[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
To complete the pull request process, please assign corneliusludmann, geropl after the PR has been reviewed.
You can assign the PR to them by writing /assign @corneliusludmann @geropl in a comment when ready.

Associated issue: #5872

The full list of commands accepted by this bot can be found here.

/werft run

👍 started the job as gitpod-build-pd-local-app-add-other-arch-support-fork.0

@iQQBot I tried to run the build but it fails: https://werft.gitpod-dev.com/job/gitpod-build-pd-local-app-add-other-arch-support-fork.0

@iQQBot I tried to run the build but it fails: https://werft.gitpod-dev.com/job/gitpod-build-pd-local-app-add-other-arch-support-fork.0

I will take a look

@akosyakov The two problems above have been fixed, please try the build again

/werft run

👍 started the job as gitpod-build-pd-local-app-add-other-arch-support-fork.1

Codecov Report

Merging #5944 (26618a7) into main (fad83ab) will not change coverage.
The diff coverage is n/a.

❗ Current head 26618a7 differs from pull request most recent head ac3f037. Consider uploading reports for the commit ac3f037 to get more accurate results

@@           Coverage Diff           @@
##             main    #5944   +/-   ##
=======================================
  Coverage   19.04%   19.04%           
=======================================
  Files           2        2           
  Lines         168      168           
=======================================
  Hits           32       32           
  Misses        134      134           
  Partials        2        2           

Flags with carried forward coverage won't be shown. Click here to find out more.

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update fad83ab...ac3f037. Read the comment docs.

@jeanp413 @filiptronicek Could you please check that you can still open a workspace in VS Code Desktop with this PR? I need to verify backward compatibility on linux and windows.

I failed to open it on Mac getting:

[10/4/2021, 8:42:47 AM] failed to open uri: FetchError: request to https://pd-local-app-add-other-arch-support-fork.staging.gitpod-dev.com/static/bin/gitpod-local-companion-darwin failed, reason: certificate has expired

@iQQBot I checked internally and the certificate is valid, also I validated with other envs that VS Code Desktop is still working. It seems to be broken only with this PR.

Is your time error ? @akosyakov

use curl download is ok

This PR does not modify anything related to the certificate

Please ping me when its ready and you need my review

Please ping me when its ready and you need my review

I can't test in dev environment

/werft run

👍 started the job as gitpod-build-pd-local-app-add-other-arch-support-fork.2

@akosyakov works for me in vscode insiders on Ubuntu

I am trying to test on Windows, but still keep running into the certificate error, @akosyakov do you know of any way to circumvent / get rid of this error at least for testing?

It seem a bug fromvscode and let's encrypt, since DST Root CA X3 Expiration is expire on Sep. 30
you can use a proxy with mitm to bypass it @akosyakov @filiptronicek

you can see it
and gitpod.io is not using let's encrypt, so there is no problem

if you can modify kubernetes cluster, you can find cert and delete last chain like this

which is a cross-signed ROOT CA, it direct trust in popular system

after delete , you will got

and it works!

@akosyakov @filiptronicek

/werft run

👍 started the job as gitpod-build-pd-local-app-add-other-arch-support-fork.3

@meysholdt remember to delete last CA chain

I'm trying to understand where the outdated letsencrypt cert comes from. I can't reproduce it by running curl https://pd-local-app-add-other-arch-support-fork.staging.gitpod-dev.com/static/bin/gitpod-local-companion-darwin --output foo.bin

How can I reproduce it?

use openssl s_client -connect pd-local-app-add-other-arch-support-fork.staging.gitpod-dev.com:443 @meysholdt

and more document is here https://letsencrypt.org/certificates/

because the automatic generate cert is full chain, site cert + IntermediateCA + rootCA
but let's encrypt rootCA is using a expire Cross Signing, in some version openssl library, it cause error
Considering that new root CA certificates have been built into the mainstream operating systems, deleting the redundant and problematic root CA directly in the certificate chain can solve this problem

@meysholdt i made #6043 PR to delete rootCA section

@akosyakov @filiptronicek @meysholdt certificate issue has been resolved by #6043 (comment)

You can build again to use new certificate

/werft run

👍 started the job as gitpod-build-pd-local-app-add-other-arch-support-fork.4

@iQQBot I changed the PR description that issues does not get closed till we actually update docs and VS Code extension.

@meysholdt @aledbf I still get the same errors. Should we rebase the PR on main?

@akosyakov Can you send tls.crt ? Let's see what the problem is.
in openssl there still have 3 chain

and I rebase the PR on main

/werft run

👍 started the job as gitpod-build-pd-local-app-add-other-arch-support-fork.5

still have problem in dev

@aledbf

you can manual fix this by #5944 (comment) just for this test.

but it not a problem on gitpod.io which is not use let's encrypt

/werft run

👍 started the job as gitpod-build-pd-local-app-add-other-arch-support-fork.6

I notice the cert is signed at Oct 4 05:35:09 2021 GMT

For the same domain name cert-manage does not generate a new certificate, so the new policy cannot be applied
This may require manual actions to remove the root CA or regenerate a new certificate

@aledbf @akosyakov

@iQQBot Could you try to create another PR from another branch?

@akosyakov of course

@akosyakov new PR is #6064