error: "unable to get local issuer certificate" behind zScaler proxy

[thorstenhirsch]

My company is using zScaler proxy, which is intercepting TLS. The root certificate is installed in the system and all browsers and command line tools like curl work fine. Only VS Code extensions like Copilot have a problem. The full error is:

[INFO] [default] [2021-12-15T09:40:18.477Z] Experimentation service initialized
[INFO] [default] [2021-12-15T09:40:22.810Z] Feature for copilotaa: true
[INFO] [default] [2021-12-15T09:40:22.810Z] Feature for copilotincludeprompt: none
[ERROR] [default] [2021-12-15T09:40:23.362Z] GitHub Copilot could not connect to server. Extension activation failed: "unable to get local issuer certificate"

I've seen in microsoft/vscode#45792 (comment) that VS Code is already using the system's certificates, however chrmati suggests in microsoft/vscode#124655 (comment) that contrary to browsers VS Code might not download any missing certificates of the certificate chain. This might be the root cause.

I've already added the complete certificate chain for vscode-auth.github.com and copilot-proxy.githubusercontent.com to the system, but it made no difference. Setting http.proxyStrictSSL=false also has no effect at all. The only thing that has an effect is setting the environment variable NODE_TLS_REJECT_UNAUTHORIZED=0. But it doesn't fix the problem, it only changes the error message to:

GitHub Copilot could not connect to server. Extension activation failed: "undefined"

[davecheney]

Please try adding api.github.com as well.

[thorstenhirsch]

Done. But it makes no difference, unfortunately.

[davecheney]

I'm sorry to hear that.

[timothyeckert]

Following back up on this, was there any resolution to this issue? This only seems to effect the VSCode version of the plugin.

[suradaBANG]

Add some notices here:

1. The pem file locate at "C:\Users<MicrosoftName>.vscode\extensions\ukoloff.win-ca-3.5.0\node_modules\win-ca\pem", named as "roots.pem" in win-ca@3.5.0 , just copy it into a safe folder ( such as @Stevendeleon mensioned %USERPROFILE%.hidden-dir-name\ca-combined.pem )
2. Env variable setting: absolute path is also worked
3. The git command git config --global http.sslverify=false, change http.sslverify to http.sslVerify <- Note the capital V

Everything works fine for me! Thanks alot

[Flawededge]

I can confirm, win-ca by itself didn't solve any of my problems.
Changing the mode to append got it working (I had to restart vs-code before it worked)

[CaptainLeezee]

Thanks @timothyeckert, this basically worked for me. Here are the exact steps I did:

-Installed win-ca extension
-Change to append mode in win-ca settings
-Go to github in a browser (edge), select show certificate from the security menu to the left of the url
-Hit details, export, export as certificate chain (second option) and save as .pem (manually add extension). Don't need to get certs from your IT department this way.
-Put the pem file somewhere and create a new variable in in System environment variables with name NODE_EXTRA_CA_CERTS and path to certificate file. You can use the absolute path.

Restart VSCode and done.
Working Win11 09 2023

[zthng]

This also worked for my Mac setup, except I used the mac-ca extension instead of the win-ca and installed the PEM file directly into keychain. Worked immediately after restarting vscode.

[stefano-dallona]

This worked for me as well. Thx a lot for sharing the solution

[PatrickKennedy]

I don't know why, but whatever process the extension uses doesn't respect NODE_EXTRA_CA_CERTS

I spent probably more time than I really should have spelunking in the extension.js adding logging and traced it down to the connectTLS function (which makes sense). It's possible to add rejectUnauthorized: false to d in that function which is the connection options, but I found this which both a) demonstrates that the extension is not respecting the CA env variable (which is set) and b) securely resolves the problem: https://medium.com/trabe/monkey-patching-tls-in-node-js-to-support-self-signed-certificates-with-custom-root-cas-25c7396dfd2a

chucking this at the top of extension.js in the github.copilot extension folder should be enough to resolve it:

const tls = require("tls");
const fs = require("fs");

const origCreateSecureContext = tls.createSecureContext;

tls.createSecureContext = options => {
  const context = origCreateSecureContext(options);

  const pem = fs
    .readFileSync(process.env.NODE_EXTRA_CA_CERTS, { encoding: "ascii" })
    .replace(/\r\n/g, "\n");

  console.log(pem);

  const certs = pem.match(/-----BEGIN CERTIFICATE-----\n[\s\S]+?\n-----END CERTIFICATE-----/g);

  if (!certs) {
    throw new Error(`Could not parse certificate ${process.env.NODE_EXTRA_CA_CERTS}`);
  }

  certs.forEach(cert => {
    context.context.addCACert(cert.trim());
  });

  return context;
};

[wethegreenpeople]

Thank you @PatrickKennedy ! This was enough to get it to work behind my company proxy.

I've been following multiple discussions for this/similar issues with copilot and you're the first to actually get it work on my end. So thank you once again!

[PatrickKennedy]

The above solution doesn't work for me anymore. They're using the already library now and maybe it has something to do with that, but it appears that the monkeypatch secureContext is mangling the options passed. I don't know enough about it to solve it, so... I've had to fall back to inserting the rejectUnauthorized: false

I'm able to use find/replace with these options:
d={...l, <- Note the comma
d={...l,rejectUnauthorized:false,

Note, you should be ensuring that there is only one found result, if you get two best to manually locate it via the connectTLS function.

[ukalwa]

This actually worked for me!! Thanks a ton!

[sathish316]

Does this fix work on intellij? if yes, where do i apply this patch in intellij plugin?

[PatrickKennedy]

Well, this is clearly not a problem they want to solve and instead actually appear to be actively going out of their way to make it hard to address. It's still possible to set rejectUnauthorized to false in places, but a) there's no easy find replace to do that, and b) I'm tired of telling them exactly where to go to break the fixes.

[davidlu1001]

@TryTryAgain Thanks it works for me 👍

EDIT: Updated the above, adding | tail -n1 for the path to only grab the latest version and it's been continuing to work for me with upgrades up through the latest.

Suppose it'd be good to add sort -V (--version-sort) before tail to make sure the version in correct order so that can grab the latest one.

[MiqueasAndrade]

That worked for me too. I've just opened my "Git Bash" in Windows, saved the script in a fix-copilot.sh file,

chmod +x fix-copilot.sh ; ./fix-copilot.sh

and peace again...

[sarimarton]

Ref: https://gist.github.com/sarimarton/55779cf95028860ea2126e61a6b377d0

# [2023-05-25] Added Copilot Chat, and VSCode Insiders
# [2023-05-20] Add VSCode Insiders variant
# [2023-02-22] Added Copilot Labs

# Fix Github Co-pilot self-signed cert problem
# See: https://github.com/orgs/community/discussions/8866#discussioncomment-3517831

# Note
#
# To make Github Copilot/Nightly/Labs/Chat work, you might need additional
# steps.
# ----------------------------------------------
# - The bash script is solid. Keep the fixing command run on shell start.
# - Sign out of github from vscode, lower left corner. Ref:
#   https://docs.github.com/en/copilot/troubleshooting-github-copilot/troubleshooting-common-issues-with-github-copilot#error-github-copilot-could-not-connect-to-server-extension-activation-failed
# - Reload window, sign back in, make sure you're using the Chrome window with
#   the right profile (with which you're logged in to the right account), reload
#   window
# - Check VSCode Output pane
# - if EAI_AGAIN error happens, in particular under WSL, this worked:
#   - sudo sh -c "echo nameserver 8.8.8.8 > /etc/resolv.conf"
#   - Ref: https://github.com/community/community/discussions/19499#discussioncomment-5026421
# - As for Labs/Chat, check their webpage, there might be a waiting list, or
#   terms to accept before you get access. The error message in the Output pane
#   should give you a hint about it.
fix_github_copilot() {
    local silent_mode=$1

    apply_patch() {
        local vscode_dir=$1
        local regex_pattern=$2
        local extension_name=$3
        local extensions_path="$HOME/${vscode_dir}/extensions"
        local copilot_dir=$(ls "${extensions_path}" | grep -E "${regex_pattern}" | sort -V | tail -n1) || return
        local extension_filepath="${extensions_path}/${copilot_dir}/dist/extension.js"

        if [[ -f "$extension_filepath" ]]; then
            if [[ $silent_mode != 'silent' ]]; then
                echo "Found $extension_name extension, applying 'rejectUnauthorized' patches to '$extension_filepath'"
            fi
            perl -pi -e 's/,rejectUnauthorized:[a-z]}(?!})/,rejectUnauthorized:false}/g' ${extension_filepath} || echo "Perl patch failed"
            sed -i.bak 's/d={...l,/d={...l,rejectUnauthorized:false,/g' ${extension_filepath} || echo "Sed patch failed"
        fi
    }

