Remote extension installation ignores proxy settings

[Rhahkeem]

We have written the needed data into your clipboard because it was too large to send. Please paste.

Issue Type: Bug

I'm behind a company proxy so I usually need to add these settings when installing something for VScode.
When trying to install an extension in my container by using the .devcontainer.json file

{
    "dockerFile": "Dockerfile",
    "extensions": [
        "ms-vscode.cpptools"
    ],
    "runArgs": [
        "--cap-add=SYS_PTRACE",
        "--security-opt",
        "seccomp=unconfined"
    ],
    "settings": {
        "http.proxyStrictSSL": false,
        "http.proxy": "http://myproxy.com:81"
    }
}

Fails to actually use these settings or my own vscode settings to install through the proxy. From what I can tell these settings only apply within the container to install anything supplementary used by the extension (ie C++ needs to install 4 extra things). Weirdly if I try to install via the UI it works with no issue.
I think the codepath to install extensions within the container isn't respecting any proxy settings set in VSCode itself.
From the trace it also looks like it tries to install the extension via an IP Address instead of a url which is also explicitly blocked on our end.

When adding exports to my container

ENV http_proxy=http://myproxy.com:81 \
       https_proxy=http://myproxy.com:81

I get an error self signed certificate in certificate chain :-(

Extension version: 0.66.0
VS Code version: Code 1.36.1 (2213894ea0415ee8c85c5eea0d0ff81ecc191529, 2019-07-08T22:56:38.504Z)
OS version: Darwin x64 18.6.0
Remote OS version: Linux x64 4.9.125-linuxkit

System Info

Item	Value
CPUs	Intel(R) Core(TM) i7-4870HQ CPU @ 2.50GHz (8 x 2500)
GPU Status	2d_canvas: enabled flash_3d: enabled flash_stage3d: enabled flash_stage3d_baseline: enabled gpu_compositing: enabled multiple_raster_threads: enabled_on native_gpu_memory_buffers: enabled oop_rasterization: disabled_off protected_video_decode: unavailable_off rasterization: enabled skia_deferred_display_list: disabled_off skia_renderer: disabled_off surface_synchronization: enabled_on video_decode: enabled viz_display_compositor: disabled_off webgl: enabled webgl2: enabled
Load (avg)	4, 3, 4
Memory (System)	16.00GB (0.02GB free)
Process Argv	-psn_0_2970325
Screen Reader	no
VM	33%

Item	Value
Remote	Dev Container
OS	Linux x64 4.9.125-linuxkit
CPUs	Intel(R) Core(TM) i7-4870HQ CPU @ 2.50GHz (4 x 2492)
Memory (System)	5.82GB (1.84GB free)
VM	0%

[bsoudan]

Having the same issue, behind a MITM SSL proxy. Extra certificates are in fact installed in the container, and if I use a shell from inside the container, I can wget/curl https:// URLs just fine.

#587 is the exact problem I am seeing, but it was closed for some reason.

[d-little]

Similar boat, container builds successfully and then hangs on TLSSocket errors when attempting to 'Install VS Code Server'

Run: docker exec <hash1> /bin/sh -c set -o noclobber ; mkdir -p '/root/.vscode-server/data/Machine' && { > '/root/.vscode-server/data/Machine/.copyGitConfigMarker' ; } 2> /dev/null
Run: docker exec <hash1> test -e /root/.gitconfig
Run: docker cp C:\Users\user\.gitconfig <hash1>:/root/.gitconfig --follow-link
Run: docker exec -w /root -u root <hash1> chown root:0 /root/.gitconfig
Run: docker exec <hash1> test -d /root/.vscode-server/bin/2213894ea0415ee8c85c5eea0d0ff81ecc191529
Installing VS Code Server for commit 2213894ea0415ee8c85c5eea0d0ff81ecc191529
Run: docker exec <hash1> mkdir -p /root/.vscode-server/bin/2213894ea0415ee8c85c5eea0d0ff81ecc191529_1563393277475
Error: unable to get local issuer certificate
        at TLSSocket.onConnectSecure (_tls_wrap.js:1049:34)
        at TLSSocket.emit (events.js:182:13)
        at TLSSocket._finishInit (_tls_wrap.js:631:8)

[jabbera]

This isn't happening from in the container. VSCode is trying to download this file to your host, then copy it to the container. Setting: NODE_TLS_REJECT_UNAUTHORIZED=0 sorts it, but is horribly insecure.

