Github Copilot Chat has sporadic issues communicating with the server | Electron Issue

Open rbleattler opened this issue 7 months ago • 18 comments

Type: Bug

Summary:

This is related to issue #5650. I have been getting the Error Code: net::ERR_CERT_COMMON_NAME_INVALID issue sporadically for weeks and weeks now and have been frustrated beyond belief trying to sort it out.

I've been toggling different settings and going down rabbit holes to no avail. Today I noticed the different "fetchers" in the diagnostic output and their respective debug enable/disable advanced settings. I believe the issue lies in the ElectronFetch functionality. The issue only occurs when using that - and is sporadic. I will keep my eyes open over the next few days to see if it happens again and report back.

  • Copilot Chat Extension Version: 0.27.2 (prod)
  • VS Code Version: vscode/1.100.2
  • OS Version: Windows 11 - latest
  • Feature (e.g. agent/edit/ask mode): all/any
  • Selected model (e.g. GPT 4.1, Claude 3.7 Sonnet): all/any
  • Logs:

Output from **Github Copilot Chat: Collect Diagnostics**


GitHub Copilot Chat

  • Extension Version: 0.27.2 (prod)
  • VS Code: vscode/1.100.2
  • OS: Windows

Network

User Settings:

  "http.proxyStrictSSL": false,
  "github.copilot.advanced.debug.useElectronFetcher": false,
  "github.copilot.advanced.debug.useNodeFetcher": true,
  "github.copilot.advanced.debug.useNodeFetchFetcher": true

Connecting to https://api.github.com:

  • DNS ipv4 Lookup: 140.82.114.6 (14 ms)
  • DNS ipv6 Lookup: Error (14 ms): getaddrinfo ENOTFOUND api.github.com
  • Proxy URL: None (0 ms)
  • Electron fetch: HTTP 200 (24 ms)
  • Node.js https (configured): HTTP 200 (87 ms)
  • Node.js fetch: HTTP 200 (91 ms)
  • Helix fetch: HTTP 200 (104 ms)

Connecting to https://api.individual.githubcopilot.com/_ping:

  • DNS ipv4 Lookup: 140.82.114.22 (13 ms)
  • DNS ipv6 Lookup: Error (14 ms): getaddrinfo ENOTFOUND api.individual.githubcopilot.com
  • Proxy URL: None (1 ms)
  • Electron fetch: Error (46 ms): Error: net::ERR_CERT_COMMON_NAME_INVALID at SimpleURLLoaderWrapper.<anonymous> (node:electron/js2c/utility_init:2:10511) at SimpleURLLoaderWrapper.emit (node:events:524:28)
  • Node.js https (configured): HTTP 200 (115 ms)
  • Node.js fetch: HTTP 200 (80 ms)
  • Helix fetch: HTTP 200 (79 ms)

Documentation

In corporate networks: Troubleshooting firewall settings for GitHub Copilot.


Steps to Reproduce:

  1. Not reliably reproducible, but occurs when sending any interaction to copilot through the extension.

rbleattler avatar May 22 '25 14:05 rbleattler

Just wanted to drop an update here. I have not had a single problem with this since updating my settings as mentioned above.

rbleattler avatar Jun 12 '25 20:06 rbleattler

I frequently get this issue, however I can't reasonably work out why. I might be hitting the same error from a different root cause, but I run into:

Sorry, your request failed. Please try again. Request id: 48a9bdf8-8c05-45ad-901c-05e1c6fd1ee9

Reason: Please check your firewall rules and network connection then try again. Error Code: net::ERR_CERT_COMMON_NAME_INVALID.

When using the agent, chat window, or inline chats (not code completions though, they always work). Refreshing DNS cache doesn't do anything, however any request to https://api.enterprise.githubcopilot.com/* results in an incorrect certificate. This isn't a workplace block, because if I go to that URL in the browser I get the same certificate error. The certificate is a valid and publicly issued cert for github.com, and if I bypass the certificate warning, it redirects back to github.com. For whatever reason, github.com's certificate is being used on the api.enterprise.githubcopilot.com domain.

The weird thing is that this doesn't always happen. It probably happens 2-3 times a week and I couldn't reproduce it if I tried (when it does occur, the issue doesn't fix itself until about 30 minutes later). I've searched and seen nothing like this reported, and GitHub status always seems to be up. My only guess is that GitHub is sharing some IP and somewhere down the line my DNS doesn't respect the TTL in time (although that's such a stretch since I'm out of ideas).

NeuronButter avatar Aug 05 '25 10:08 NeuronButter

Sorry missed this thread, if you are still seeing this issue with electron fetcher can you restart the application with --log-net-log=<some-absolute-path>/netlog.json, once the failure happens quit the application and send the log file to [email protected]

You can inspect the logs in https://netlog-viewer.appspot.com/#import, specifically the certificate contents; the error would come from https://source.chromium.org/chromium/chromium/src/+/main:net/cert/cert_verify_proc.cc;l=496-499 when the hostname is not present in the subject alt name.

deepak1556 avatar Aug 05 '25 13:08 deepak1556

Just got it again. From Firefox:

https://api.enterprise.githubcopilot.com/

Unable to communicate securely with peer: requested domain name does not match the server’s certificate.

HTTP Strict Transport Security: false
HTTP Public Key Pinning: false

Certificate chain:


Pastebin of netlog.json, can't see anything related to the failing requests on that domain though. When I open a new window, I don't get the certificate warning (just "Language model unavailable"). Unsure if there's another domain failing that I'm missing, or if I just need to always use netlog until I get lucky.

If I do it in curl (fails unless I use insecure for the same reasons):

PS C:\Users\neero> curl https://api.enterprise.githubcopilot.com/ --insecure -v
* Host api.enterprise.githubcopilot.com:443 was resolved.
* IPv6: (none)
* IPv4: 4.237.22.38
*   Trying 4.237.22.38:443...
* schannel: disabled automatic use of client certificate
* ALPN: curl offers http/1.1
* ALPN: server accepted http/1.1
* Connected to api.enterprise.githubcopilot.com (4.237.22.38) port 443
* using HTTP/1.x
> GET / HTTP/1.1
> Host: api.enterprise.githubcopilot.com
> User-Agent: curl/8.13.0
> Accept: */*
>
* Request completely sent off
* schannel: remote party requests renegotiation
* schannel: renegotiating SSL/TLS connection
* schannel: SSL/TLS connection renegotiated
* schannel: remote party requests renegotiation
* schannel: renegotiating SSL/TLS connection
* schannel: SSL/TLS connection renegotiated
< HTTP/1.1 301 Moved Permanently
< Content-Length: 0
< Location: https://github.com/
< Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
<
* Connection #0 to host api.enterprise.githubcopilot.com left intact

Edit: Just realised, these logs are just with the default settings of VSC / Copilot. Haven't messed around with the fetcher settings

NeuronButter avatar Aug 06 '25 05:08 NeuronButter

The issue is not at all related to firewalls or users—it's a server deployment problem where one IP responds correctly, but others do not. The commands I'm providing were executed consecutively from different geographical locations and source IPs to rule out local connection issues. If I run the same command again while forcing it to use a specific IP, it fails. And you can verify that each of the IPs to which the domain resolves (in my case, api.individual.githubcopilot.com) responds correctly or not. Perhaps it's an issue with a load balancer or a reverse proxy—I'm not sure—but it doesn't seem at all like a problem with GitHub Copilot users' connections. Please fix it; it's very recurring and frustrating to be paying for a service and encountering such easily detectable and fixable failures.

(.venv) PS <REDACTED>> curl -v "https://api.individual.githubcopilot.com/_ping"
* Host api.individual.githubcopilot.com:443 was resolved.
* IPv6: (none)
* IPv4: 140.82.121.3
*   Trying 140.82.121.3:443...
* schannel: disabled automatic use of client certificate
* ALPN: curl offers http/1.1
* schannel: SNI or certificate check failed: SEC_E_WRONG_PRINCIPAL (0x80090322) - The target principal name is incorrect.
* closing connection #0
curl: (60) schannel: SNI or certificate check failed: SEC_E_WRONG_PRINCIPAL (0x80090322) - The target principal name is incorrect.
More details here: https://curl.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the webpage mentioned above.

(.venv) PS <REDACTED>> curl -v "https://api.individual.githubcopilot.com/_ping"
* Host api.individual.githubcopilot.com:443 was resolved.
* IPv6: (none)
* IPv4: 140.82.113.21
*   Trying 140.82.113.21:443...
* schannel: disabled automatic use of client certificate
* ALPN: curl offers http/1.1
* ALPN: server accepted http/1.1
* Connected to api.individual.githubcopilot.com (140.82.113.21) port 443
* using HTTP/1.x
> GET /_ping HTTP/1.1
> Host: api.individual.githubcopilot.com
> User-Agent: curl/8.13.0
> Accept: */*
>
* Request completely sent off
< HTTP/1.1 200 OK
< Date: Sat, 04 Oct 2025 07:19:59 GMT
< Content-Length: 2
< Content-Type: text/plain; charset=utf-8
< x-github-backend: Kubernetes
< X-GitHub-Request-Id: C079:32B73D:14E1CA:200649:68E0CA9F
<
OK* Connection #0 to host api.individual.githubcopilot.com left intact

(.venv) PS <REDACTED>> curl -v --resolve "api.individual.githubcopilot.com:443:140.82.121.3" "https://api.individual.githubcopilot.com/_ping"
* Added api.individual.githubcopilot.com:443:140.82.121.3 to DNS cache
* Hostname api.individual.githubcopilot.com was found in DNS cache    
*   Trying 140.82.121.3:443...
* schannel: disabled automatic use of client certificate
* ALPN: curl offers http/1.1
* schannel: SNI or certificate check failed: SEC_E_WRONG_PRINCIPAL (0x80090322) - The target principal name is incorrect.
* closing connection #0
curl: (60) schannel: SNI or certificate check failed: SEC_E_WRONG_PRINCIPAL (0x80090322) - The target principal name is incorrect.
More details here: https://curl.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the webpage mentioned above.

socketz avatar Oct 04 '25 07:10 socketz

Thanks for narrowing down the issue, however I see a comment mentioning that disabling Electron fetcher resolved the issue. Do others facing the issue also see it addressed when running with the following setting,

"github.copilot.advanced.debug.useElectronFetcher": false,
"github.copilot.advanced.debug.useNodeFetcher": false,
"github.copilot.advanced.debug.useNodeFetchFetcher": true

deepak1556 avatar Oct 08 '25 02:10 deepak1556

> Thanks for narrowing down the issue, however I see a comment mentioning that disabling Electron fetcher resolved the issue. Do others facing the issue also see it addressed when running with the following setting,
>
> "github.copilot.advanced.debug.useElectronFetcher": false,
> "github.copilot.advanced.debug.useNodeFetcher": false,
> "github.copilot.advanced.debug.useNodeFetchFetcher": true

I don’t know what the implementation details look like, but if these fetchers are running in different sub processes, it’s possible that they’re getting different DNS results when running queries, in which case it is possible that @socketz's suggestion is exactly what’s going on. Just food for thought.

rbleattler avatar Oct 08 '25 02:10 rbleattler

> I don’t know what the implementation details look like, but if these fetchers are running in different sub processes, it’s possible that they’re getting different DNS results when running queries

No, they don't run in different processes, but they have different client implementations (Node.js vs Chromium).

deepak1556 avatar Oct 08 '25 03:10 deepak1556

> different client implementations

Why would a different networking implementation change the fact of api.individual.githubcopilot.com (/api.enterprise...) pointing to a server that has the wrong TLS certificate?

NeuronButter avatar Oct 08 '25 09:10 NeuronButter

Hey all. I'm from the edge team at GitHub. Taking a look into what's going on here.

> Trying 140.82.121.3:443... Trying 4.237.22.38:443...

The problem appears to be that DNS is resolving to regional IPs that terminate public github.com traffic, instead of the IPs for the load balancer that githubcopilot.com is behind.

DNS queries for api.*.githubcopilot.com should resolve to one of these IPs, which are the A records related to CNAME glb-db52c2cf8be544.github.com.

  - 140.82.112.21
  - 140.82.112.22
  - 140.82.113.21
  - 140.82.113.22
  - 140.82.114.21
  - 140.82.114.22

> Why would a different networking implementation change the fact of api.individual.githubcopilot.com (/api.enterprise...) pointing to a server that has the wrong TLS certificate?

The load balancers behind IPs like 140.82.121.3 and 4.237.22.38 aren't configured to handle githubcopilot.com traffic since they're not supposed to.

The root issue would be why DNS is resolving to the wrong address. It appears some DNS resolvers may be returning a regional (cached?) IP for github.com instead of the correct IP for glb-db52c2cf8be544.github.com (which api.*.githubcopilot.com should CNAME to). While I'm not certain why this would occur, it would explain the issues.

Troubleshooting

I've tested on both Linux and Windows machines across EU, US, and Australia regions, and I'm unable to reproduce the issue. However, it's clear that some DNS clients are receiving incorrect values when querying api.*.githubcopilot.com.

The troubleshooting done here already is very thorough, so thank you for that! As a next step, could someone experiencing this issue capture:

  1. Which nameservers are being used when the incorrect value is returned
  2. Which DNS resolver those queries went through

This would help us identify where something may be misconfigured.

tcbyrd avatar Oct 08 '25 19:10 tcbyrd

> The troubleshooting done here already is very thorough, so thank you for that! As a next step, could someone experiencing this issue capture:
>
>   1. Which nameservers are being used when the incorrect value is returned
>   2. Which DNS resolver those queries went through

If users want to capture this information from VSCode, you can repro the failure with netlog enabled https://github.com/microsoft/vscode-copilot-release/issues/10262#issuecomment-3155250644 this will capture the relevant information.

deepak1556 avatar Oct 09 '25 00:10 deepak1556

@tcbyrd Note that https://github.com/microsoft/vscode/issues/265035 has a few examples of the correct IPs returning the wrong certificate.

chrmarti avatar Oct 15 '25 07:10 chrmarti

Actually the error often only shows on one of several requests run immediately after each other in our diagnostics command, so it's possible that all but that one request get a correct IP address. The diagnostics command runs the requests using different http implementations, but I can't see a pattern implicating one of them (Electron errors show more often in reports because that's the default we use).

chrmarti avatar Oct 23 '25 08:10 chrmarti

I'm located in the EU region, specifically Spain, but the problem seems to occur randomly across all locations. It results in resolving to an IP that isn't the intended one for this domain—could this be some kind of fallback rule?

From what I've observed, the load balancer responds dynamically with different IPs, making it very difficult to determine all the IPs that should legitimately respond for that domain. My hypothesis is that when an IP should not be in the active pool for any reason (maintenance, failure, etc.), the fallback mechanism triggers and redirects traffic to a generic IP that doesn't have the proper githubcopilot.com certificates. This could mean that if you are in a specific region and receive an IP that is saturated with traffic from your location, it triggers this fallback process. This process then provides an incorrect IP, eventually leading to a redirect to GitHub's main website as a backup response.

Correct me if I'm wrong, but the load balancers—in this case, what appears to be a GSLB—are not functioning as intended, which seems to be causing these errors depending on the region and time of day.

The "Client IP Preservation" system works correctly (which is part of why the problem is hard to reproduce). You can test this by creating an infinite loop with dig or nslookup from the same DNS server and observing how the TTL (Time to Live) in the response decreases while the IP remains the same. When the TTL expires, the resolver will fetch a new record from the GSLB, which may return the same IP or a different one.

I believe this assumption is accurate—the GSLB/GLB is failing at some point in the load balancing pool. It might be a very subtle error lasting only a few seconds that causes these random issues, as also mentioned by @ascott18 in this comment: https://github.com/microsoft/vscode/issues/265035#issuecomment-3358066821

You can check the different IPs it resolves to from various regions using any of these services:

  - https://dnsmap.io/#A/api.individual.githubcopilot.com
  - https://dnschecker.org/#A/api.individual.githubcopilot.com
  - https://www.whatsmydns.net/#A/api.individual.githubcopilot.com
  - https://www.gdnspc.com/#A&api.individual.githubcopilot.com
  - https://www.nslookup.io/domains/api.individual.githubcopilot.com/dns-propagation/a/

socketz avatar Oct 23 '25 15:10 socketz

We think it's an issue in the DNS (without the loadbalancers involved).

To narrow this down further, could those seeing this run the following and post the output here:

nslookup -type=NS githubcopilot.com

chrmarti avatar Oct 24 '25 07:10 chrmarti

I'm located in Germany

nslookup -type=NS githubcopilot.com
Server:  rpi4b.home
Address:  192.168.3.55

Nicht autorisierende Antwort:
githubcopilot.com       nameserver = dns4.p01.nsone.net
githubcopilot.com       nameserver = dns1.p01.nsone.net
githubcopilot.com       nameserver = dns3.p01.nsone.net
githubcopilot.com       nameserver = dns2.p01.nsone.net

Stefan4731 avatar Oct 24 '25 09:10 Stefan4731

From Spain:

socketz@raspi:~ $ nslookup -type=NS githubcopilot.com
Server:         192.168.1.192
Address:        192.168.1.192#53

Non-authoritative answer:
githubcopilot.com       nameserver = ns-828.awsdns-39.net.
githubcopilot.com       nameserver = ns-1183.awsdns-19.org.
githubcopilot.com       nameserver = ns-1727.awsdns-23.co.uk.
githubcopilot.com       nameserver = ns-271.awsdns-33.com.

Using router:

socketz@raspi:~ $ nslookup -type=NS githubcopilot.com 192.168.1.1
Server:         192.168.1.1
Address:        192.168.1.1#53

Non-authoritative answer:
githubcopilot.com       nameserver = ns-271.awsdns-33.com.
githubcopilot.com       nameserver = ns-828.awsdns-39.net.
githubcopilot.com       nameserver = ns-1183.awsdns-19.org.
githubcopilot.com       nameserver = ns-1727.awsdns-23.co.uk.

Authoritative answers can be found from:
ns-1183.awsdns-19.org   internet address = 205.251.196.159
ns-1727.awsdns-23.co.uk internet address = 205.251.198.191
ns-271.awsdns-33.com    internet address = 205.251.193.15
ns-828.awsdns-39.net    internet address = 205.251.195.60

Anyway, you can use the tools I previously mentioned to see the "propagation" issues; there are some locations that sometimes do not resolve anything:

  - https://dnsmap.io/#NS/githubcopilot.com
  - https://dnschecker.org/#NS/githubcopilot.com
  - https://www.whatsmydns.net/#NS/githubcopilot.com
  - https://www.gdnspc.com/#NS&githubcopilot.com
  - https://www.nslookup.io/domains/githubcopilot.com/dns-propagation/ns/

Also, please do the following and you will see the different behavior with TTL from each DNS provider (using tmux or a different terminal for each command):

while true; do dig +noall +answer "api.individual.githubcopilot.com" @1.1.1.1; sleep 1; done

while true; do dig +noall +answer "api.individual.githubcopilot.com" @8.8.8.8; sleep 1; done

while true; do dig +noall +answer "api.individual.githubcopilot.com" @9.9.9.9; sleep 1; done

socketz avatar Oct 24 '25 21:10 socketz
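
An added example, not part of any comment in this thread: one way to triage the output of the `dig +noall +answer` loops above against the CNAME target and A records that tcbyrd listed, so that the resolver returning an unexpected address can be named in a report. The function names, resolver addresses, timestamps and answer lines in `SAMPLES` are constructed for illustration.

```javascript
// CNAME target and A records that tcbyrd lists in this thread for
// api.*.githubcopilot.com.
const EXPECTED_CNAME = 'glb-db52c2cf8be544.github.com';
const EXPECTED_A = new Set([
  '140.82.112.21', '140.82.112.22', '140.82.113.21',
  '140.82.113.22', '140.82.114.21', '140.82.114.22',
]);

const stripDot = (name) => name.replace(/\.$/, '').toLowerCase();

// Parse `dig +noall +answer` lines: "<name> <ttl> IN <type> <rdata>".
function parseAnswers(text) {
  const records = [];
  for (const line of text.split('\n')) {
    const fields = line.trim().split(/\s+/);
    if (fields.length < 5 || fields[0].startsWith(';') || fields[2] !== 'IN') continue;
    const [name, ttl, , type, rdata] = fields;
    records.push({ name: stripDot(name), ttl: Number(ttl), type, rdata: stripDot(rdata) });
  }
  return records;
}

// Follow the CNAME chain from `hostname`, then judge the A records at its end.
function classifyResponse(hostname, text) {
  const records = parseAnswers(text);
  const chain = [];
  const seen = new Set();
  let current = stripDot(hostname);
  while (!seen.has(current)) { // `seen` guards against CNAME loops
    seen.add(current);
    const cname = records.find((r) => r.type === 'CNAME' && r.name === current);
    if (!cname) break;
    chain.push(cname.rdata);
    current = cname.rdata;
  }
  const finalA = records.filter((r) => r.type === 'A' && r.name === current);
  const unexpected = finalA.filter((r) => !EXPECTED_A.has(r.rdata));
  let verdict = 'ok';
  if (finalA.length === 0) verdict = 'no-answer';
  else if (unexpected.length > 0) verdict = 'unexpected-address';
  return {
    verdict,
    chain,
    viaExpectedCname: chain.includes(EXPECTED_CNAME),
    addresses: finalA.map((r) => r.rdata),
    unexpected: unexpected.map((r) => r.rdata),
    // Remaining TTL of the address records as seen by this resolver.
    ttl: finalA.length ? Math.min(...finalA.map((r) => r.ttl)) : null,
  };
}

// Reduce a capture of many samples to the ones worth reporting.
function findSuspectAnswers(hostname, samples) {
  return samples
    .map((s) => ({ resolver: s.resolver, at: s.at, ...classifyResponse(hostname, s.answer) }))
    .filter((r) => r.verdict !== 'ok');
}

const HOST = 'api.individual.githubcopilot.com';

// Constructed samples: resolver addresses are documentation ranges, TTLs and
// timestamps are made up. Only the A-record values come from the thread.
const SAMPLES = [
  {
    resolver: '192.0.2.53',
    at: '2025-01-01T10:00:00Z',
    answer: [
      'api.individual.githubcopilot.com. 42 IN CNAME glb-db52c2cf8be544.github.com.',
      'glb-db52c2cf8be544.github.com. 17 IN A 140.82.113.21',
    ].join('\n'),
  },
  {
    resolver: '198.51.100.53',
    at: '2025-01-01T10:00:01Z',
    answer: 'api.individual.githubcopilot.com. 9 IN A 140.82.121.3',
  },
  { resolver: '203.0.113.53', at: '2025-01-01T10:00:02Z', answer: '' },
];

for (const s of findSuspectAnswers(HOST, SAMPLES)) {
  console.log(`${s.at} @${s.resolver}: ${s.verdict}`,
    `unexpected=[${s.unexpected}] ttl=${s.ttl} viaExpectedCname=${s.viaExpectedCname}`);
}
```
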

Image

My pihole dns logs, this was logged during the error. My pihole is forced to only use cloudflare 1.1.1.1 & all my dns are routed through this

Sorry, there was a network error. Please try again later. Request id: b7643406-1145-45ba-863a-7d3c0b6737c3

Reason: Please check your firewall rules and network connection then try again. Error Code: net::ERR_CERT_COMMON_NAME_INVALID.
Image

hope it helps. The above nslookup request is routed to pihole

* Host api.individual.githubcopilot.com:443 was resolved.
* IPv6: (none)
* IPv4: 140.82.113.4
*   Trying 140.82.113.4:443...
* Connected to api.individual.githubcopilot.com (140.82.113.4) port 443
* ALPN: curl offers h2,http/1.1
* (304) (OUT), TLS handshake, Client hello (1):
*  CAfile: /etc/ssl/cert.pem
*  CApath: none
* (304) (IN), TLS handshake, Server hello (2):
* (304) (IN), TLS handshake, Unknown (8):
* (304) (IN), TLS handshake, Certificate (11):
* (304) (IN), TLS handshake, CERT verify (15):
* (304) (IN), TLS handshake, Finished (20):
* (304) (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / AEAD-CHACHA20-POLY1305-SHA256 / [blank] / UNDEF
* ALPN: server accepted h2
* Server certificate:
*  subject: CN=github.com
*  start date: Feb  5 00:00:00 2025 GMT
*  expire date: Feb  5 23:59:59 2026 GMT
*  subjectAltName does not match host name api.individual.githubcopilot.com
* SSL: no alternative certificate subject name matches target host name 'api.individual.githubcopilot.com'
* Closing connection
curl: (60) SSL: no alternative certificate subject name matches target host name 'api.individual.githubcopilot.com'
More details here: https://curl.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.

HackStrix avatar Oct 27 '25 15:10 HackStrix

Just got this again. Haven't gotten it in quite a while, and it resolved almost immediately.

## GitHub Copilot Chat

- Extension: 0.33.2 (prod)
- VS Code: 1.106.1 (cb1933bbc38d329b3595673a600fab5c7368f0a7)
- OS: win32 10.0.26100 x64
- GitHub Account: ascott18

## Network

User Settings:
```json
  "github.copilot.advanced.debug.useElectronFetcher": true,
  "github.copilot.advanced.debug.useNodeFetcher": false,
  "github.copilot.advanced.debug.useNodeFetchFetcher": true
```

Connecting to https://api.github.com:
- DNS ipv4 Lookup: 140.82.116.5 (49 ms)
- DNS ipv6 Lookup: Error (25 ms): getaddrinfo ENOTFOUND api.github.com
- Proxy URL: None (7 ms)
- Electron fetch (configured): HTTP 200 (173 ms)
- Node.js https: HTTP 200 (80 ms)
- Node.js fetch: HTTP 200 (169 ms)

Connecting to https://api.enterprise.githubcopilot.com/_ping:
- DNS ipv4 Lookup: 140.82.116.4 (0 ms)
- DNS ipv6 Lookup: Error (1 ms): getaddrinfo ENOTFOUND api.enterprise.githubcopilot.com
- Proxy URL: None (8 ms)
- Electron fetch (configured): Error (59 ms): Error: net::ERR_CERT_COMMON_NAME_INVALID
	at SimpleURLLoaderWrapper.<anonymous> (node:electron/js2c/utility_init:2:10610)
	at SimpleURLLoaderWrapper.emit (node:events:519:28)
	at SimpleURLLoaderWrapper.callbackTrampoline (node:internal/async_hooks:130:17)
- Node.js https: Error (54 ms): Error: Hostname/IP does not match certificate's altnames: Host: api.enterprise.githubcopilot.com. is not in the cert's altnames: DNS:github.com, DNS:www.github.com
	at Object.checkServerIdentity (node:tls:418:12)
	at TLSSocket.onConnectSecure (node:_tls_wrap:1689:27)
	at TLSSocket.emit (node:events:519:28)
	at TLSSocket._finishInit (node:_tls_wrap:1078:8)
	at ssl.onhandshakedone (node:_tls_wrap:864:12)
	at TLSWrap.callbackTrampoline (node:internal/async_hooks:130:17)
- Node.js fetch: Error (60 ms): TypeError: fetch failed
	at node:internal/deps/undici/undici:13510:13
	at process.processTicksAndRejections (node:internal/process/task_queues:105:5)
	at async b3._fetch (c:\Users\Andrew\.vscode\extensions\github.copilot-chat-0.33.2\dist\extension.js:4418:24712)
	at async c:\Users\Andrew\.vscode\extensions\github.copilot-chat-0.33.2\dist\extension.js:4450:190
	at async Gy.h (file:///c:/Users/Andrew/AppData/Local/Programs/Microsoft%20VS%20Code/resources/app/out/vs/workbench/api/node/extensionHostProcess.js:114:41645)
  Error: Hostname/IP does not match certificate's altnames: Host: api.enterprise.githubcopilot.com. is not in the cert's altnames: DNS:github.com, DNS:www.github.com
  	at Object.checkServerIdentity (node:tls:418:12)
  	at TLSSocket.onConnectSecure (node:_tls_wrap:1689:27)
  	at TLSSocket.emit (node:events:519:28)
  	at TLSSocket._finishInit (node:_tls_wrap:1078:8)
  	at ssl.onhandshakedone (node:_tls_wrap:864:12)
  	at TLSWrap.callbackTrampoline (node:internal/async_hooks:130:17)

Connecting to https://proxy.enterprise.githubcopilot.com/_ping:
- DNS ipv4 Lookup: 138.91.182.224 (43 ms)
- DNS ipv6 Lookup: Error (55 ms): getaddrinfo ENOTFOUND proxy.enterprise.githubcopilot.com
- Proxy URL: None (9 ms)
- Electron fetch (configured): HTTP 200 (163 ms)
- Node.js https: HTTP 200 (150 ms)
- Node.js fetch: HTTP 200 (152 ms)

Connecting to https://github.com: HTTP 200 (86 ms)
Connecting to https://telemetry.enterprise.githubcopilot.com/_ping: HTTP 200 (277 ms)

Number of system certificates: 50

## Documentation

In corporate networks: [Troubleshooting firewall settings for GitHub Copilot](https://docs.github.com/en/copilot/troubleshooting-github-copilot/troubleshooting-firewall-settings-for-github-copilot).

ascott18 avatar Nov 23 '25 03:11 ascott18
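
An added example, not part of any comment in this thread: the hostname check behind the `checkServerIdentity (node:tls)` frames above, run against certificate shapes so the github.com-certificate case can be told apart from other name mismatches, plus a per-address probe in the spirit of the `curl --resolve` test earlier in the thread. `identityVerdict`, `probeAddress` and the diagnosis labels are hypothetical names, and the two githubcopilot.com certificate objects are constructed, not the service's real certificates.

```javascript
const tls = require('node:tls');

// Run Node's own hostname check and summarise why a certificate was rejected.
function identityVerdict(hostname, cert) {
  const sans = String(cert.subjectaltname || '')
    .split(', ')
    .filter((n) => n.startsWith('DNS:'))
    .map((n) => n.slice(4));
  const err = tls.checkServerIdentity(hostname, cert);
  if (!err) return { match: true, sans, code: null, diagnosis: 'hostname-covered' };
  // A github.com certificate on a githubcopilot.com name is the signature
  // described in this thread: the address terminates public github.com traffic.
  const diagnosis = sans.includes('github.com') ? 'github.com-frontend' : 'other-mismatch';
  return { match: false, sans, code: err.code, diagnosis };
}

// Connect to one specific address with SNI set to `hostname` and report the
// certificate it presents. Chain validation stays on; only the name check is
// deferred so the certificate can be inspected. No request is sent on the
// socket, and this override must never be used for real traffic.
function probeAddress(hostname, address, timeoutMs = 5000) {
  return new Promise((resolve) => {
    const socket = tls.connect({
      host: address,
      port: 443,
      servername: hostname,
      checkServerIdentity: () => undefined,
    }, () => {
      const cert = socket.getPeerCertificate();
      socket.end();
      resolve({ address, ...identityVerdict(hostname, cert) });
    });
    socket.setTimeout(timeoutMs, () => socket.destroy(new Error('timeout')));
    socket.on('error', (e) => resolve({
      address, match: false, sans: [], code: e.code || e.message, diagnosis: 'connect-failed',
    }));
  });
}

// SAN list as quoted in the Node.js errors in this thread.
const GITHUB_CERT = {
  subject: { CN: 'github.com' },
  subjectaltname: 'DNS:github.com, DNS:www.github.com',
};
// Constructed: a wildcard covers exactly one label, so this does not match
// the two-label prefix "api.individual".
const WILDCARD_CERT = {
  subject: { CN: '*.githubcopilot.com' },
  subjectaltname: 'DNS:*.githubcopilot.com, DNS:githubcopilot.com',
};
// Constructed: an exact SAN entry for the hostname.
const EXACT_CERT = {
  subject: { CN: 'api.individual.githubcopilot.com' },
  subjectaltname: 'DNS:api.individual.githubcopilot.com',
};

const HOST = 'api.individual.githubcopilot.com';
for (const [label, cert] of Object.entries({ GITHUB_CERT, WILDCARD_CERT, EXACT_CERT })) {
  const v = identityVerdict(HOST, cert);
  console.log(`${label}: match=${v.match} diagnosis=${v.diagnosis} code=${v.code}`);
}

// Optional live use: node probe.js --probe <hostname> <ip> [<ip> ...]
if (process.argv[2] === '--probe') {
  const [hostname, ...addresses] = process.argv.slice(3);
  Promise.all(addresses.map((a) => probeAddress(hostname, a)))
    .then((results) => console.table(results));
}
```
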

I'm encountering this again...

2025-11-26 09:35:57.903 [error] Error: Hostname/IP does not match certificate's altnames: Host: api.individual.githubcopilot.com. is not in the cert's altnames: DNS:github.com, DNS:www.github.com
    at Object.checkServerIdentity (node:tls:418:12)
    at TLSSocket.onConnectSecure (node:_tls_wrap:1689:27)
    at TLSSocket.emit (node:events:519:28)
    at TLSSocket._finishInit (node:_tls_wrap:1078:8)
    at TLSWrap.ssl.onhandshakedone (node:_tls_wrap:864:12): Failed to fetch models (28663da9-1581-44f2-b9e6-2a6f33f57759)
2025-11-26 09:36:43.044 [info] [GitExtensionServiceImpl] Initializing Git extension service.
2025-11-26 09:36:43.189 [info] [GitExtensionServiceImpl] Successfully activated the vscode.git extension.
2025-11-26 09:36:43.189 [info] [GitExtensionServiceImpl] Enablement state of the vscode.git extension: true.
2025-11-26 09:36:43.189 [info] [GitExtensionServiceImpl] Successfully registered Git commit message provider.
2025-11-26 09:36:43.430 [info] Logged in as rbleattler
2025-11-26 09:36:43.437 [info] Using the Node fetcher.
2025-11-26 09:36:45.372 [info] Got Copilot token for rbleattler
2025-11-26 09:36:45.372 [info] Copilot Chat: 0.33.3, VS Code: 1.106.3
2025-11-26 09:36:45.385 [info] activationBlocker from 'languageModelAccess' took for 4323ms
2025-11-26 09:36:45.834 [error] Error: Hostname/IP does not match certificate's altnames: Host: api.individual.githubcopilot.com. is not in the cert's altnames: DNS:github.com, DNS:www.github.com
    at Object.checkServerIdentity (node:tls:418:12)
    at TLSSocket.onConnectSecure (node:_tls_wrap:1689:27)
    at TLSSocket.emit (node:events:519:28)
    at TLSSocket._finishInit (node:_tls_wrap:1078:8)
    at TLSWrap.ssl.onhandshakedone (node:_tls_wrap:864:12): Failed to fetch models (413a9db5-c56a-4c19-b7fc-19cf80f3354b)
2025-11-26 09:36:45.912 [info] copilot token chat_enabled: true, sku: plus_monthly_subscriber_quota
2025-11-26 09:36:45.915 [info] Registering default platform agent...
2025-11-26 09:36:45.918 [info] copilot token chat_enabled: true, sku: plus_monthly_subscriber_quota
2025-11-26 09:36:45.918 [info] activationBlocker from 'conversationFeature' took for 4865ms
2025-11-26 09:36:45.935 [info] Successfully activated the GitHub.vscode-pull-request-github extension.
2025-11-26 09:36:45.935 [info] [githubTitleAndDescriptionProvider] Initializing GitHub PR title and description provider provider.
2025-11-26 09:36:45.935 [info] Successfully registered GitHub PR title and description provider.
2025-11-26 09:36:45.935 [info] Successfully registered GitHub PR reviewer comments provider.
2025-11-26 09:36:46.041 [error] Error: Hostname/IP does not match certificate's altnames: Host: api.individual.githubcopilot.com. is not in the cert's altnames: DNS:github.com, DNS:www.github.com
    at Object.checkServerIdentity (node:tls:418:12)
    at TLSSocket.onConnectSecure (node:_tls_wrap:1689:27)
    at TLSSocket.emit (node:events:519:28)
    at TLSSocket._finishInit (node:_tls_wrap:1078:8)
    at TLSWrap.ssl.onhandshakedone (node:_tls_wrap:864:12): Failed to load remote copilot agents
2025-11-26 09:36:46.089 [error] Error: Hostname/IP does not match certificate's altnames: Host: api.individual.githubcopilot.com. is not in the cert's altnames: DNS:github.com, DNS:www.github.com
    at Object.checkServerIdentity (node:tls:418:12)
    at TLSSocket.onConnectSecure (node:_tls_wrap:1689:27)
    at TLSSocket.emit (node:events:519:28)
    at TLSSocket._finishInit (node:_tls_wrap:1078:8)
    at TLSWrap.ssl.onhandshakedone (node:_tls_wrap:864:12): Failed to fetch models (eb05e9f2-ab75-4612-a1b0-32f659a554b1)
2025-11-26 09:36:46.185 [error] