8C:09:CB:61:5D:6F:41:F4:CF:2B:57
- (Proxy certificates)
Local root certificates:
- (Proxy root certificate)

Sending GET request to https://github.com using fetch from Electron...
Received response:
- Status: 200 

Sending GET request to https://github.com using fetch from Node.js...
Received response:
- Status: 200 OK

Sending GET request to https://github.com using fetch from Node.js (allow HTTP2)...
Received response:
- Status: 200

merlinz01 avatar Feb 07 '25 01:02 merlinz01

@chrmarti from #12588

merlinz01 avatar Feb 07 '25 01:02 merlinz01

Now in VSCode 1.99, Copilot can't sign in, same error. 😦

merlinz01 avatar Apr 04 '25 19:04 merlinz01

How strange! https://github.com/microsoft/vscode/issues/176609#issuecomment-1477211460 fixed it. This should be either documented or fixed.

merlinz01 avatar Apr 04 '25 19:04 merlinz01

The default for http.proxyAuthorization is already null. Does it still work?

chrmarti avatar Apr 07 '25 09:04 chrmarti

Yes, it also works if I remove that setting. It initially asked for authentication but it hasn't since, which makes sense. Maybe http.proxyAuthorization should be marked as deprecated?

merlinz01 avatar Apr 07 '25 16:04 merlinz01

EDIT: This works as designed, unfortunately.

See https://stackoverflow.com/a/75989394 for an explanation. TL;DR Electron doesn't allow options like NODE_OPTIONS or NODE_EXTRA_CA_CERTS in general.

Very unfortunate.

Same here. My company uses SSL introspection via Watchguard. Thus every SSL certificate is replaced with a custom cert signed by our internal CA.

The CA root certificate is installed on each machine. All openssl-based CLI work as expected. Once added to the browser trust store, Firefox and Chromium work, too. Only node.js-based apps fail to pick up that extra CA certificate.

I added an env variable NODE_EXTRA_CA_CERTS=/etc/ssl/certs/ca-certificates.crt to my profile which points to a PEM encoded collection of trusted CAs. My custom CA is included, too.

I also installed the extension https://marketplace.visualstudio.com/items?itemName=pharndt.node-extra-ca-certs-vscode from the marketplace to help.

But yet vscode still fails to connect to SSL sites. No updates, extensions, not even the user avatar image from GitLens.

Is there anything I can do?

datenimperator avatar May 21 '25 08:05 datenimperator

VS Code automatically loads OS certificates. Could you install the Network Proxy Test extension (https://marketplace.visualstudio.com/items?itemName=chrmarti.network-proxy-test) and check the output of F1 > Network Proxy Test: Test Connection in VS Code?

If you cannot install the extension through the Extensions viewlet in VS Code, you can download it from the browser here: https://github.com/chrmarti/vscode-network-proxy-test/releases and then install the downloaded VSIX with F1 > Extensions: Install VSIX....

chrmarti avatar May 23 '25 08:05 chrmarti

@chrmarti thx, brilliant extension!

As per the debug log, node.js can connect but Electron cannot.

Note: Make sure to replace all sensitive information with dummy values before sharing this output.

VS Code 1.100.2 (848b80aeb52026648a8ff9f7c45a9b0a80641e2e)
Network Proxy Test 0.0.17
linux 6.11.0-26-generic x64

DNS:
- Servers: 127.0.0.53
- Result Order: ipv4first
- Auto Select Family: true
- Auto Select Family Attempt Timeout: 250
- Lookup: 104.212.67.219, 2620:1ec:27:e61f::cafe:e61f (51 ms)

Proxy:
- URL: None (2 ms)