[Rhahkeem]

This isn't happening from in the container.

Probably not. But the fact I can't install using the .devcontainer.json but can do it via the UI shows there's definitely 2 different code paths being taken.

Without setting the proxies in the container I just get

connect ECONNREFUSED 13.107.42.18:443

[Rhahkeem]

Was able to also reproduce this error when running on Windows.

[midacts]

I'm getting this error as well.

Extension version: 0.66.0
VS Code version: Code 1.36.1

[sandy081]

Weirdly if I try to install via the UI it works with no issue.

Looks like the container spinning up is not updating the settings before installing extensions.

[jabbera]

The issue is vscode does not respect the windows certificate store, it uses the node built in one and it doesn't support NODE_EXTRA_CA_CERTS:

electron/electron#10257 (comment)

If you set: NODE_TLS_REJECT_UNAUTHORIZED=0 it will download, but now I've just invalidated all of node TLS security./

[Rhahkeem]

Yupp @jabbera. Found that to be the case as well. On MacOS I just had to set the ENV NODE_EXTRA_CA_CERTS=/path/to/certs in my Dockerfile. On Windows I had to set NODE_TLS_REJECT_UNAUTHORIZED to 0. 👎

[EricHripko]

Just to clarify: On Windows you need both NODE_EXTRA_CA_CERTS inside the container and NODE_TLS_REJECT_UNAUTHORIZED natively on Windows in order for Remote Container to boot up and install extensions successfully.

[midacts]

I might have done something wrong but I tried your steps with no avail.

On my Windows laptop i set this env variable as a system env variable
NODE_TLS_REJECT_UNAUTHORIZED = 0

PowerShell example:
[Environment]::SetEnvironmentVariable("NODE_TLS_REJECT_UNAUTHORIZED", "0", "Machine")

On the ubuntu container:
apt-get update && apt-get install ca-certificates
export NODE_EXTRA_CA_CERTS=/etc/ssl/certs/ca-certificates.crt

[sharpninja]

I can confirm that export NODE_EXTRA_CA_CERTS=/etc/ssl/certs/ca-certificats.crt in my .bashrc file works to fix this problem.

[chrmarti]

@sandy081 The main issue here is that the CLI used to install the extensions listed in the devcontainer.json does not support proxies and custom certificates the same way we do for extensions or the UI. We could look into reusing the implementation we have for the extension host.

@Rhahkeem Which cases start working by setting NODE_EXTRA_CA_CERTS / NODE_TLS_REJECT_UNAUTHORIZED? The UI?

[jabbera]

We have a MITM firewall, not a proxy, and everything works fine if I set NODE_TLS_REJECT_UNAUTHORIZED=0 on my host and copy my certs to the container and set: NODE_EXTRA_CA_CERTS in the container and run update-ca-certificates. (Windows 10 host, Debian Linux image).

I’d be happy if the NODE_EXTRA_CA_CERTS worked on the host instead of having to straight up disable TLS auth.

[chrmarti]

Loading certificates from the OS was broken on Windows (microsoft/vscode#79044). That is fixed in the latest Insiders build.

What remains is the missing support for loading certificates from the OS in the CLI that installs the extensions listed in the devcontainer.json.

[midacts]

I am no longer getting the certificate error i had been getting once I upgraded to vscode 1.37.1

[jasonwilliams]

@chrmarti has there been any change in the priority of this issue?