    perform_fix() {
        if [[ -d "$HOME/$1" ]]; then
            apply_patch "$1" "github.copilot-[0-9].*" "Copilot"
            apply_patch "$1" "github.copilot-nightly-[0-9].*" "Copilot Nightly"
            apply_patch "$1" "github.copilot-labs-[0-9].*" "Copilot Labs"
            apply_patch "$1" "github.copilot-chat-[0-9].*" "Copilot Chat"
        fi
    }

    perform_fix ".vscode"
    perform_fix ".vscode-server"
    perform_fix ".vscode-insiders"
    perform_fix ".vscode-server-insiders"

    unset -f apply_patch
    unset -f perform_fix
}

fix_github_copilot silent

[dev-grant]

I don't know if a recent copilot update broke these scripts, but they're not working for me.

What did work was going into extension.js and changing the two rejectUnauthorized getters to return false:

get rejectUnauthorized(){return false}

[jtele2]

Neither of these worked for me. Is this for the chat?

[Freilichtbuehne]

I fixed it with following speps:

1. Go to extension.js
2. Press F1 and Format Document (optional)
3. Replace rejectUnauthorized: something with rejectUnauthorized: false where possible (check for syntax errors)
4. Relaunch

This takes a minute to figure out which part of the code can be replaced. This is not an ideal solution, but should work.

Thanks to @PatrickKennedy for the hint with rejectUnauthorized.

[hsenag]

Hi, just to note that while we haven't prioritised supporting this properly at the moment, we haven't been deliberately trying to make it hard. Any movement you've seen would be side-effects of other changes.

[elenderg]

Could someone please provide me the modified extension.js file?

[nandakumar12]

Could someone please provide me the modified extension.js file?

https://controlc.com/8fbad595

[danhje]

I'm trying to adapt this to the PyCharm / IntelliJ plugin on Linux. There's no extension.js in the dist folder, but agent.js and service.js exists, and contain rejectUnauthorized: a bunch of places. d={...l isn't anywhere to find, but I've got d={...c and d={...n. How do I determine which should be replaced? I can upload the files somewhere, if that helps.

[Thom-Ernst]

This is a good fix if people don't want to trouble the infra team.

[vadim0x60]

Just installing the win-ca extension solved this for me. Kudos to @Stevendeleon

[TryTryAgain]

Just installing the win-ca extension solved this for me. Kudos to @Stevendeleon

Good to know, looking forward to a MacOS/Linux equivalent.

[mkhoss]

Thanks!

[cal5barton]

Fixed my issue. Thanks!

[cliffche]

It works,appreciate!

[robderickson]

This extension also worked for me after adding "win-ca.inject": "append" to my preferences and restarting VS Code.

[jonod8698]

I asked my infra team to exclude the following from SSL inspection - worked a charm:

• copilot-proxy.githubusercontent.com
• api.github.com (Also used for Self-hosted runners)

[jnvshubham7]

After many weeks... THIS was the solution that worked! Amen and great work whoever figured it out!

how to use this solutoin please give me brief about that?

copilot-proxy.githubusercontent.com
api.github.com (Also used for Self-hosted runners)

[elenderg]

what if my company blocks any url with the word "proxy" (like http://copilot-proxy.githubusercontent.com/)
Is there any way to bypass this restriction? (without changing IT policies, because it is a huge governmental company with 10000+ employees and it takes a lot of time and paper to make a simple change like this).

[oliver-mentel]

How does one implement this solution?
copilot-proxy.githubusercontent.com
api.github.com (Also used for Self-hosted runners)
Any advice, please?
Is this solution also valid for Mac OS?

[keytrap-x86]

If you disable HTTPS inspection for these 2 addresses in your firewall/proxy it should work for any device after this.

[induratized]

https://stackoverflow.com/a/72136715/4796867

[Stevendeleon]

Although this is geared towards VS Code, alternatively if you have access to JetBrains IDEs (as a fallback) their software will pick up untrusted certs from installed plugins and prompt you to accept upon startup:

(my mac solution)

Hope this helps!

[beingminimal]

Hey everyone please join discussion here and vote also here. It's diff topic but requires attention to improve DX.
#15533
Thanks

[Loga-Shanmugam]

For those who still have this issue with your company laptop and still cant solve it, install win-ca extension in vscode and change the win-ca setting to append. It worked for me.

