-
Notifications
You must be signed in to change notification settings - Fork 29.6k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Requests to servers using letsencrypt's new root certificate fail verifiction #134244
Comments
This might be related |
Likely the same issue: #134245 |
For those who use GOT this may be a temporary solution, until the VSCode update comes out: sindresorhus/got#1148 |
Same issue here with an extension that I have for private use. The request now fails indicating the certificate is expired, even though the certificate was renewed today and is valid for another 3 months. It started happening this afternoon after DST Root CA X3 expired. The certificate shows as valid when browsing with Chrome, Firefox, Edge or on a smartphone. The following error is thrown in the VS Code developer tools menu:
|
This is caused by electron/electron#31212 in Electron. As a workaround, you can set the "preferred chain" option on the server side to prefer the ISRG root. This fixed the issue for me and I can confirm my VSCode/Atom extensions work as before after the change. See more details in this comment: electron/electron#31212 (comment) There are also other workarounds listed in the original issue comments. |
@deepak1556 is it planned to backport the fix to the previous versions (before the upcoming September release) to prevent extensions from breaking on older VS Code versions? When is September release due? |
The current fix is targeted for the September release which is due sometime next week and nightly insiders. I will see if we can also make a recovery release for the current stable. |
If anyone is using cert-manager on kubernetes, you can update your Issuer manifest to use the https://cert-manager.io/docs/configuration/acme/#use-an-alternative-certificate-chain apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
name: letsencrypt
spec:
acme:
server: https://acme-v02.api.letsencrypt.org/directory
preferredChain: "ISRG Root X1" You then need to reissue your certificates. This can be done with the plugin they provide or just delete the associated secret. You may then need to restart your ingress so that it picks up the new certificate. |
Thanks @pbstriker38 that worked! |
This issue reoccurred in version 1.62.1. |
Does this issue occur when all extensions are disabled?: Yes/No
Steps to Reproduce:
Add a request to a server using a new certificate to the plugin initialization
The text was updated successfully, but these errors were encountered: