Error fetching extensions. self signed certificate in certificate chain
Bug Description:
I installed Theia on Windows 10 on a computer behind a corporate firewall that uses its own CA Root Certificates.
When searching for extensions in Theia, I get the following error:
Error fetching extensions. self signed certificate in certificate chain
Steps to Reproduce:
- Be me.
- Install Theia on my corporate laptop
- Try to search for extensions in Theia
Additional Information
- Operating System: Windows 10
- Theia Version: 1.46.100
- VS Code API Version: 1.85.1
My settings are as per the default. I also have VS Code installed and that works out of the box.
I am able to get past this problem if I switch off the "Http: Proxy Strict SSL" setting.
But is this not a rather insecure setting?
Also, why does selecting system certificates not work?
This sounds interesting.
I started investigating this by monitoring what happens when I start a clean instance of TheiaIDE.
When Theia starts, it does a fetch on http://schemastore.org/api/json/catalog.json (we should make that https right away), which will be 307ed (moved temporarily) to https://schemastore.org/api/json/catalog.json.
It will cause additional fetches on https://open-vsx.org when looking for extensions.
Of course, I do not know what software you are running on your Windows machine, what software is running on your corporate network, or what your corporate network is doing :)
However, I have experienced several cases where locally installed anti-virus software has been doing SSL inspection by basically acting as MITM while injecting certificates claiming to be valid for the requested destination.
Looking at the certificate chain of all connection attempts made by TheiaIDE might shed some light on this issue.
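One way to do the chain inspection suggested in the comment above, as an added example that is not part of the original thread and is not Theia code: it flattens the chain Node.js exposes via `getPeerCertificate(true)` and names the topmost issuer. `summarizeChain`, `inspectHost` and the `SAMPLE_*` certificates are hypothetical names and constructed data.

```javascript
// Added example (not Theia code). Walks the linked list Node.js returns from
// tlsSocket.getPeerCertificate(true): leaf -> issuerCertificate -> ... -> root.
function summarizeChain(leaf) {
  const chain = [];
  const seen = new Set();
  for (let c = leaf; c && c.subject && !seen.has(c); c = c.issuerCertificate) {
    seen.add(c); // Node marks the root by pointing issuerCertificate at itself
    chain.push({
      subject: c.subject.CN || c.subject.O,
      issuer: c.issuer.CN || c.issuer.O,
      sha256: c.fingerprint256,
    });
  }
  const top = chain[chain.length - 1];
  return {
    chain,
    topIssuer: top ? top.issuer : null, // the CA the client must already trust
    selfSignedTop: Boolean(top) && top.subject === top.issuer, // name match only
  };
}

// Hypothetical helper: read the chain a host presents from this machine.
// rejectUnauthorized:false only lets a failing handshake finish; nothing is sent.
function inspectHost(host, port = 443) {
  const tls = require('node:tls'); // loaded here so summarizeChain works offline
  return new Promise((resolve, reject) => {
    const opts = { host, port, servername: host, rejectUnauthorized: false };
    const sock = tls.connect(opts, () => {
      const result = summarizeChain(sock.getPeerCertificate(true));
      result.verifyError = sock.authorized ? null : String(sock.authorizationError);
      sock.end();
      resolve(result);
    });
    sock.on('error', reject);
  });
}

// Constructed sample, not captured traffic: the chain shape a TLS-inspecting
// proxy presents. All names and fingerprints are placeholders.
const SAMPLE_ROOT = { subject: { CN: 'Example Corp Root CA' },
  issuer: { CN: 'Example Corp Root CA' }, fingerprint256: 'AA:AA (constructed)' };
SAMPLE_ROOT.issuerCertificate = SAMPLE_ROOT;
const SAMPLE_INTERMEDIATE = { subject: { CN: 'Example Corp Inspection CA' },
  issuer: { CN: 'Example Corp Root CA' }, fingerprint256: 'BB:BB (constructed)',
  issuerCertificate: SAMPLE_ROOT };
const SAMPLE_LEAF = { subject: { CN: 'open-vsx.org' },
  issuer: { CN: 'Example Corp Inspection CA' }, fingerprint256: 'CC:CC (constructed)',
  issuerCertificate: SAMPLE_INTERMEDIATE };
console.log(summarizeChain(SAMPLE_LEAF));
```

On an affected machine, `inspectHost('open-vsx.org').then(console.log)` shows the chain actually presented and the verification error; this assumes a direct or transparently proxied connection.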
I have a similar issue (let me know if you would like to have a separate issue here) running Theia on Windows 10 in a corporate network.
Searching for extensions is not possible and the issue is:
Error fetching extensions. unable to get local issuer certificate
Since working for some time in this setting I know that in eclipse for example I was able to get around those certificate issues by adding
-Djavax.net.ssl.trustStore=NUL
-Djavax.net.ssl.trustStoreType=Windows-ROOT
to eclipse.ini file.
So though there is some kind of software in between - passing it to the OS must be possible somehow, but Theia currently does not get the certificates from the OS correctly.
edit: Turning off SSL verification (Http: Proxy Strict SSL?) makes the search succeed. But as the OP mentioned: this imposes security issues.
From the command line Theia prints:
[...]
2024-04-03T14:41:52.042Z root ERROR Error: unable to get local issuer certificate
at TLSSocket.onConnectSecure (node:_tls_wrap:1538:34)
at TLSSocket.emit (node:events:513:28)
at TLSSocket._finishInit (node:_tls_wrap:952:8)
at ssl.onhandshakedone (node:_tls_wrap:733:12)
[...]
I have the same problem, I am behind a ZScaler, inspecting all HTTPS traffic with its own Root CA. This is perfectly installed in the local Windows certificate store. VS Code, Node, Eclipse for example work perfectly, Eclipse Theia is not using System Certificates on Windows. The setting is turned on under HTTP in Theia, but it is not used.