[BI3GS0N]

It doesn't work fo me.. 😏
After changing inject method to 'append', i got this message:

does anyone have solution?

[XisleStudios]

Thank you very much!

[bernardo-suez]

Worked for me too. Thanks!

[YellekPy]

This worked perfectly. Thank you so, so much.

[BenjaminGolba]

Worked for me too. Thank you!

[linhmtran168]

I'm using MacOS so win-ca doesn't work for me. After trying all advices in this thread and other places I can find on the internet to no avail, I decided to create my own extension, which uses the code from win-ca and mac-ca to make all certificates in MacOS keychain available to VS Code extensions. You can install it here and you need to restart VS Code for it to work.
The code is very simple and is available here.

[joSeugHee]

Thank you!

[alenzo-pinc]

The hero we needed!

[wanyukang]

Thank you! still work in 2023!!

[Nosp1]

Great job, do you think a similar plugin for intellij would solve it there?

[pabloazurduy]

thank you so much !!!! it solved the issue for me 🙌

[joshystuart]

For those of you wanting a fix for Jetbrains Intellij / Webstorm, and you didn't get a prompt to accept | reject the certs, I manually added the certs by doing the following:

1. Go to copilot-proxy.githubusercontent.com and api.github.com in a browser
2. Click on the padlock and download the certificates to a local folder
   • For mac use this method https://stackoverflow.com/a/59466184/1222816
   • For windows use this method https://medium.com/@menakajain/export-download-ssl-certificate-from-server-site-url-bcfc41ea46a2
3. Add the certificates to IntelliJ / Webstorm via: preferences > tools > server certificates
   

[elenderg]

what if my company blocks any url with the word "proxy" (like http://copilot-proxy.githubusercontent.com/)
Is there any way to bypass this restriction? (without changing IT policies, because it is a huge governmental company with 10000+ employees and it takes a lot of time and paper to make a simple change like this).

[joshystuart]

Im sorry @elenderg, Im not sure you can.

[LanDeQuHuXi]

I tried this solution, it does not work for me and weirdly the VSCode monkey patch works for me. But I’m a mainly PyCharm user, and wondering if you could help me with some direction for further inspection.

[joshystuart]

@LanDeQuHuXi this solution stopped working for me recently too. See #20091

It's now blocking the self signed cert Request Error: self signed certificate in certificate chain :(

[mrksph]

Hi, I just made the effort of login in from my working pc to thank you, after adding those certs now it's working again! <3

[dan-sweden]

Win-ca worked for the windows VSC instance. but has anyone found out how to solve it when using WSL(ubuntu) in VSC?

[sarimarton]

Yes. @TryTryAgain 's patch works, you just need to change the first line from

_VSCODEDIR="$HOME/.vscode/extensions"
to
_VSCODEDIR="$HOME/.vscode-server/extensions"

in your guest .bashrc

[TryTryAgain]

And need to run it again whenever it stops working because of an update to the extension :(

[zh3ngyuan]

For Mac users, please try https://marketplace.visualstudio.com/items?itemName=linhmtran168.mac-ca-vscode

After installing this extension, GitHub copilot works like a charm in my vscode!

[AkshayPathakMLF]

Thanks a bunch! This worked great!

[micaelparadox]

tell me a version of it for intellj ide

[spinupol]

this worked like a charm

[xiaoxin01]

Thanks a lot! This worked for me on MacOS + vs code.

[micaelparadox]

Is it working for intelij ides?

[siddharthgoel88]

https://sidd.io/2023/01/github-copilot-self-signed-cert-issue/

[wanyukang]

https://sidd.io/2023/01/github-copilot-self-signed-cert-issue/

plugin version 1.2.4.2459, I try to follow your trick and it doesn't work :(

[rameezvora]

I tried with VSCODE and it works like a charm.

