Skip expired certificates from the OS #184271

Closed
Tracked by #189320
cydhhp opened this issue Jun 4, 2023 · 23 comments
Labels: author-verification-requested (Issues potentially verifiable by issue author), bug (Issue identified by VS Code Team member as probable bug), proxy (Issues regarding network proxies), verified (Verification succeeded)


cydhhp commented Jun 4, 2023

Hi,

according to
https://github.com/microsoft/pylance-release/issues/4443#issuecomment-1572595906
Screenshot 2023-06-04 21 36 44

so I created a new issue, not a duplicate of https://github.com/microsoft/vscode/issues/183546#issuecomment-1565902320
Screenshot 2023-06-04 21 35 26

Please don't close it again.

Type: Bug

VSCode can't login

Step:
click login > Microsoft > Edge > login > success,
But always not!

Here is the log
2023-05-26 21:57:58.847 [error] Network failure: Error: Network failure
at f.G (/Applications/Visual Studio Code.app/Contents/Resources/app/extensions/microsoft-authentication/dist/extension.js:2:556571)
at processTicksAndRejections (node:internal/process/task_queues:96:5)
at f.F (/Applications/Visual Studio Code.app/Contents/Resources/app/extensions/microsoft-authentication/dist/extension.js:2:555729)
at f.p (/Applications/Visual Studio Code.app/Contents/Resources/app/extensions/microsoft-authentication/dist/extension.js:2:549116)
at f.createSession (/Applications/Visual Studio Code.app/Contents/Resources/app/extensions/microsoft-authentication/dist/extension.js:2:548195)
at Object.createSession (/Applications/Visual Studio Code.app/Contents/Resources/app/extensions/microsoft-authentication/dist/extension.js:2:988955)

2023-05-26 22:13:36.139 [error] SyntaxError: Unexpected token '�', "��p[*���PC"... is not valid JSON
at JSON.parse ()
at e.MainThreadSecretState.$getPassword (vscode-file://vscode-app/Applications/Visual%20Studio%20Code.app/Contents/Resources/app/out/vs/workbench/workbench.desktop.main.js:1525:48130)
VS Code version: Code 1.78.2 (Universal) (https://github.com/microsoft/vscode/commit/b3e4e68a0bc097f0ae7907b217c1119af9e03435, 2023-05-10T14:44:45.204Z)
OS version: Darwin x64 19.6.0
Modes:
Sandboxed: Yes

Even after cleaning the browser cache, still error.

2023-05-29 21:36:30.596 [info] Getting sessions for the following scopes: email offline_access openid profile
2023-05-29 21:36:30.596 [trace] No session found with idtoken scopes... Using fallback scope list of: email offline_access openid profile
2023-05-29 21:36:30.596 [info] Got 0 sessions for scopes: email offline_access openid profile
2023-05-29 21:36:36.037 [info] Logging in for the following scopes: email offline_access openid profile
2023-05-29 21:36:41.136 [info] Exchanging login code for token for scopes: email offline_access openid profile
2023-05-29 21:36:46.381 [error] Fetching token failed for scopes (email offline_access openid profile): request to https://login.microsoftonline.com/organizations/oauth2/v2.0/token failed, reason: certificate has expired
2023-05-29 21:36:46.381 [error] Error exchanging code for token (for scopes email offline_access openid profile): Error: Network failure
2023-05-29 21:36:46.381 [error] Error creating session for scopes: email offline_access openid profile Error: Error: Network failure
2023-05-29 21:37:21.044 [error] Fetching token failed for scopes (email offline_access openid profile): request to https://login.microsoftonline.com/organizations/oauth2/v2.0/token failed, reason: certificate has expired
2023-05-29 21:37:21.044 [error] Error exchanging code for token (for scopes email offline_access openid profile): Error: Network failure
2023-05-29 21:37:21.044 [error] Error creating session for scopes: email offline_access openid profile Error: Error: Network failure
2023-05-29 21:37:51.804 [error] Fetching token failed for scopes (email offline_access openid profile): request to https://login.microsoftonline.com/organizations/oauth2/v2.0/token failed, reason: certificate has expired
2023-05-29 21:37:51.804 [error] Error exchanging code for token (for scopes email offline_access openid profile): Error: Network failure
2023-05-29 21:37:51.804 [error] Error creating session for scopes: email offline_access openid profile Error: Error: Network failure
2023-05-29 21:39:21.684 [info] Getting sessions for the following scopes: email offline_access openid profile
2023-05-29 21:39:21.684 [trace] No session found with idtoken scopes... Using fallback scope list of: email offline_access openid profile
2023-05-29 21:39:21.684 [info] Got 0 sessions for scopes: email offline_access openid profile
2023-05-29 21:39:24.955 [info] Logging in for the following scopes: email offline_access openid profile
2023-05-29 21:39:32.391 [info] Exchanging login code for token for scopes: email offline_access openid profile
2023-05-29 21:40:43.049 [error] Fetching token failed for scopes (email offline_access openid profile): request to https://login.microsoftonline.com/organizations/oauth2/v2.0/token failed, reason: certificate has expired

I tried everything from the other solutions.

If I uninstall, reboot and install,
it always shows this, but this is before settings
image

always

reason: certificate has expired
But the keychain has nothing about vscode (deleted before)

Thanks a lot.

Contributor

chrmarti commented Jun 5, 2023

Could you install the Network Proxy Test extension (https://marketplace.visualstudio.com/items?itemName=chrmarti.network-proxy-test) and check the output of F1 > Network Proxy Test: Test Connection in VS Code? Use https://login.microsoftonline.com/organizations/oauth2/v2.0/token as the URL when prompted.

If you cannot install the extension through the Extensions viewlet in VS Code, you can use the Download Extension link on the above linked page and then install the downloaded VSIX with F1 > Extensions: Install VSIX....

chrmarti added the info-needed (Issue requires more information from poster) label Jun 5, 2023

Author

cydhhp commented Jun 6, 2023

@chrmarti

Hi

Network Proxy Test: Test Connection
Note: Make sure to replace all sensitive information with dummy values before sharing this output.

VS Code 1.78.2 (b3e4e68)
Network Proxy Test 0.0.7
darwin 19.6.0 x64

Settings:

  • http.proxy:
  • http.proxyAuthorization: null
  • http.proxyStrictSSL: true
  • http.proxySupport: override
  • http.systemCertificates: true

Environment variables:

Sending GET request to https://example.com...
vscode-proxy-agent: DIRECT
Received response:

  • Status: 200 OK
    Certificate chain:
  • Subject: www.example.org (Internet Corporation for Assigned Names and Numbers)

========================================================================
Network Proxy Test: Test Connection (allowing unauthorized)
Note: Make sure to replace all sensitive information with dummy values before sharing this output.

VS Code 1.78.2 (b3e4e68)
Network Proxy Test 0.0.7
darwin 19.6.0 x64

Settings:

  • http.proxy:
  • http.proxyAuthorization: null
  • http.proxyStrictSSL: true
  • http.proxySupport: override
  • http.systemCertificates: true

Environment variables:

Sending GET request to https://example.com (allowing unauthorized)...
vscode-proxy-agent: DIRECT
Received response:

  • Status: 200 OK
  • Subject: www.example.org (Internet Corporation for Assigned Names and Numbers)

========================================================================
https://login.microsoftonline.com/organizations/oauth2/v2.0/token
Note: Make sure to replace all sensitive information with dummy values before sharing this output.

VS Code 1.78.2 (b3e4e68)
Network Proxy Test 0.0.7
darwin 19.6.0 x64

Settings:

  • http.proxy:
  • http.proxyAuthorization: null
  • http.proxyStrictSSL: true
  • http.proxySupport: override
  • http.systemCertificates: true

Environment variables:

Sending GET request to https://login.microsoftonline.com/organizations/oauth2/v2.0/token...
vscode-proxy-agent: DIRECT
Received error: certificate has expired (CERT_HAS_EXPIRED)
Retrying while ignoring certificate issues to collect information on the certificate chain.

Sending GET request to https://login.microsoftonline.com/organizations/oauth2/v2.0/token (allowing unauthorized)...
vscode-proxy-agent: DIRECT
Received response:

  • Status: 200 OK
    Certificate chain:
  • Subject: stamp2.login.microsoftonline.com (Microsoft Corporation)

Contributor

chrmarti commented Jun 7, 2023

The extension fails to log the entire "Certificate chain", is there anything in the Extension Host output channel indicating a problem? (F1 > Output: Show Output Channels... > Extension Host)

Author

cydhhp commented Jun 9, 2023

@chrmarti

Sorry, it's too long, so I copied part.

=================================================================

Network Proxy Test: Test Connection

Note: Make sure to replace all sensitive information with dummy values before sharing this output.

VS Code 1.78.2 (b3e4e68)
Network Proxy Test 0.0.7
darwin 19.6.0 x64

Settings:

  • http.proxy:
  • http.proxyAuthorization: null
  • http.proxyStrictSSL: true
  • http.proxySupport: override
  • http.systemCertificates: true

Environment variables:

Sending GET request to https://example.com...
vscode-proxy-agent: DIRECT
Received response:

  • Status: 200 OK
    Certificate chain:
  • Subject: www.example.org (Internet Corporation for Assigned Names and Numbers)
    Subject alt: DNS:www.example.org, DNS:example.net, DNS:example.edu, DNS:example.com, DNS:example.org, DNS:www.example.com, DNS:www.example.edu, DNS:www.example.net
    Validity: Jan 13 00:00:00 2023 GMT - Feb 13 23:59:59 2024 GMT
    Fingerprint: F2:AA:D7:3D:32:68:3B:71:6D:2A:7D:61:B5:1C:6D:57:64:AB:38:99
  • Subject: DigiCert TLS RSA SHA256 2020 CA1 (DigiCert Inc)
    Validity: Apr 14 00:00:00 2021 GMT - Apr 13 23:59:59 2031 GMT
    Fingerprint: 1C:58:A3:A8:51:8E:87:59:BF:07:5B:76:B7:50:D4:F2:DF:26:4F:CD
  • Subject: DigiCert Global Root CA (DigiCert Inc)
    Validity: Nov 10 00:00:00 2006 GMT - Nov 10 00:00:00 2031 GMT
    Fingerprint: A8:98:5D:3A:65:E5:E5:C4:B2:D7:D6:6D:40:C6:DD:2F:B1:9C:54:36
    Self-signed
    Local root certificates:
  • Subject: C=US O=DigiCert Inc OU=www.digicert.com CN=DigiCert Global Root CA
    Validity: Nov 10 00:00:00 2006 GMT - Nov 10 00:00:00 2031 GMT
    Fingerprint: A8:98:5D:3A:65:E5:E5:C4:B2:D7:D6:6D:40:C6:DD:2F:B1:9C:54:36
    Issuer: C=US O=DigiCert Inc OU=www.digicert.com CN=DigiCert Global Root CA
    ========================================================================

Network Proxy Test: Test Connection (allowing unauthorized)

Note: Make sure to replace all sensitive information with dummy values before sharing this output.

VS Code 1.78.2 (b3e4e68)
Network Proxy Test 0.0.7
darwin 19.6.0 x64

Settings:

  • http.proxy:
  • http.proxyAuthorization: null
  • http.proxyStrictSSL: true
  • http.proxySupport: override
  • http.systemCertificates: true

Environment variables:

Sending GET request to https://example.com (allowing unauthorized)...
vscode-proxy-agent: DIRECT
Received response:

  • Status: 200 OK
    Certificate chain:
  • Subject: www.example.org (Internet Corporation for Assigned Names and Numbers)
    Subject alt: DNS:www.example.org, DNS:example.net, DNS:example.edu, DNS:example.com, DNS:example.org, DNS:www.example.com, DNS:www.example.edu, DNS:www.example.net
    Validity: Jan 13 00:00:00 2023 GMT - Feb 13 23:59:59 2024 GMT
    Fingerprint: F2:AA:D7:3D:32:68:3B:71:6D:2A:7D:61:B5:1C:6D:57:64:AB:38:99
  • Subject: DigiCert TLS RSA SHA256 2020 CA1 (DigiCert Inc)
    Validity: Apr 14 00:00:00 2021 GMT - Apr 13 23:59:59 2031 GMT
    Fingerprint: 1C:58:A3:A8:51:8E:87:59:BF:07:5B:76:B7:50:D4:F2:DF:26:4F:CD
  • Subject: DigiCert Global Root CA (DigiCert Inc)
    Validity: Nov 10 00:00:00 2006 GMT - Nov 10 00:00:00 2031 GMT
    Fingerprint: A8:98:5D:3A:65:E5:E5:C4:B2:D7:D6:6D:40:C6:DD:2F:B1:9C:54:36
    Self-signed
    Local root certificates:
  • Subject: C=US O=DigiCert Inc OU=www.digicert.com CN=DigiCert Global Root CA
    Validity: Nov 10 00:00:00 2006 GMT - Nov 10 00:00:00 2031 GMT
    Fingerprint: A8:98:5D:3A:65:E5:E5:C4:B2:D7:D6:6D:40:C6:DD:2F:B1:9C:54:36
    Issuer: C=US O=DigiCert Inc OU=www.digicert.com CN=DigiCert Global Root CA

========================================================================
Network Proxy Test: https://login.microsoftonline.com/organizations/oauth2/v2.0/token

Note: Make sure to replace all sensitive information with dummy values before sharing this output.

VS Code 1.78.2 (b3e4e68)
Network Proxy Test 0.0.7
darwin 19.6.0 x64

Settings:

  • http.proxy:
  • http.proxyAuthorization: null
  • http.proxyStrictSSL: true
  • http.proxySupport: override
  • http.systemCertificates: true

Environment variables:

Sending GET request to https://login.microsoftonline.com/organizations/oauth2/v2.0/token...
vscode-proxy-agent: DIRECT
Received error: certificate has expired (CERT_HAS_EXPIRED)
Retrying while ignoring certificate issues to collect information on the certificate chain.

Sending GET request to https://login.microsoftonline.com/organizations/oauth2/v2.0/token (allowing unauthorized)...
vscode-proxy-agent: DIRECT
Received response:

  • Status: 200 OK
    Certificate chain:
  • Subject: stamp2.login.microsoftonline.com (Microsoft Corporation)
    Subject alt: DNS:stamp2.login.microsoftonline.com, DNS:login.microsoftonline-int.com, DNS:login.microsoftonline-p.com, DNS:login.microsoftonline.com, DNS:login2.microsoftonline-int.com, DNS:login2.microsoftonline.com, DNS:loginex.microsoftonline-int.com, DNS:loginex.microsoftonline.com, DNS:stamp2.login.microsoftonline-int.com
    Validity: May 19 00:00:00 2023 GMT - May 19 23:59:59 2024 GMT
    Fingerprint: 79:85:AB:04:C1:A5:79:9E:5D:8F:A1:64:03:C4:62:DC:C6:E7:FF:CF
  • Subject: DigiCert SHA2 Secure Server CA (DigiCert Inc)
    Validity: Sep 23 00:00:00 2020 GMT - Sep 22 23:59:59 2030 GMT
    Fingerprint: 62:6D:44:E7:04:D1:CE:AB:E3:BF:0D:53:39:74:64:AC:80:80:14:2C
  • Subject: DigiCert Global Root CA (DigiCert Inc)
    Validity: Nov 10 00:00:00 2006 GMT - Nov 10 00:00:00 2031 GMT
    Fingerprint: A8:98:5D:3A:65:E5:E5:C4:B2:D7:D6:6D:40:C6:DD:2F:B1:9C:54:36
    Self-signed
    Local root certificates:
  • Subject: C=US O=DigiCert Inc OU=www.digicert.com CN=DigiCert Global Root CA
    Validity: Nov 10 00:00:00 2006 GMT - Nov 10 00:00:00 2031 GMT
    Fingerprint: A8:98:5D:3A:65:E5:E5:C4:B2:D7:D6:6D:40:C6:DD:2F:B1:9C:54:36
    Issuer: C=US O=DigiCert Inc OU=www.digicert.com CN=DigiCert Global Root CA

Contributor

chrmarti commented Jun 9, 2023

The certificate chain looks fine, it is not clear to me where the CERT_HAS_EXPIRED comes from. Could you also append the output from F1 > Network Proxy Test: Show OS Certificates?
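
A cross-check of the two outputs requested in this thread, as an added example that is not part of the thread or of the Network Proxy Test extension: it parses the extension's text format and flags OS-store certificates that are expired yet share a name with a certificate in the served chain under a different fingerprint, then applies the filter the issue title asks for. The function names and the reference time (the date of the failing log lines) are assumptions; the sample text reuses lines posted in this issue.

```javascript
// Added example; function names are hypothetical, not the extension's API.
const MONTHS = ['Jan', 'Feb', 'Mar', 'Apr', 'May', 'Jun', 'Jul', 'Aug', 'Sep', 'Oct', 'Nov', 'Dec'];

// "Mar 8 12:00:00 2023 GMT" -> epoch milliseconds (UTC); NaN when malformed.
function parseCertDate(s) {
  const m = /^(\w{3})\s+(\d{1,2}) (\d{2}):(\d{2}):(\d{2}) (\d{4}) GMT/.exec((s || '').trim());
  if (!m || !MONTHS.includes(m[1])) return NaN;
  return Date.UTC(+m[6], MONTHS.indexOf(m[1]), +m[2], +m[3], +m[4], +m[5]);
}

// Reduce both subject styles printed by the extension to a common name:
//   chain style: "DigiCert SHA2 Secure Server CA (DigiCert Inc)"
//   OS style:    "C=US O=DigiCert Inc CN=DigiCert SHA2 Secure Server CA"
function commonName(subject) {
  const cn = /(?:^| )CN=(.*?)(?= [A-Za-z]+=|$)/.exec(subject);
  return (cn ? cn[1] : subject.replace(/\s*\([^()]*\)$/, '')).trim();
}

// Parse "• Subject / Validity / Fingerprint / Issuer" entries, remembering
// which section header ("Certificate chain:", ...) each entry appeared under.
function parseCertificates(text) {
  const certs = [];
  let section = null, cur = null;
  for (const line of text.split('\n')) {
    const head = /^\s*(Certificate chain|Local root certificates|Certificates loaded from the OS)\b.*:\s*$/.exec(line);
    if (head) { section = head[1]; cur = null; continue; }
    const field = /^\s*(?:•\s*)?(Subject|Validity|Fingerprint|Issuer):\s*(.*)$/.exec(line);
    if (!field) continue;
    const [, key, value] = field;
    if (key === 'Subject') {
      cur = { section, subject: value, name: commonName(value) };
      certs.push(cur);
    } else if (cur && key === 'Validity') {
      const [from, to] = value.split(' - ');
      cur.notBefore = parseCertDate(from);
      cur.notAfter = parseCertDate(to);
    } else if (cur && key === 'Fingerprint') {
      cur.fingerprint = value.trim();
    } else if (cur) {
      cur.issuer = value.trim();
    }
  }
  return certs;
}

// Unparseable or missing dates count as expired, so such an entry is never trusted.
const isExpired = (cert, now) => !(cert.notAfter >= now);

// The filter named in the issue title: drop expired OS certificates.
function skipExpired(osCerts, now) {
  return osCerts.filter(c => !isExpired(c, now));
}

// Expired OS-store entries that share a name with a served chain certificate
// but are a different certificate (different fingerprint).
function findExpiredShadows(chainCerts, osCerts, now) {
  const findings = [];
  for (const s of chainCerts.filter(c => c.section === 'Certificate chain')) {
    for (const o of osCerts) {
      if (o.name === s.name && o.fingerprint !== s.fingerprint && isExpired(o, now)) {
        findings.push({
          name: s.name, served: s.fingerprint, local: o.fingerprint,
          localNotAfter: Number.isFinite(o.notAfter) ? new Date(o.notAfter).toISOString() : null,
        });
      }
    }
  }
  return findings;
}

// Sample input: lines copied from the outputs posted in this issue, shortened.
const CHAIN_OUTPUT = `
    Certificate chain:
  • Subject: DigiCert SHA2 Secure Server CA (DigiCert Inc)
    Validity: Sep 23 00:00:00 2020 GMT - Sep 22 23:59:59 2030 GMT
    Fingerprint: 62:6D:44:E7:04:D1:CE:AB:E3:BF:0D:53:39:74:64:AC:80:80:14:2C
  • Subject: DigiCert Global Root CA (DigiCert Inc)
    Validity: Nov 10 00:00:00 2006 GMT - Nov 10 00:00:00 2031 GMT
    Fingerprint: A8:98:5D:3A:65:E5:E5:C4:B2:D7:D6:6D:40:C6:DD:2F:B1:9C:54:36
    Local root certificates:
  • Subject: C=US O=DigiCert Inc OU=www.digicert.com CN=DigiCert Global Root CA
    Validity: Nov 10 00:00:00 2006 GMT - Nov 10 00:00:00 2031 GMT
    Fingerprint: A8:98:5D:3A:65:E5:E5:C4:B2:D7:D6:6D:40:C6:DD:2F:B1:9C:54:36
`;
const OS_OUTPUT = `
Certificates loaded from the OS (Keychain Access > Certificates > 'Several Keychains'):
  • Subject: C=US O=Apple Inc. OU=Apple Certification Authority CN=Apple Root CA
    Validity: Apr 25 21:40:36 2006 GMT - Feb 9 21:40:36 2035 GMT
    Fingerprint: 61:1E:5B:66:2C:59:3A:08:FF:58:D1:4A:E2:24:52:D1:98:DF:6C:60
  • Subject: C=SE O=AddTrust AB OU=AddTrust External TTP Network CN=AddTrust External CA Root
    Validity: May 30 10:48:38 2000 GMT - May 30 10:48:38 2020 GMT (expired)
    Fingerprint: 02:FA:F3:E2:91:43:54:68:60:78:57:69:4D:F5:E4:5B:68:85:18:68
  • Subject: C=US O=DigiCert Inc CN=DigiCert SHA2 Secure Server CA
    Validity: Mar 8 12:00:00 2013 GMT - Mar 8 12:00:00 2023 GMT (expired)
    Fingerprint: 1F:B8:6B:11:68:EC:74:31:54:06:2E:8C:9C:C5:B1:71:A4:B7:CC:B4
    Issuer: C=US O=DigiCert Inc OU=www.digicert.com CN=DigiCert Global Root CA
`;
// Assumed reference time: the day of the failing log lines (2023-05-29, UTC).
const REPORT_TIME = Date.UTC(2023, 4, 29);

console.log(findExpiredShadows(parseCertificates(CHAIN_OUTPUT), parseCertificates(OS_OUTPUT), REPORT_TIME));
```

The comparison is by name only, so a finding marks an entry worth inspecting in the keychain rather than proving which certificate the TLS stack used when it built the path.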

Author

cydhhp commented Jun 12, 2023

@chrmarti

Note: Make sure to replace all sensitive information with dummy values before sharing this output.

VS Code 1.78.2 (b3e4e68)
Network Proxy Test 0.0.7
darwin 19.6.0 x64

Certificates loaded from the OS (Keychain Access > Certificates > 'Several Keychains'):

  • Subject: CN=com.apple.ubiquity.peer-uuid.B1E91C52-FB0D-4B70-AF14-42B48C19B389 C=TW
    Validity: Jul 28 14:54:55 2012 GMT - Jul 28 14:54:55 2013 GMT (expired)
    Fingerprint: 00:05:0D:19:CC:C6:33:B2:E5:F1:1B:EC:4F:AA:85:F2:DB:22:60:65
    Issuer: CN=com.apple.ubiquity.peer-uuid.B1E91C52-FB0D-4B70-AF14-42B48C19B389 C=TW
    Key usage: 1.3.6.1.5.5.7.3.4
    Not a CA
  • Subject: C=US O=Apple Inc. OU=Apple Certification Authority CN=Apple Application Integration Certification Authority
    Validity: May 26 19:16:09 2010 GMT - Jul 26 19:16:09 2017 GMT (expired)
    Fingerprint: 0F:66:3C:38:B1:DD:9D:17:7C:D6:5B:19:CF:23:14:04:90:16:E5:CE
    Issuer: C=US O=Apple Inc. OU=Apple Certification Authority CN=Apple Root CA
  • Subject: CN=Timestamp Signer LTN O=Apple Inc. C=US
    Validity: Jun 26 21:30:26 2012 GMT - Aug 7 21:30:26 2012 GMT (expired)
    Fingerprint: E2:C6:DB:9F:EC:53:82:27:AC:65:61:47:E6:8B:A2:D2:CD:B4:19:DD
    Issuer: CN=Apple Timestamp Certification Authority OU=Apple Certification Authority O=Apple Inc. C=US
    Key usage: 1.3.6.1.5.5.7.3.8
    Not a CA
  • Subject: C=US O=Apple Inc. OU=Apple Certification Authority CN=Apple Root CA
    Validity: Apr 25 21:40:36 2006 GMT - Feb 9 21:40:36 2035 GMT
    Fingerprint: 61:1E:5B:66:2C:59:3A:08:FF:58:D1:4A:E2:24:52:D1:98:DF:6C:60
    Issuer: C=US O=Apple Inc. OU=Apple Certification Authority CN=Apple Root CA
  • Subject: CN=Apple Timestamp Certification Authority OU=Apple Certification Authority O=Apple Inc. C=US
    Validity: Apr 5 12:02:44 2012 GMT - Apr 5 12:02:44 2027 GMT
    Fingerprint: E6:37:BF:7E:6F:45:1B:9B:2A:C2:AF:4C:0B:CA:8B:D6:D0:37:73:DE
    Issuer: C=US O=Apple Inc. OU=Apple Certification Authority CN=Apple Root CA
  • Subject: CN=Timestamp Signer LON O=Apple Inc. C=US
    Validity: Jun 26 20:46:28 2012 GMT - Aug 7 20:46:28 2012 GMT (expired)
    Fingerprint: 08:8F:9B:4A:8E:47:27:8C:54:C0:CC:14:20:56:C6:AF:1B:EF:29:60
    Issuer: CN=Apple Timestamp Certification Authority OU=Apple Certification Authority O=Apple Inc. C=US
    Key usage: 1.3.6.1.5.5.7.3.8
    Not a CA
  • Subject: CN=com.apple.idms.appleid.prd.4979432b3578394e7948467962613651642b6d7a6b513d3d
    Validity: Nov 16 09:55:38 2014 GMT - Nov 15 09:55:38 2016 GMT (expired)
    Fingerprint: 0E:51:36:08:89:07:F0:26:93:6C:0B:63:55:EF:75:9E:19:EF:F0:D0
    Issuer: C=US O=Apple Inc. OU=Apple Certification Authority CN=Apple Application Integration Certification Authority
    Key usage: 1.3.6.1.5.5.7.3.1, 1.3.6.1.5.5.7.3.2
    Not a CA
  • Subject: CN=com.apple.idms.appleid.prd.4979432b3578394e7948467962613651642b6d7a6b513d3d
    Validity: Jun 28 08:16:07 2016 GMT - Jul 26 19:16:09 2017 GMT (expired)
    Fingerprint: 15:A1:8A:24:0A:27:F7:62:D5:66:2D:27:BF:82:9D:CF:A7:19:1B:D7
    Issuer: C=US O=Apple Inc. OU=Apple Certification Authority CN=Apple Application Integration Certification Authority
    Key usage: 1.3.6.1.5.5.7.3.1, 1.3.6.1.5.5.7.3.2
    Not a CA
  • Subject: C=TW ST=Taiwan L=Taipei O=First Commercial Bank CO.,LTD OU=IT Dept CN=mbank.firstbank.com.tw
    Subject alt: DNS:mbank.firstbank.com.tw
    Validity: Aug 15 09:20:42 2016 GMT - Sep 15 15:59:59 2019 GMT (expired)
    Fingerprint: B7:5C:48:B4:70:B2:FD:2C:80:06:AD:A1:9A:3D:75:26:3B:92:D9:F4
    Issuer: C=TW O=TAIWAN-CA OU=Secure SSL Sub-CA CN=TWCA Secure SSL Certification Authority
    Key usage: 1.3.6.1.5.5.7.3.1, 1.3.6.1.5.5.7.3.2
    Not a CA
  • Subject: C=TW O=TAIWAN-CA OU=Root CA CN=TWCA Global Root CA
    Validity: Oct 28 07:38:31 2014 GMT - Oct 28 15:59:59 2030 GMT
    Fingerprint: FD:54:E4:64:3B:49:70:5A:2A:AA:E5:06:53:C4:F5:6C:2D:F8:08:3D
    Issuer: C=TW O=TAIWAN-CA OU=Root CA CN=TWCA Root Certification Authority
  • Subject: CN=com.apple.idms.appleid.prd.4979432b3578394e7948467962613651642b6d7a6b513d3d
    Validity: Dec 9 05:38:49 2016 GMT - Jul 26 19:16:09 2017 GMT (expired)
    Fingerprint: 72:66:4D:A5:41:7C:63:7D:11:4B:5D:95:D2:29:95:76:E4:F7:F8:8A
    Issuer: C=US O=Apple Inc. OU=Apple Certification Authority CN=Apple Application Integration Certification Authority
    Key usage: 1.3.6.1.5.5.7.3.1, 1.3.6.1.5.5.7.3.2
    Not a CA
  • Subject: C=GB ST=Greater Manchester L=Salford O=COMODO CA Limited CN=COMODO RSA Certification Authority
    Validity: Jan 19 00:00:00 2010 GMT - Jan 18 23:59:59 2038 GMT
    Fingerprint: AF:E5:D2:44:A8:D1:19:42:30:FF:47:9F:E2:F8:97:BB:CD:7A:8C:B4
    Issuer: C=GB ST=Greater Manchester L=Salford O=COMODO CA Limited CN=COMODO RSA Certification Authority
  • Subject: C=SE O=AddTrust AB OU=AddTrust External TTP Network CN=AddTrust External CA Root
    Validity: May 30 10:48:38 2000 GMT - May 30 10:48:38 2020 GMT (expired)
    Fingerprint: 02:FA:F3:E2:91:43:54:68:60:78:57:69:4D:F5:E4:5B:68:85:18:68
    Issuer: C=SE O=AddTrust AB OU=AddTrust External TTP Network CN=AddTrust External CA Root
  • Subject: C=TW O=TAIWAN-CA OU=Root CA CN=TWCA Global Root CA
    Validity: Jun 27 06:28:33 2012 GMT - Dec 31 15:59:59 2030 GMT
    Fingerprint: 9C:BB:48:53:F6:A4:F6:D3:52:A4:E8:32:52:55:60:13:F5:AD:AF:65
    Issuer: C=TW O=TAIWAN-CA OU=Root CA CN=TWCA Global Root CA
  • Subject: C=US O=Symantec Corporation OU=Symantec Trust Network CN=Symantec Class 3 Secure Server SHA256 SSL CA
    Subject alt: DirName:/CN=VeriSignMPKI-2-373
    Validity: Apr 9 00:00:00 2013 GMT - Apr 8 23:59:59 2023 GMT (expired)
    Fingerprint: E7:32:73:E5:3A:CF:E8:0F:41:0B:3E:F4:6B:18:02:87:A0:04:40:CD
    Issuer: C=US O=VeriSign, Inc. OU=VeriSign Trust Network OU=(c) 2008 VeriSign, Inc. - For authorized use only CN=VeriSign Universal Root Certification Authority
  • Subject: postalCode=07013 O=Comodo Group Inc. street=Suite 100 street=1255 Broad St. ST=NJ L=Clifton C=US CN=Umesh Kumar Gupta emailAddress=umesh@comodo.com
    Subject alt: othername:, email:umesh@comodo.com
    Validity: Sep 11 00:00:00 2014 GMT - Sep 10 23:59:59 2017 GMT (expired)
    Fingerprint: E1:9A:36:0F:57:68:A9:0C:4F:14:4B:22:5B:28:C3:31:1F:18:67:99
    Issuer: C=GB ST=Greater Manchester L=Salford O=COMODO CA Limited CN=COMODO RSA Client Authentication and Secure Email CA
    Key usage: 1.3.6.1.5.5.7.3.4, 1.3.6.1.5.5.7.3.2
    Not a CA
  • Subject: C=GB ST=Greater Manchester L=Salford O=COMODO CA Limited CN=COMODO RSA Client Authentication and Secure Email CA
    Validity: Jan 10 00:00:00 2013 GMT - Jan 9 23:59:59 2028 GMT
    Fingerprint: 70:5E:80:0A:29:17:46:C0:5A:7A:C6:E7:08:8B:A9:66:BC:99:CE:BB
    Issuer: C=GB ST=Greater Manchester L=Salford O=COMODO CA Limited CN=COMODO RSA Certification Authority
  • Subject: UID=A884K66K6Q CN=iPhone Developer: cyd.hhp@msa.hinet.net (2595WHQ67R) OU=5V939S8XV3 O=Yu-Da Chen C=US
    Validity: Sep 19 15:59:43 2018 GMT - Sep 19 15:59:43 2019 GMT (expired)
    Fingerprint: E0:86:A4:65:EE:10:B0:16:52:FE:4C:1E:7D:2C:A8:EE:2F:4B:67:26
    Issuer: C=US O=Apple Inc. OU=Apple Worldwide Developer Relations CN=Apple Worldwide Developer Relations Certification Authority
    Key usage: 1.3.6.1.5.5.7.3.3
    Not a CA
  • Subject: C=US O=Apple Inc. OU=Apple Worldwide Developer Relations CN=Apple Worldwide Developer Relations Certification Authority
    Validity: Feb 7 21:48:47 2013 GMT - Feb 7 21:48:47 2023 GMT (expired)
    Fingerprint: FF:67:97:79:3A:3C:D7:98:DC:5B:2A:BE:F5:6F:73:ED:C9:F8:3A:64
    Issuer: C=US O=Apple Inc. OU=Apple Certification Authority CN=Apple Root CA
  • Subject: CN=Developer ID Certification Authority OU=Apple Certification Authority O=Apple Inc. C=US
    Validity: Feb 1 22:12:15 2012 GMT - Feb 1 22:12:15 2027 GMT
    Fingerprint: 3B:16:6C:3B:7D:C4:B7:51:C9:FE:2A:FA:B9:13:56:41:E3:88:E1:86
    Issuer: C=US O=Apple Inc. OU=Apple Certification Authority CN=Apple Root CA
  • Subject: C=US O=DigiCert Inc CN=DigiCert SHA2 Secure Server CA
    Validity: Mar 8 12:00:00 2013 GMT - Mar 8 12:00:00 2023 GMT (expired)
    Fingerprint: 1F:B8:6B:11:68:EC:74:31:54:06:2E:8C:9C:C5:B1:71:A4:B7:CC:B4
    Issuer: C=US O=DigiCert Inc OU=www.digicert.com CN=DigiCert Global Root CA
  • Subject: C=TW ST=Taipei L=Neihu O=ChunghwaPost CN=Chunghwa Post ATM
    Validity: Nov 13 06:33:37 2017 GMT - Nov 8 06:33:37 2037 GMT
    Fingerprint: 1E:1B:87:10:CE:50:D4:64:40:50:35:ED:8D:E4:B2:93:22:2A:F0:20
    Issuer: C=TW ST=Taipei L=Neihu O=ChunghwaPost CN=Chunghwa Post ATM
  • Subject: CN=localhost
    Subject alt: DNS:localhost
    Validity: Jun 27 01:38:17 2019 GMT - Jun 27 01:38:17 2020 GMT (expired)
    Fingerprint: 09:84:C9:9A:9A:0D:E2:47:17:3A:19:3A:52:4E:8F:D3:CB:C3:2A:1F
    Issuer: CN=localhost
    Key usage: 1.3.6.1.5.5.7.3.1
    Not a CA
  • Subject: C=US ST=California L=San Jose O=Adobe Systems OU=Cloud Technology CN=Adobe Content Certificate 10-6
    Validity: Aug 20 13:20:00 2018 GMT - Aug 18 13:20:00 2025 GMT
    Fingerprint: 90:6C:C1:49:41:57:80:CF:B7:9F:39:E1:CF:44:9F:87:CA:6D:4D:16
    Issuer: C=US ST=California L=San Jose O=Adobe Systems OU=Cloud Technology CN=Adobe Intermediate CA 10-4
    Not a CA
  • Subject: C=US ST=California L=San Jose O=Adobe Systems OU=Cloud Technology CN=Adobe Intermediate CA 10-4
    Validity: Aug 17 17:37:59 2018 GMT - Aug 4 17:37:59 2068 GMT
    Fingerprint: BF:89:E5:2F:8D:68:13:60:E6:B8:49:41:BD:2F:9B:C0:09:33:09:F6
    Issuer: C=US ST=California L=San Jose O=Adobe Systems OU=Cloud Technology CN=Adobe Root CA 10-3
  • Subject: C=US ST=California L=San Jose O=Adobe Systems OU=Cloud Technology CN=Adobe Content Certificate 10-5
    Validity: Aug 20 13:18:42 2018 GMT - Aug 18 13:18:42 2025 GMT
    Fingerprint: F0:BD:97:B4:EC:6C:D8:B7:1C:35:63:17:38:25:9C:F9:F2:E5:43:81
    Issuer: C=US ST=California L=San Jose O=Adobe Systems OU=Cloud Technology CN=Adobe Intermediate CA 10-3
    Not a CA
  • Subject: C=US ST=California L=San Jose O=Adobe Systems OU=Cloud Technology CN=Adobe Intermediate CA 10-3
    Validity: Aug 17 17:37:58 2018 GMT - Aug 4 17:37:58 2068 GMT
    Fingerprint: D1:DF:7F:06:B7:69:BC:CB:3F:44:79:04:1E:C1:F0:6E:9C:D3:CB:1A
    Issuer: C=US ST=California L=San Jose O=Adobe Systems OU=Cloud Technology CN=Adobe Root CA 10-3
  • Subject: UID=A884K66K6Q CN=Apple Development: cyd.hhp@msa.hinet.net (2595WHQ67R) OU=5V939S8XV3 O=Yu-Da Chen C=US
    Validity: Nov 6 08:32:35 2020 GMT - Nov 6 08:32:35 2021 GMT (expired)
    Fingerprint: EC:40:B3:6D:D3:3B:23:3F:4F:B6:42:8C:5B:7F:3F:1F:EE:06:CC:ED
    Issuer: C=US O=Apple Inc. OU=Apple Worldwide Developer Relations CN=Apple Worldwide Developer Relations Certification Authority
    Key usage: 1.3.6.1.5.5.7.3.3
    Not a CA
  • Subject: CN=Apple Worldwide Developer Relations Certification Authority OU=G3 O=Apple Inc. C=US
    Validity: Feb 19 18:13:47 2020 GMT - Feb 20 00:00:00 2030 GMT
    Fingerprint: 06:EC:06:59:9F:4E:D0:02:7C:C5:89:56:B4:D3:AC:12:55:11:4F:35
    Issuer: C=US O=Apple Inc. OU=Apple Certification Authority CN=Apple Root CA
  • Subject: CN=vincentchen_cht
    Validity: Jan 14 03:09:32 2021 GMT - Jan 4 02:45:34 2022 GMT (expired)
    Fingerprint: B3:0C:90:50:5C:9E:96:08:16:46:72:AD:7C:C3:DD:19:71:88:89:1B
    Issuer: CN=NextbankVpnCertRoot
    Key usage: 1.3.6.1.5.5.7.3.2
    Not a CA
  • Subject: CN=NextbankVpnCertRoot
    Validity: Jan 4 02:25:34 2021 GMT - Jan 4 02:45:34 2022 GMT (expired)
    Fingerprint: 8E:C5:58:85:E7:FE:A1:D2:6A:45:F2:74:6E:C4:C6:23:C2:23:CB:7B
    Issuer: CN=NextbankVpnCertRoot
    Not a CA
  • Subject: C=US O=Cloudflare, Inc. CN=Cloudflare Inc ECC CA-3
    Validity: Jan 27 12:48:08 2020 GMT - Dec 31 23:59:59 2024 GMT
    Fingerprint: B3:DD:76:06:D2:B5:A8:B4:A1:37:71:DB:EC:C9:EE:1C:EC:AF:A3:8A
    Issuer: C=IE O=Baltimore OU=CyberTrust CN=Baltimore CyberTrust Root
    Key usage: 1.3.6.1.5.5.7.3.1, 1.3.6.1.5.5.7.3.2
  • Subject: CN=Mac OS X Provisioning Profile Signing O=Apple Inc. C=US
    Validity: Jan 28 00:14:43 2016 GMT - Feb 7 21:48:47 2023 GMT (expired)
    Fingerprint: 04:49:FC:17:90:3E:06:51:45:D4:61:0E:CC:87:0D:D8:E3:EB:C0:B1
    Issuer: C=US O=Apple Inc. OU=Apple Worldwide Developer Relations CN=Apple Worldwide Developer Relations Certification Authority
    Not a CA
  • Subject: C=TW O=CTBC Bank Co Ltd CN=CTBCBANK Root CA
    Validity: Jan 13 02:58:38 2016 GMT - Jan 14 02:58:38 2026 GMT
    Fingerprint: 1A:20:58:B0:68:48:3C:9F:A2:38:48:FD:5A:49:25:49:5C:54:7D:51
    Issuer: C=TW O=CTBC Bank Co Ltd CN=CTBCBANK Root CA
  • Subject: CN=localhost
    Subject alt: DNS:localhost
    Validity: Jul 15 02:08:53 2021 GMT - Jul 15 02:08:53 2022 GMT (expired)
    Fingerprint: 65:01:9E:6A:1F:FB:03:39:68:BC:D7:16:45:F5:43:BA:E5:9A:2F:80
    Issuer: CN=localhost
    Key usage: 1.3.6.1.5.5.7.3.1
    Not a CA
  • Subject: CN=Microsoft.Office.Excel.ProtectedDataServices
    Validity: Jan 23 03:58:17 2022 GMT - Jan 22 03:58:17 2032 GMT
    Fingerprint: CD:6B:08:B0:1F:6E:4C:B6:12:39:A2:11:42:AC:59:C9:B0:86:B8:07
    Issuer: CN=Microsoft.Office.Excel.ProtectedDataServices
    Not a CA
  • Subject: CN=localhost
    Subject alt: DNS:localhost
    Validity: Jul 16 06:53:21 2022 GMT - Jul 16 06:53:21 2023 GMT
    Fingerprint: 15:E1:52:FC:46:13:CA:8A:95:D7:05:6F:A7:E9:8E:2C:64:16:28:23
    Issuer: CN=localhost
    Key usage: 1.3.6.1.5.5.7.3.1
    Not a CA
  • Subject: CN=com.apple.systemdefault O=System Identity
    Validity: Jul 23 13:37:28 2012 GMT - Jul 18 13:37:28 2032 GMT
    Fingerprint: 68:79:88:F7:CF:89:46:BB:00:A9:88:B1:D2:1C:F6:ED:10:82:44:87
    Issuer: CN=com.apple.systemdefault O=System Identity
    Key usage: 1.2.840.113635.100.4.4
    Not a CA
  • Subject: CN=com.apple.kerberos.kdc O=System Identity
    Validity: Jul 23 13:37:29 2012 GMT - Jul 18 13:37:29 2032 GMT
    Fingerprint: 52:83:B7:00:50:73:1F:2A:69:DB:E9:E5:06:68:D5:1F:DD:A6:06:5B
    Issuer: CN=com.apple.kerberos.kdc O=System Identity
    Not a CA
  • Subject: C=US O=Apple Inc. OU=Apple Certification Authority CN=Apple Code Signing Certification Authority
    Validity: Feb 14 21:19:19 2007 GMT - Feb 14 21:19:19 2015 GMT (expired)
    Fingerprint: FA:D8:1F:57:1D:72:D2:BA:B0:BA:B2:17:F9:80:DB:88:03:77:4B:85
    Issuer: C=US O=Apple Inc. OU=Apple Certification Authority CN=Apple Root CA
    Key usage: 1.3.6.1.5.5.7.3.3
  • Subject: C=US O=Apple Inc. OU=Apple Software CN=Software Signing
    Validity: Feb 23 22:02:56 2007 GMT - Jan 14 22:02:56 2015 GMT (expired)
    Fingerprint: 22:03:02:9E:85:EF:B1:82:8B:92:8C:3B:65:45:F0:03:CC:0E:51:5C
    Issuer: C=US O=Apple Inc. OU=Apple Certification Authority CN=Apple Code Signing Certification Authority
    Key usage: 1.3.6.1.5.5.7.3.3
    Not a CA
  • Subject: C=US O=Apple Inc. OU=Apple Worldwide Developer Relations CN=Apple Worldwide Developer Relations Certification Authority
    Validity: Feb 14 18:56:35 2008 GMT - Feb 14 18:56:35 2016 GMT (expired)
    Fingerprint: 09:50:B6:CD:3D:2F:37:EA:24:6A:1A:AA:20:DF:AA:DB:D6:FE:1F:75
    Issuer: C=US O=Apple Inc. OU=Apple Certification Authority CN=Apple Root CA
  • Subject: C=TW CN=Changingtec ServiSign CA 20170422 O=Changingtec OU=Changingtec
    Subject alt: DNS:localhost
    Validity: Apr 22 13:29:17 2017 GMT - Apr 17 13:29:17 2037 GMT
    Fingerprint: DE:58:F6:99:61:AF:15:63:D7:D2:40:91:2D:72:CB:B7:0C:8D:9C:4D
    Issuer: C=TW CN=Changingtec ServiSign CA 20170422 O=Changingtec OU=Changingtec
    Key usage: 1.3.6.1.5.5.7.3.1, 1.3.6.1.5.5.7.3.2
  • Subject: CN=Inemdiate
    Validity: Oct 1 20:52:33 2019 GMT - Sep 30 20:52:33 2020 GMT (expired)
    Fingerprint: D3:F2:6D:94:E3:83:02:19:DA:6D:8C:FE:31:30:0C:12:B9:52:7C:29
    Issuer: CN=RootCA
  • Subject: CN=RootCA
    Validity: Oct 1 20:52:00 2019 GMT - Sep 30 20:52:00 2020 GMT (expired)
    Fingerprint: 4A:34:3A:2B:FB:AA:C1:2C:EF:92:FC:57:A1:7F:53:4F:E2:1B:C7:02
    Issuer: CN=RootCA
  • Subject: C=TW ST=Taiwan L=Taipei O=NHI OU=ICC CN=NHI.Self.Server.Cert
    Subject alt: DNS:localhost.nhi.gov.tw, DNS:localhost, DNS:127.0.0.1, DNS:iccert.nhi.gov.tw
    Validity: May 10 09:08:52 2019 GMT - May 10 09:08:52 2069 GMT
    Fingerprint: 87:62:0A:EA:90:1E:12:FC:BC:AD:29:1C:67:F3:58:F4:EE:60:06:48
    Issuer: C=TW ST=Taiwan L=Taipei O=NHI OU=ICC CN=NHI.Self.Server.Cert
    Not a CA
  • Subject: CN=PA_root
    Validity: Feb 25 08:26:07 2020 GMT - Feb 24 08:26:07 2021 GMT (expired)
    Fingerprint: EA:4E:7B:5C:D6:EB:18:6A:AA:DF:7E:22:6C:DD:6B:C0:5F:23:03:61
    Issuer: CN=PA_root
  • Subject: CN=127.0.0.1
    Subject alt: IP Address:127.0.0.1, DNS:localhost
    Validity: Apr 25 02:55:00 2017 GMT - Apr 25 02:55:00 2048 GMT
    Fingerprint: CF:AA:8D:C7:48:90:6D:2E:E6:D5:7B:A5:6D:52:76:78:77:8D:63:6B
    Issuer: CN=127.0.0.1
    Key usage: 1.3.6.1.5.5.7.3.1, 1.3.6.1.5.5.7.3.2
    Not a CA
  • Subject: C=TW ST=Taipei L=Taipei O=Top OU=3300 CN=https://localhost
    Subject alt: DNS:*.localhost, DNS:localhost
    Validity: May 18 03:29:35 2017 GMT - May 16 03:29:35 2027 GMT
    Fingerprint: D8:76:39:09:05:4C:58:1A:44:8E:B4:61:D4:7A:8F:3F:19:7D:E8:1B
    Issuer: C=TW ST=Taipei L=Taipei O=Top OU=3300 CN=https://localhost
    Not a CA
  • Subject: C=TW CN=BOT ServiSign CA_20190605 O=BOT OU=BOT
    Subject alt: DNS:localhost
    Validity: Feb 25 04:51:14 2022 GMT - Feb 20 04:51:14 2042 GMT
    Fingerprint: A6:21:16:73:B8:9B:CA:FF:2D:D2:40:59:05:FC:F8:1A:B7:D0:FB:9F
    Issuer: C=TW CN=BOT ServiSign CA_20190605 O=BOT OU=BOT
    Key usage: 1.3.6.1.5.5.7.3.1, 1.3.6.1.5.5.7.3.2
  • Subject: C=TW O=TWCA OU=TWCA Develope CN=TWCA Certificate Authority
    Validity: Mar 28 06:09:00 2019 GMT - Mar 28 06:09:00 2029 GMT
    Fingerprint: 41:5D:5B:F4:EE:AE:B7:07:5C:2A:FB:C1:68:96:B2:39:23:EC:A0:26
    Issuer: C=TW O=TWCA OU=TWCA Develope CN=TWCA Certificate Authority
    Key usage: 1.3.6.1.5.5.7.3.1
  • Subject: O=AO Kaspersky Lab CN=Kaspersky Web Anti-Virus Certification Authority
    Validity: May 30 15:39:20 2011 GMT - May 25 15:39:20 2031 GMT
    Fingerprint: 7D:CD:C1:2B:60:E9:4F:81:84:55:97:67:69:13:F4:B5:20:2A:8E:88
    Issuer: O=AO Kaspersky Lab CN=Kaspersky Web Anti-Virus Certification Authority
    Key usage: 1.3.6.1.5.5.7.3.1


@chrmarti
Contributor

There is an expired certificate in your OS root certificates that might explain this (though there are also built-in certificates that should cover this case). Could you try removing this expired certificate from the OS (in the Keychain Access app):

Subject: C=US O=DigiCert Inc CN=DigiCert SHA2 Secure Server CA
Validity: Mar 8 12:00:00 2013 GMT - Mar 8 12:00:00 2023 GMT (expired)
Fingerprint: 1F:B8:6B:11:68:EC:74:31:54:06:2E:8C:9C:C5:B1:71:A4:B7:CC:B4
Issuer: C=US O=DigiCert Inc OU=www.digicert.com CN=DigiCert Global Root CA

Would be great to know if this works. (We could investigate if we can skip expired certificates when loading them from the OS.)

One alternative might be to update the root certificates in your OS, but I haven't tried this myself. (Newer versions of macOS also come with newer certificates.)

@cydhhp
Author

cydhhp commented Jun 17, 2023

@chrmarti

I delete it, still error, I can't login.

Then turn off VSCode, and try again, I success.

Why is this issue related to the "DigiCert" Certification?

Thanks

@chrmarti
Contributor

This seems to be a detail in how Node.js verifies the certificate chain. It seems to first complete the chain with a root certificate and then check for expiration dates without going back and trying other (potentially unexpired) certificates.

We can skip expired certificates when loading them from the OS to improve this.

@chrmarti chrmarti changed the title Can't Login (not duplicate) Skip expired certificates from the OS Jun 20, 2023
@chrmarti chrmarti added bug Issue identified by VS Code Team member as probable bug proxy Issues regarding network proxies and removed info-needed Issue requires more information from poster labels Jun 20, 2023
chrmarti added a commit to microsoft/vscode-proxy-agent that referenced this issue Jun 20, 2023
chrmarti added a commit to microsoft/vscode-proxy-agent that referenced this issue Jun 20, 2023
@aj0413

aj0413 commented Jul 5, 2023

+1 to this issue.

Was running into this as I tried to use the new C# Dev Kit and was greatly confused.

Have quite a few expired certs when I looked; not even sure I can remove them given our hodgepodge infrastructure.

Any update on when this fix will be pushed to insider, if not stable?

@chrmarti
Contributor

This is in the latest VS Code Insiders now (part of @vscode/proxy-agent 0.15.0). Would be great if you could give it a try and let us know if it fixes the issue for you. Thanks!

@chrmarti chrmarti added this to the July 2023 milestone Jul 10, 2023
@HEUDavid

> This is in the latest VS Code Insiders now (part of @vscode/proxy-agent 0.15.0). Would be great if you could give it a try and let us know if it fixes the issue for you. Thanks!


Great! It works!
I also have this problem on 1.80:
2023-07-10 14:35:32.565 [error] Fetching token failed for scopes (email offline_access openid profile): request to https://login.microsoftonline.com/organizations/oauth2/v2.0/token failed, reason: certificate has expired

The following is the latest VS Code Insiders:

2023-07-10 14:39:46.659 [info] Logging in for the following scopes: email offline_access openid profile
2023-07-10 14:39:50.472 [info] Exchanging login code for token for scopes: email offline_access openid profile
2023-07-10 14:39:51.082 [info] Exchanging login code for token (for scopes: email offline_access openid profile) succeeded!
2023-07-10 14:39:51.082 [info] Setting token for scopes: email offline_access openid profile
2023-07-10 14:39:51.082 [info] Login successful for scopes: email offline_access openid profile
2023-07-10 14:39:51.082 [info] Token available from cache (for scopes email offline_access openid profile), expires in 4697999 milliseconds

@HEUDavid

> This is in the latest VS Code Insiders now (part of @vscode/proxy-agent 0.15.0). Would be great if you could give it a try and let us know if it fixes the issue for you. Thanks!
>
> Great! It works! I also have this problem on 1.80:
> 2023-07-10 14:35:32.565 [error] Fetching token failed for scopes (email offline_access openid profile): request to https://login.microsoftonline.com/organizations/oauth2/v2.0/token failed, reason: certificate has expired
>
> The following is the latest VS Code Insiders:
>
> 2023-07-10 14:39:46.659 [info] Logging in for the following scopes: email offline_access openid profile
> 2023-07-10 14:39:50.472 [info] Exchanging login code for token for scopes: email offline_access openid profile
> 2023-07-10 14:39:51.082 [info] Exchanging login code for token (for scopes: email offline_access openid profile) succeeded!
> 2023-07-10 14:39:51.082 [info] Setting token for scopes: email offline_access openid profile
> 2023-07-10 14:39:51.082 [info] Login successful for scopes: email offline_access openid profile
> 2023-07-10 14:39:51.082 [info] Token available from cache (for scopes email offline_access openid profile), expires in 4697999 milliseconds

the bug is still there, the latest VS Code Insiders: 2023-07-10 15:07:39.294 [error] Fetching token failed for scopes (email offline_access openid profile): request to https://login.microsoftonline.com/organizations/oauth2/v2.0/token failed, reason: certificate has expired

@chrmarti
Contributor

@HEUDavid Could you install the Network Proxy Test extension (https://marketplace.visualstudio.com/items?itemName=chrmarti.network-proxy-test) and check the output of F1 > Network Proxy Test: Test Connection in VS Code? Use https://login.microsoftonline.com/organizations/oauth2/v2.0/token as the URL when being asked.

@chrmarti chrmarti reopened this Jul 10, 2023
@HEUDavid

HEUDavid commented Jul 10, 2023

> @HEUDavid Could you install the Network Proxy Test extension (https://marketplace.visualstudio.com/items?itemName=chrmarti.network-proxy-test) and check the output of F1 > Network Proxy Test: Test Connection in VS Code? Use https://login.microsoftonline.com/organizations/oauth2/v2.0/token as the URL when being asked.

Ignore the certificate issues and retry, returns 200. But what I'm curious about is that the insider version still can't log in with a Microsoft account to sync the configuration.

Network Proxy Test extension output:
Note: Make sure to replace all sensitive information with dummy values before sharing this output.

VS Code 1.81.0-insider (ad791ef)
Network Proxy Test 0.0.8
darwin 21.6.0 x64

Settings:

  • http.proxy:
  • http.proxyAuthorization: null
  • http.proxyStrictSSL: true
  • http.proxySupport: override
  • http.systemCertificates: true

Environment variables:

Sending GET request to https://login.microsoftonline.com/organizations/oauth2/v2.0/token...
vscode-proxy-agent: DIRECT
Received error: certificate has expired (CERT_HAS_EXPIRED)
Retrying while ignoring certificate issues to collect information on the certificate chain.

Sending GET request to https://login.microsoftonline.com/organizations/oauth2/v2.0/token (allowing unauthorized)...
vscode-proxy-agent: DIRECT
Received response:

  • Status: 200 OK
    Certificate chain:
  • Subject: stamp2.login.microsoftonline.com (Microsoft Corporation)
    Subject alt: DNS:stamp2.login.microsoftonline.com, DNS:login.microsoftonline-int.com, DNS:login.microsoftonline-p.com, DNS:login.microsoftonline.com, DNS:login2.microsoftonline-int.com, DNS:login2.microsoftonline.com, DNS:loginex.microsoftonline-int.com, DNS:loginex.microsoftonline.com, DNS:stamp2.login.microsoftonline-int.com
    Validity: May 27 00:00:00 2023 GMT - May 27 23:59:59 2024 GMT
    Fingerprint: 62:96:21:A8:61:B3:C9:9F:A0:19:E1:7F:50:E3:FC:BF:F5:A1:65:4B
  • Subject: DigiCert SHA2 Secure Server CA (DigiCert Inc)
    Validity: Sep 23 00:00:00 2020 GMT - Sep 22 23:59:59 2030 GMT
    Fingerprint: 62:6D:44:E7:04:D1:CE:AB:E3:BF:0D:53:39:74:64:AC:80:80:14:2C
  • Subject: DigiCert Global Root CA (DigiCert Inc)
    Validity: Nov 10 00:00:00 2006 GMT - Nov 10 00:00:00 2031 GMT
    Fingerprint: A8:98:5D:3A:65:E5:E5:C4:B2:D7:D6:6D:40:C6:DD:2F:B1:9C:54:36
    Self-signed
    Local root certificates:
  • Subject: C=US O=DigiCert Inc OU=www.digicert.com CN=DigiCert Global Root CA
    Validity: Nov 10 00:00:00 2006 GMT - Nov 10 00:00:00 2031 GMT
    Fingerprint: A8:98:5D:3A:65:E5:E5:C4:B2:D7:D6:6D:40:C6:DD:2F:B1:9C:54:36
    Issuer: C=US O=DigiCert Inc OU=www.digicert.com CN=DigiCert Global Root CA

Microsoft Authentication:
2023-07-10 17:40:25.734 [error] Fetching token failed for scopes (email offline_access openid profile): request to https://login.microsoftonline.com/organizations/oauth2/v2.0/token failed, reason: certificate has expired

@chrmarti

@chrmarti
Contributor

@HEUDavid Could you also append the output from F1 > Network Proxy Test: Show OS Certificates? It looks like the fix is not working.

@HEUDavid

> @HEUDavid Could you also append the output from F1 > Network Proxy Test: Show OS Certificates? It looks like the fix is not working.

Note: Make sure to replace all sensitive information with dummy values before sharing this output.

VS Code 1.81.0-insider (ad791ef)
Network Proxy Test 0.0.8
darwin 21.6.0 x64

Certificates loaded from the OS (Keychain Access > Certificates > 'Several Keychains'):

  • Subject: C=US O=DigiCert Inc CN=DigiCert SHA2 Secure Server CA
    Validity: Mar 8 12:00:00 2013 GMT - Mar 8 12:00:00 2023 GMT (expired)
    Fingerprint: 1F:B8:6B:11:68:EC:74:31:54:06:2E:8C:9C:C5:B1:71:A4:B7:CC:B4
    Issuer: C=US O=DigiCert Inc OU=www.digicert.com CN=DigiCert Global Root CA
  • Subject: --DELETED by David--
  • Subject: C=US O=DigiCert Inc CN=DigiCert ECC Secure Server CA
    Validity: Mar 8 12:00:00 2013 GMT - Mar 8 12:00:00 2023 GMT (expired)
    Fingerprint: 56:EE:7C:27:06:83:16:2D:83:BA:EA:CC:79:0E:22:47:1A:DA:AB:E8
    Issuer: C=US O=DigiCert Inc OU=www.digicert.com CN=DigiCert Global Root CA
  • Subject: CN=com.apple.systemdefault O=System Identity
    Subject alt: DNS:com.apple.systemdefault
    Validity: Jul 20 04:45:17 2020 GMT - Jul 15 04:45:17 2040 GMT
    Fingerprint: 9B:DE:E0:26:C0:4B:32:4D:4C:CB:FA:5D:59:C3:92:B5:DE:B5:D5:F3
    Issuer: CN=com.apple.systemdefault O=System Identity
    Key usage: 1.2.840.113635.100.4.4
    Not a CA
  • Subject: CN=com.apple.kerberos.kdc O=System Identity
    Subject alt: DNS:com.apple.kerberos.kdc
    Validity: Jul 20 04:45:18 2020 GMT - Jul 15 04:45:18 2040 GMT
    Fingerprint: 32:0F:97:D6:AB:4F:57:AF:61:90:46:07:B6:5B:6E:0D:0D:17:2C:6F
    Issuer: CN=com.apple.kerberos.kdc O=System Identity
    Key usage: 1.3.6.1.5.5.7.3.1, 1.3.6.1.5.2.3.5
    Not a CA
  • Subject: --DELETED by David--

@HEUDavid

I use a http proxy, and solved my problem, login succ...

Note: Make sure to replace all sensitive information with dummy values before sharing this output.

VS Code 1.81.0-insider (5150ef0)
Network Proxy Test 0.0.8
darwin 21.6.0 x64

Settings:

  • http.proxy:
  • http.proxyAuthorization: null
  • http.proxyStrictSSL: true
  • http.proxySupport: override
  • http.systemCertificates: true

Environment variables:

Sending GET request to https://login.microsoftonline.com/organizations/oauth2/v2.0/token...
vscode-proxy-agent: PROXY 127.0.0.1:7890
Received response:

  • Status: 200 OK
    Certificate chain:
  • Subject: stamp2.login.microsoftonline.com (Microsoft Corporation)
    Subject alt: DNS:stamp2.login.microsoftonline.com, DNS:login.microsoftonline-int.com, DNS:login.microsoftonline-p.com, DNS:login.microsoftonline.com, DNS:login2.microsoftonline-int.com, DNS:login2.microsoftonline.com, DNS:loginex.microsoftonline-int.com, DNS:loginex.microsoftonline.com, DNS:stamp2.login.microsoftonline-int.com
    Validity: May 17 00:00:00 2023 GMT - May 17 23:59:59 2024 GMT
    Fingerprint: 57:81:8C:32:19:AC:FC:5D:16:3E:BD:4B:18:32:60:38:C5:17:98:44
  • Subject: DigiCert SHA2 Secure Server CA (DigiCert Inc)
    Validity: Sep 23 00:00:00 2020 GMT - Sep 22 23:59:59 2030 GMT
    Fingerprint: 62:6D:44:E7:04:D1:CE:AB:E3:BF:0D:53:39:74:64:AC:80:80:14:2C
  • Subject: DigiCert Global Root CA (DigiCert Inc)
    Validity: Nov 10 00:00:00 2006 GMT - Nov 10 00:00:00 2031 GMT
    Fingerprint: A8:98:5D:3A:65:E5:E5:C4:B2:D7:D6:6D:40:C6:DD:2F:B1:9C:54:36
    Self-signed
    Local root certificates:
  • Subject: C=US O=DigiCert Inc OU=www.digicert.com CN=DigiCert Global Root CA
    Validity: Nov 10 00:00:00 2006 GMT - Nov 10 00:00:00 2031 GMT
    Fingerprint: A8:98:5D:3A:65:E5:E5:C4:B2:D7:D6:6D:40:C6:DD:2F:B1:9C:54:36
    Issuer: C=US O=DigiCert Inc OU=www.digicert.com CN=DigiCert Global Root CA

@chrmarti
Contributor

Interesting, I would not have expected that to trigger the CERT_HAS_EXPIRED error. 🤔

@chrmarti
Contributor

Not sure why this made it work for you.

Closing again. Feedback on whether the fix works for anyone still appreciated. Thanks.

@chrmarti chrmarti added the author-verification-requested Issues potentially verifiable by issue author label Jul 12, 2023
@connor4312
Member

@chrmarti are there verification steps for this?

@roblourens roblourens added the verification-steps-needed Steps to verify are needed for verification label Jul 27, 2023
@chrmarti
Contributor

Steps to verify:

  • Set log level to debug.
  • Reload window.
  • Search for "ProxyResolver#getCaCertificates count" in the Extension Host output channel.
  • Verify that there are fewer filtered certificates than certificates in total. E.g.:
2023-07-28 11:14:05.190 [debug] ProxyResolver#getCaCertificates count 32
2023-07-28 11:14:05.191 [debug] ProxyResolver#getCaCertificates count filtered 26

Thanks!

@chrmarti chrmarti removed the verification-steps-needed Steps to verify are needed for verification label Jul 28, 2023
@alexr00 alexr00 added the verified Verification succeeded label Jul 28, 2023
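As an added illustration (not code from VS Code or @vscode/proxy-agent), the sketch below parses a listing in the Network Proxy Test format quoted in this thread, skips entries that are expired at a given time, and flags expired entries that share a name with a certificate the server sent, which is the DigiCert SHA2 Secure Server CA situation discussed above; its output mirrors the "count" / "count filtered" lines from the verification steps. The function names, the sample listing and the decision to keep entries whose date cannot be parsed are assumptions of this example.

```javascript
// Constructed sample in the "Show OS Certificates" output format, using entries quoted in this thread.
const OS_CERTS = `
  • Subject: C=US O=DigiCert Inc CN=DigiCert SHA2 Secure Server CA
    Validity: Mar 8 12:00:00 2013 GMT - Mar 8 12:00:00 2023 GMT (expired)
    Fingerprint: 1F:B8:6B:11:68:EC:74:31:54:06:2E:8C:9C:C5:B1:71:A4:B7:CC:B4
    Issuer: C=US O=DigiCert Inc OU=www.digicert.com CN=DigiCert Global Root CA
  • Subject: C=US O=DigiCert Inc OU=www.digicert.com CN=DigiCert Global Root CA
    Validity: Nov 10 00:00:00 2006 GMT - Nov 10 00:00:00 2031 GMT
    Fingerprint: A8:98:5D:3A:65:E5:E5:C4:B2:D7:D6:6D:40:C6:DD:2F:B1:9C:54:36
    Issuer: C=US O=DigiCert Inc OU=www.digicert.com CN=DigiCert Global Root CA
  • Subject: CN=localhost
    Validity: Jul 16 06:53:21 2022 GMT - Jul 16 06:53:21 2023 GMT
    Fingerprint: 15:E1:52:FC:46:13:CA:8A:95:D7:05:6F:A7:E9:8E:2C:64:16:28:23
    Issuer: CN=localhost
    Not a CA
`;
const MONTHS = ['Jan', 'Feb', 'Mar', 'Apr', 'May', 'Jun', 'Jul', 'Aug', 'Sep', 'Oct', 'Nov', 'Dec'];

// Parse "Mar 8 12:00:00 2023 GMT" into epoch milliseconds (NaN if malformed).
function parseCertDate(text) {
  const m = /^(\w{3}) +(\d{1,2}) (\d{2}):(\d{2}):(\d{2}) (\d{4}) GMT$/.exec(text.trim());
  if (!m || !MONTHS.includes(m[1])) return NaN;
  return Date.UTC(+m[6], MONTHS.indexOf(m[1]), +m[2], +m[3], +m[4], +m[5]);
}

// Split the bullet listing into records; lines without "key: value" (e.g. "Not a CA") are ignored.
function parseListing(text) {
  const certs = [];
  for (const raw of text.split('\n')) {
    const line = raw.trim();
    const sep = line.indexOf(': ');
    if (sep < 0) continue;
    const key = line.slice(0, sep), value = line.slice(sep + 2).trim();
    if (key === '• Subject') { certs.push({ subject: value }); continue; }
    const cert = certs[certs.length - 1];
    if (!cert) continue;
    if (key === 'Validity') cert.notAfter = parseCertDate(value.replace(/\s*\(expired\)$/, '').split(' - ')[1] || '');
    else if (key === 'Issuer') cert.issuer = value;
    else if (key === 'Fingerprint') cert.fingerprint = value;
  }
  return certs;
}

// Drop only entries that are provably expired at `now`. Entries whose date could not be
// parsed are kept (a choice made for this sketch; TLS verification still checks dates itself).
function skipExpired(certs, now) {
  return { kept: certs.filter(c => !(c.notAfter <= now)), skipped: certs.filter(c => c.notAfter <= now) };
}

// Common name from a "C=US O=... CN=Name" subject string.
function commonName(subject) {
  const m = /CN=(.+?)(?= (?:C|O|OU|ST|L)=|$)/.exec(subject);
  return m ? m[1] : subject;
}

// Expired OS entries that share a name with a certificate the server sent.
function staleCopies(skipped, servedNames) {
  return skipped.filter(c => servedNames.includes(commonName(c.subject)));
}

const SERVED = ['stamp2.login.microsoftonline.com', 'DigiCert SHA2 Secure Server CA', 'DigiCert Global Root CA'];
const result = skipExpired(parseListing(OS_CERTS), Date.UTC(2023, 6, 28)); // evaluated at 2023-07-28
console.log(`count ${result.kept.length + result.skipped.length}, count filtered ${result.kept.length}`);
for (const c of staleCopies(result.skipped, SERVED)) console.log(`stale copy: ${c.subject} (${c.fingerprint})`);
```

The expiry decision is computed from the validity window and the supplied clock rather than from the "(expired)" marker, so the localhost entry that was still valid in June 2023 is skipped when evaluated at the end of July.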
@aj0413

aj0413 commented Jul 31, 2023

sorry, forgot to ping back that this fix did solve my problem in insiders

is this slated for next stable release since we're at the end of July now :)

@beto811 beto811 mentioned this issue Jul 31, 2023
@github-actions github-actions bot locked and limited conversation to collaborators Aug 25, 2023