Sending GET request to https://update.code.visualstudio.com...
Received response:
- Status: 200 OK
Certificate chain:
- Subject: update.code.visualstudio.com (Microsoft Corporation)
  Subject alt: DNS:update.code.visualstudio.com
  Validity: Apr 10 16:41:10 2025 GMT - Oct  7 16:41:10 2025 GMT
  Fingerprint: DF:17:11:2A:F1:98:BB:CF:11:64:FC:05:5A:C8:4E:80:BB:1C:A2:FA
- Subject: fw-proxy.company.com (Company)
  Subject alt: DNS:fw.company.com, DNS:xx.xx.xx.xx
  Validity: Nov 25 12:03:29 2024 GMT - Apr 12 12:03:29 2052 GMT
  Fingerprint: 5D:25:01:D4:2A:9E:FB:EA:49:78:F7:7C:1F:E7:DB:AB:5A:A8:6F:FB
- Subject: ca.company.com (Company)
  Validity: Oct 29 10:22:39 2024 GMT - Mar 16 10:22:39 2052 GMT
  Fingerprint: E1:7D:B2:F8:19:ED:74:45:C8:DB:2F:30:A5:B0:F8:4A:94:26:4E:40
  Self-signed
Local root certificates:
- Subject: C=DE ST=NRW L=City O=Company CN=ca.company.com [email protected] (OS)
  Validity: Oct 29 10:22:39 2024 GMT - Mar 16 10:22:39 2052 GMT
  Fingerprint: E1:7D:B2:F8:19:ED:74:45:C8:DB:2F:30:A5:B0:F8:4A:94:26:4E:40
  Issuer: C=DE ST=NRW L=City O=Company CN=ca.company.com [email protected]

Sending GET request to https://update.code.visualstudio.com using fetch from Electron...
Received error: Error: net::ERR_CERT_AUTHORITY_INVALID
	at SimpleURLLoaderWrapper.<anonymous> (node:electron/js2c/utility_init:2:10511)
	at SimpleURLLoaderWrapper.emit (node:events:524:28)

Sending GET request to https://update.code.visualstudio.com using fetch from Node.js...
Received response:
- Status: 200 OK

Sending GET request to https://update.code.visualstudio.com using fetch from Node.js (allow HTTP2)...
Received response:
- Status: 200 OK

datenimperator avatar May 23 '25 08:05 datenimperator

I also tried with https://marketplace.visualstudio.com/items?itemName=pharndt.node-extra-ca-certs-vscode disabled - same result as above.

datenimperator avatar May 23 '25 09:05 datenimperator

Make sure you have the proxy's CA certificate installed as root certificate in your OS.

On Linux (which you are using?) Electron should read /etc/ssl/certs/ca-certificates.crt (or a similar path depending on your distro).

chrmarti avatar May 30 '25 12:05 chrmarti

I'm using Linux Mint. As I wrote before:

I added an env variable NODE_EXTRA_CA_CERTS=/etc/ssl/certs/ca-certificates.crt to my profile which points to a PEM encoded collection of trusted CAs. My custom CA is included, too.

The file is really there:

$ file /etc/ssl/certs/ca-certificates.crt
/etc/ssl/certs/ca-certificates.crt: PEM certificate

It also contains my custom root CA. Applications linked to OpenSSL seem to pick it up fine. If Electron actually read that file, too, it'd find the matching root certificate. Yet, it doesn't. Eg when looking for updates:

2025-05-30 15:28:43.651 [info] update#setState checking for updates
2025-05-30 15:28:43.944 [error] #10: https://update.code.visualstudio.com/api/update/linux-x64/stable/848b80aeb52026648a8ff9f7c45a9b0a80641e2e?bg=true - error undefined net::ERR_CERT_AUTHORITY_INVALID
2025-05-30 15:28:43.945 [error] Error: net::ERR_CERT_AUTHORITY_INVALID
    at SimpleURLLoaderWrapper.<anonymous> (node:electron/js2c/browser_init:2:118774)
    at SimpleURLLoaderWrapper.emit (node:events:524:28)
2025-05-30 15:28:43.945 [info] update#setState idle

datenimperator avatar May 30 '25 13:05 datenimperator

You also have to add it to the NSS DB with something like certutil -d sql:$HOME/.pki/nssdb -A -t "C,," -n "MyCustomCA" -i /path/to/ca.crt.

I was under the impression that Electron nowadays also loads /etc/ssl/certs/ca-certificates.crt, but I must have misread the docs.

chrmarti avatar Jun 03 '25 08:06 chrmarti

@chrmarti thx a lot for pointing me towards NSSDB. After adding the certificate, VScode can update without an error.

datenimperator avatar Jun 03 '25 12:06 datenimperator