Requests to servers using letsencrypt's new root certificate fail verification #134244

Closed
pbstriker38 opened this issue Sep 30, 2021 · 10 comments
Labels: electron (Issues and items related to Electron), important (Issue identified as high-priority), insiders-released (Patch has been released in VS Code Insiders), network (Network related issues), upstream-issue-fixed (The underlying upstream issue has been fixed)

Comments

@pbstriker38

Does this issue occur when all extensions are disabled?: Yes/No

  • VS Code Version: 1.60.2
  • OS Version: macOS 11.5.2

Steps to Reproduce:

Add a request to a server using a new certificate to the plugin initialization

await axios.get('https://letsencrypt.org').catch(e => console.error(e))
GET https://letsencrypt.org
/Applications/Visual Studio Code.app/Contents/Resources/app/out/bootstrap-fork.js:5
Error: certificate has expired
	at TLSSocket.onConnectSecure (_tls_wrap.js:1497:34)
	at TLSSocket.emit (events.js:315:20)
	at TLSSocket._finishInit (_tls_wrap.js:932:8)
	at TLSWrap.onhandshakedone (_tls_wrap.js:706:12)
	at TLSWrap.callbackTrampoline (internal/async_hooks.js:131:14)
/Applications/Visual Studio Code.app/Contents/Resources/app/out/bootstrap-fork.js:5
@pbstriker38
Author

This might be related
electron/electron#31213

@leon-v

leon-v commented Sep 30, 2021

Likely the same issue: #134245

deepak1556 assigned deepak1556 and unassigned Tyriar Sep 30, 2021
deepak1556 added the electron, network and upstream-issue-fixed labels Sep 30, 2021
deepak1556 added this to the September 2021 milestone Sep 30, 2021
@AlencarGabriel

For those who use GOT this may be a temporary solution, until the VSCode update comes out: sindresorhus/got#1148

@randrade23

Same issue here with an extension that I have for private use. The request now fails indicating the certificate is expired, even though the certificate was renewed today and is valid for another 3 months. It started happening this afternoon after DST Root CA X3 expired.

The certificate shows as valid when browsing with Chrome, Firefox, Edge or on a smartphone.

The following error is thrown in the VS Code developer tools menu:

stack trace: Error: certificate has expired
	at TLSSocket.onConnectSecure (_tls_wrap.js:1497:34)
	at TLSSocket.emit (events.js:315:20)
	at TLSSocket.EventEmitter.emit (domain.js:467:12)
	at TLSSocket._finishInit (_tls_wrap.js:932:8)
	at TLSWrap.ssl.onhandshakedone (_tls_wrap.js:706:12)

deepak1556 added the important label Sep 30, 2021
@Nicd

Nicd commented Oct 1, 2021

This is caused by electron/electron#31212 in Electron.

As a workaround, you can set the "preferred chain" option on the server side to prefer the ISRG root. This fixed the issue for me and I can confirm my VSCode/Atom extensions work as before after the change. See more details in this comment: electron/electron#31212 (comment)

There are also other workarounds listed in the original issue comments.

@michelkaporin
Contributor

michelkaporin commented Oct 1, 2021

@deepak1556 is it planned to backport the fix to the previous versions (before the upcoming September release) to prevent extensions from breaking on older VS Code versions? When is the September release due?

@deepak1556
Collaborator

deepak1556 commented Oct 1, 2021

The current fix is targeted for the September release which is due sometime next week and nightly insiders. I will see if we can also make a recovery release for the current stable.

@pbstriker38
Author

If anyone is using cert-manager on Kubernetes, you can update your Issuer manifest to use the preferredChain to fix this issue server side.

https://cert-manager.io/docs/configuration/acme/#use-an-alternative-certificate-chain

apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: letsencrypt
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    preferredChain: "ISRG Root X1"

You then need to reissue your certificates. This can be done with the plugin they provide or just delete the associated secret. You may then need to restart your ingress so that it picks up the new certificate.
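
A way to check the result of the server-side change described above, as an added example that is not part of the original thread: it audits a certificate chain shaped like the object Node's `tls.TLSSocket.getPeerCertificate(true)` returns and reports whether it still leads to DST Root CA X3. The function names, `example.test` and the two sample chains are constructed for illustration.

```javascript
const tls = require('tls');

const OLD_ROOT_CN = 'DST Root CA X3'; // the expired root named in this thread

// Follow issuerCertificate links; a self-signed root points back to itself.
function flattenChain(leaf) {
  const chain = [];
  for (let c = leaf; c && !chain.includes(c); c = c.issuerCertificate) chain.push(c);
  return chain;
}

// Summarise each link and report whether the chain still leads to the old root.
function auditChain(leaf, now = new Date()) {
  const links = flattenChain(leaf).map((c) => ({
    subject: c.subject.CN,
    issuer: c.issuer.CN,
    expired: new Date(c.valid_to) < now,
  }));
  const viaOldRoot = links.some((l) => l.issuer === OLD_ROOT_CN || l.subject === OLD_ROOT_CN);
  return { links, viaOldRoot };
}

// Read the chain a live server presents. Verification is off only so that a chain
// the client would reject can still be inspected; no application data is sent.
function fetchChain(host, port = 443) {
  return new Promise((resolve, reject) => {
    const opts = { host, port, servername: host, rejectUnauthorized: false };
    const sock = tls.connect(opts, () => {
      const leaf = sock.getPeerCertificate(true);
      sock.end();
      resolve(leaf);
    });
    sock.on('error', reject);
  });
}

// Constructed sample chains: CNs follow Let's Encrypt naming, dates are illustrative.
const mk = (subject, issuer, valid_to, issuerCertificate) =>
  ({ subject: { CN: subject }, issuer: { CN: issuer }, valid_to, issuerCertificate });
const crossSigned = mk('ISRG Root X1', OLD_ROOT_CN, 'Sep 30 18:14:03 2024 GMT');
const selfSigned = mk('ISRG Root X1', 'ISRG Root X1', 'Jun 14 11:04:38 2035 GMT');
selfSigned.issuerCertificate = selfSigned;
const r3 = (root) => mk('R3', 'ISRG Root X1', 'Sep 15 16:00:00 2025 GMT', root);
const defaultChain = mk('example.test', 'R3', 'Dec 29 12:00:00 2021 GMT', r3(crossSigned));
const preferredChain = mk('example.test', 'R3', 'Dec 29 12:00:00 2021 GMT', r3(selfSigned));

const when = new Date('2021-10-01T00:00:00Z'); // the day after the root expired
console.log(auditChain(defaultChain, when));
console.log(auditChain(preferredChain, when));
```

In the constructed default chain none of the served certificates is itself expired, yet the chain still leads to the old root. Against a real server, `fetchChain(host).then(auditChain)` is expected to report `viaOldRoot: false` once the certificate has been reissued with the preferred chain.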

@pcj

pcj commented Oct 19, 2021

Thanks @pbstriker38 that worked!

@AlencarGabriel

This issue reoccurred in version 1.62.1.