…

On Thu, Oct 13, 2022 at 10:06 AM Micael ***@***.***> wrote: Is it working for intelij ides? — Reply to this email directly, view it on GitHub <#8866 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AJIPNVA4QU2AYOZ7C2EGMRTWDA6TDANCNFSM5KDF2RCA> . You are receiving this because you commented.Message ID: ***@***.***>

[JohanStolk]

jetbrains rider copilot latest, still not working:

Sign in failed. Reason: Request signInInitiate failed with message: No instance of has been registered. Context created at: at new (C:\snapshot\copilot\dist\agent.js) at C:\snapshot\copilot\dist\agent.js at C:\snapshot\copilot\dist\agent.js at C:\snapshot\copilot\dist\agent.js at C:\snapshot\copilot\dist\agent.js at Object. (C:\snapshot\copilot\dist\agent.js) at Module._compile (pkg/prelude/bootstrap.js:1930:22) at Object.Module._extensions..js (node:internal/modules/cjs/loader:1159:10) at Module.load (node:internal/modules/cjs/loader:981:32) at Function.Module._load (node:internal/modules/cjs/loader:822:12) , request id: 4, error code: -32603

[danielbisar]

This issue is huge. You cannot use Github Copilot behind a zscaler without strange modifications.

I had the issue under Windows and Linux in VScode, JetBrains and nvim.

1. vscode -> the monkey patch version of TryTryAgain above works for Linux currently
2. JetBrains -> there seems to be no way to make it work; but it is the main IDE I am working with.

Proposed solution: Allow importation of zscaler certifcates with copilot no matter in which environment and mark is as trusted (like you would do in a browser)

[dougreesIG]

I agree, this is a bit of a nightmare right now and is holding back our adoption of copilot.

[esben2000]

I had the problem in Visual Studio. Setting "Accept non-trusted certificates automatically" to True, solved the problem.

[SangLeeGitHub]

If you're familiar with Docker, there's a solution. There is a docker image of the famous Squid proxy that we are familiar with. https://hub.docker.com/r/ubuntu/squid
If you already have Docker installed on your computer, run the command below in the DOS window. (as of April 2023)
docker run -d --name squid-container -e TZ=UTC -p 3128:3128 ubuntu/squid:5.2-22.04_beta

And go to Jetbrains IDE such as IntelliJ, WebStorm, Pycharm, etc. and go to settings. (For the latest version, use the top right gear symbol)
Go to the plugins. Press the gear symbol at the top of the plugins window. Go to HTTP Proxy settings. The host is localhost, and the port is 3128 in manual proxy settings.

It works well in my environment (Windows 10, Under Zscaler 4.0.0.X, WebStorm 2023.1 Build #WS-231.8109.174, built on March 28, 2023). Enjoy.

[Codename-x]

This solution work like a charm!
Thank you! You are fantastic!

[hoshang8282]

it works for me too for vs-code on Ubuntu. In vs-code but in settings -> Uncheck proxy strickt ssl and in Proxy: http://localhost:3128

[ShreyasJejurkar]

this works for some time, but fails after some time with error message saying cannot create tunnel.

[0nk3]

With me, it was because of JamF
I added the following to my hosts(/etc/hosts) and everything starterd working normaly

20.87.225.211 api.github.com
20.81.6.94 copilot-proxy.githubusercontent.com
146.112.207.45 vscode-auth.github.com

[FarisAhmed]

I solved the problem as follows in this environment:

• Visual Studio Enterprise 2022
• Windows 10
• Company computer in home office :-)
• Zscaler installed by company IT on my computer
• Zscaler tunnel to my corporate network is enabled

Solution

• Browse (in my case chrome) to https://copilot-proxy.githubusercontent.com/v1/engines/copilot-codex as shown below
  

• Export the Zscaler Root CA certificate using the Export button to C:\Data\CoPilot\CA\Zscaler Root CA.pem

• Create environment variable NODE_EXTRA_CA_CERTS and set its value to the pem file
  
  Close the environment window

• Restart Visual studio and CoPilot suggestions appeared as expected
  

[tobysainsbury]

This worked for me, thanks!

[withoutcat]

When using VDI, I encountered a self-signed certificate issue (I find VDI environments similar to internal corporate VPNs). My development environment is Windows 11 (VDI) with IntelliJ IDEA 2024. I resolved it by following these steps:

1. Open github.com.
2. Click on the lock🔒 icon to the left of the browser address bar on github.com.
3. Verify that the connection is secure.
4. To the left of the "Close" button, click on "Show Certificate."
5. Go to the "Details" tab.
6. Click the "Export" button.
7. Open IntelliJ IDEA.
8. Navigate to "Settings."
9. Under "Tools," select "Server Certificate."
10. Click "Add."
11. Choose the certificate you exported earlier.
12. Click "OK."
13. Perform the same steps for copilot-proxy.githubusercontent.com.

Now your GitHub Copilot should work.