
Certificate Error Cosmos DB in Visual Code

Open normanmartinez opened this issue 6 years ago • 7 comments

<Please be sure to remove any private information before submitting.>

Repro steps: <Enter steps to reproduce issue>

Action: cosmosDB.createDocDBDatabase
Error type: DEPTH_ZERO_SELF_SIGNED_CERT
Error Message: self signed certificate

Version: 0.9.1
OS: win32

normanmartinez avatar Dec 17 '18 14:12 normanmartinez

Sorry for the late reply. Could you try setting http.proxyStrictSSL to false?

nturinski avatar Oct 15 '19 21:10 nturinski

Hey folks!

I can confirm that changing the VSCode proxyStrictSSL setting to False makes it work as a workaround.

However, I think there must be another way of working this out built in by the extension. I'm on OSX and, unfortunately, I have to run the emulator on a Windows VM with Parallels since after so many years with CosmosDB out, we still don't have an xplat emulator.

To make the web data explorer work, I had to export the certificate as suggested in the docs and make it trusted in the OSX Keychain. That would allow us to access the WebUI.

Setting the global VSCode proxyStrictSSL is a pretty big security flaw and to properly fix it we should go one of the following paths:

  1. Make the extension trust any certificate whose thumbprint is explicitly set in the extension-level settings. That scopes the relaxed SSL settings to the extension; or
  2. Allow people to generate their own certificates and add them to the emulator, so it would use their trusted certificates instead of the auto-generated one; or
  3. Make VSCode selectively allow specific thumbprints at the VSCode global level.

That would avoid the security risk and allow scenarios like mine, where I have an "external" client (VSCode) connecting to a "remote" emulator on the VM.

I believe option 1 is the easiest to tackle, but 2 is the more reliable.

To be honest, in my case, all that would be sorted by having a cross platform emulator (long late feature request made multiple times everywhere, but subject for another issue)...

I hope that helps...

galvesribeiro avatar Nov 13 '19 13:11 galvesribeiro
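
Option 1 from the comment above (trust scoped to explicitly configured thumbprints instead of turning off `http.proxyStrictSSL` globally), as an added Node.js example; it is not code from the vscode-cosmosdb extension or from any commenter. The function names, the use of SHA-256 thumbprints and the sample bytes are assumptions made for illustration.

```javascript
// Added example (assumed names): pin a self-signed certificate by thumbprint.
const crypto = require('node:crypto');
const tls = require('node:tls');

// Accept "AA:BB:...", "aa bb ..." or bare hex; return lowercase hex or null.
function normalizeThumbprint(value) {
  const hex = String(value).replace(/[\s:]/g, '').toLowerCase();
  return /^[0-9a-f]{64}$/.test(hex) ? hex : null;
}

// True only if SHA-256 over the certificate's DER bytes equals a configured pin.
// Malformed pins never match, and an empty pin list trusts nothing.
function certMatchesPin(derBytes, pins) {
  if (!Buffer.isBuffer(derBytes) || derBytes.length === 0) return false;
  const actual = crypto.createHash('sha256').update(derBytes).digest('hex');
  return pins.some((pin) => normalizeThumbprint(pin) === actual);
}

// Open a TLS socket and resolve only after the pin check has passed.
// Chain validation is off for this one socket because the certificate is
// self-signed, so the thumbprint comparison is the only trust decision made.
// The check runs on 'secureConnect' and the caller gets the socket afterwards,
// so no application data is written to an unverified peer.
function connectPinned(host, port, pins) {
  return new Promise((resolve, reject) => {
    const socket = tls.connect({ host, port, rejectUnauthorized: false });
    socket.once('error', reject);
    socket.once('secureConnect', () => {
      const cert = socket.getPeerCertificate();
      if (certMatchesPin(cert.raw, pins)) return resolve(socket);
      socket.destroy();
      reject(new Error('server certificate does not match a pinned thumbprint'));
    });
  });
}

// Constructed stand-in for DER bytes (not a real certificate) so this runs offline.
const sampleDer = Buffer.from('constructed-sample-not-a-real-certificate');
// Thumbprint in the colon-separated uppercase form that certificate tools display.
const samplePin = crypto.createHash('sha256').update(sampleDer).digest('hex')
  .toUpperCase().match(/../g).join(':');
console.log('pinned certificate accepted:', certMatchesPin(sampleDer, [samplePin]));
console.log('other certificate accepted:', certMatchesPin(Buffer.from('other'), [samplePin]));
```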

This issue has become stale and is at risk of being closed. The community has 60 days to upvote the issue. If it receives 5 upvotes we will keep it open and take another look. If not, we will close it. To learn more about how we handle issues, please see our documentation.

Happy Coding!

AzCode-Bot avatar Apr 06 '21 18:04 AzCode-Bot

I ran into this today and I'm hesitant to set "http.proxyStrictSSL": false because I don't fully understand the security implications of doing so.

Jon

azsdke2e azsdke2e1

jongio avatar May 24 '21 22:05 jongio

:slightly_smiling_face: This feature request received a sufficient number of community upvotes and we moved it to our backlog. To learn more about how we handle feature requests, please see our documentation.

Happy Coding!

AzCode-Bot avatar Apr 06 '22 05:04 AzCode-Bot

Is there an update to this? There needs to be a way to connect to the emulator via http or by ignoring the certificate on the other side. In a local development environment, it's unnecessary to enforce https when network is limited to localhost.

klemmchr avatar Dec 03 '22 19:12 klemmchr

I am also affected by this problem. My use case is a dev container that is running my development environment and a CosmosDB emulator.

I attach the database via connection string and I get an error about the self-signed certificate.

szszoke avatar Dec 12 '22 12:12 szszoke