Requests to servers using letsencrypt's new root certificate fail verifiction

[pbstriker38]

Does this issue occur when all extensions are disabled?: Yes/No

• VS Code Version: 1.60.2
• OS Version: macOS 11.5.2

Steps to Reproduce:

Add a request to a server using a new certificate to the plugin initialization

await axios.get('https://letsencrypt.org').catch(e => console.error(e))

GET https://letsencrypt.org
/Applications/Visual Studio Code.app/Contents/Resources/app/out/bootstrap-fork.js:5
Error: certificate has expired
	at TLSSocket.onConnectSecure (_tls_wrap.js:1497:34)
	at TLSSocket.emit (events.js:315:20)
	at TLSSocket._finishInit (_tls_wrap.js:932:8)
	at TLSWrap.onhandshakedone (_tls_wrap.js:706:12)
	at TLSWrap.callbackTrampoline (internal/async_hooks.js:131:14)
/Applications/Visual Studio Code.app/Contents/Resources/app/out/bootstrap-fork.js:5

[pbstriker38]

This might be related
electron/electron#31213

[leon-v]

Likely the same issue: #134245

[AlencarGabriel]

For those who use GOT this may be a temporary solution, until the VSCode update comes out: sindresorhus/got#1148

[randrade23]

Same issue here with an extension that I have for private use. The request now fails indicating the certificate is expired, even though the certificate was renewed today and is valid for another 3 months. It started happening this afternoon after DST Root CA X3 expired.

The certificate shows as valid when browsing with Chrome, Firefox, Edge or on a smartphone.

The following error is thrown in the VS Code developer tools menu:

stack trace: Error: certificate has expired at TLSSocket.onConnectSecure (_tls_wrap.js:1497:34) at TLSSocket.emit (events.js:315:20) at TLSSocket.EventEmitter.emit (domain.js:467:12) at TLSSocket._finishInit (_tls_wrap.js:932:8) at TLSWrap.ssl.onhandshakedone (_tls_wrap.js:706:12)

[Nicd]

This is caused by electron/electron#31212 in Electron.

As a workaround, you can set the "preferred chain" option on the server side to prefer the ISRG root. This fixed the issue for me and I can confirm my VSCode/Atom extensions work as before after the change. See more details in this comment: electron/electron#31212 (comment)

There are also other workarounds listed in the original issue comments.

[michelkaporin]

@deepak1556 is it planned to backport the fix to the previous versions (before the upcoming September release) to prevent extensions from breaking on older VS Code versions? When is September release due?

[deepak1556]

The current fix is targeted for the September release which is due sometime next week and nightly insiders. I will see if we can also make a recovery release for the current stable.

[pbstriker38]

If anyone is using cert-manager on kubernetes, you can update your Issuer manifest to use the preferredChain to fix this issue server side.

https://cert-manager.io/docs/configuration/acme/#use-an-alternative-certificate-chain

apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: letsencrypt
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    preferredChain: "ISRG Root X1"

You then need to reissue your certificates. This can be done with the plugin they provide or just delete the associated secret. You may then need to restart your ingress so that it picks up the new certificate.

[pcj]

Thanks @pbstriker38 that worked!

[AlencarGabriel]

This issue reoccurred in version 1.62.1.