[calcazar]

I'm getting the following:

Extension host agent listening on 41867

[01:40:44] Extension host agent started.
Installing extensions...
[01:40:44] Error: unable to get local issuer certificate
    at TLSSocket.onConnectSecure (_tls_wrap.js:1321:34)
    at TLSSocket.emit (events.js:223:5)
    at TLSSocket._finishInit (_tls_wrap.js:794:8)
    at TLSWrap.ssl.onhandshakedone (_tls_wrap.js:608:12) {
  code: 'UNABLE_TO_GET_ISSUER_CERT_LOCALLY'

when running the below in a docker container. The below is what VS code is automatically when starting up the development container

/root/.vscode-server/bin/ea3859d4ba2f3e577a159bc91e3074c5d85c0523/server.sh --force-disable-user-env --use-host-proxy --port 0 --extensions-download-dir /root/.vscode-server/extensionsCache --install-extension esbenp.prettier-vscode --start-server

[agucova]

I'm getting the exact same error under a normal connection (no proxy, no anything). I tried setting NODE_TLS_REJECT_UNAUTHORIZED in the host, setting up NODE_EXTRA_CA_CERTS on the Ubuntu container and updating the CA certificates with no avail.

Downloading VS Code Server
Error: unable to get local issuer certificate
        at TLSSocket.onConnectSecure (_tls_wrap.js:1321:34)
        at TLSSocket.emit (events.js:223:5)
        at TLSSocket._finishInit (_tls_wrap.js:794:8)
        at TLSWrap.ssl.onhandshakedone (_tls_wrap.js:608:12)

Remote Containers v0.154.1 and VSCode 1.52.1 under Ubuntu Desktop 20.10.

[abid-mujtaba]

Seeing the same in VS Code 1.55.0 behind a corporate proxy:

Error: connect ECONNREFUSED 13.107.42.18:443
    at TCPConnectWrap.afterConnect [as oncomplete] (net.js:1141:16) {
  errno: 'ECONNREFUSED',
  code: 'ECONNREFUSED',
  syscall: 'connect',
  address: '13.107.42.18',
  port: 443
}

Works via the UI.

[chrmarti]

@abid-mujtaba That is a different issue. Please check if VS Code 1.55.1 fixes it and file a new issue if it doesn't: https://github.com/microsoft/vscode/issues

[abid-mujtaba]

Thanks @chrmarti. Can confirm that updating to 1.55.1 fixed my issue.

[lavaude]

Not sure if this is related, the message received on our side is a tiny bit different:

Start: Downloading VS code server
Error: certificate signature failure
    at TLSSocket.onConnectSecure (_tls_wrap.js:1501:34)
    ...

Same error whether we connect to WSL2 or a running docker container.
We are behind corporate proxy with authentication, as well as our own extra certificates.

[chrmarti]

@lavaude Could you open a new issue? This looks like a different problem. Thanks.

[lucaspeixotot]

I'm getting the exact same error under a normal connection (no proxy, no anything). I tried setting NODE_TLS_REJECT_UNAUTHORIZED in the host, setting up NODE_EXTRA_CA_CERTS on the Ubuntu container and updating the CA certificates with no avail.

Downloading VS Code Server
Error: unable to get local issuer certificate
        at TLSSocket.onConnectSecure (_tls_wrap.js:1321:34)
        at TLSSocket.emit (events.js:223:5)
        at TLSSocket._finishInit (_tls_wrap.js:794:8)
        at TLSWrap.ssl.onhandshakedone (_tls_wrap.js:608:12)

Remote Containers v0.154.1 and VSCode 1.52.1 under Ubuntu Desktop 20.10.

The same error here, someone knows how to fix it? I tried setting the env variables but it didn't work. My error is when I'm using remote-ssh to a remote development, from windows to Linux. My corporation uses the ZScaler.

[EricHripko]

My issue got about Remote - SSH (#5727) got merged into this one. I can see that folks here have found workarounds for container workflows, does anyone have any suggestions for Remote - SSH ones?

[EricHripko]

In terms of Remote - SSH workflow, something must've changed in 1.62.0 version of VS Code. It now appears to correctly follow http.proxy* settings in Remote Settings.

[rijulg]

What finally resolved the issue for me was setting Http: Proxy Support http.proxySupport to on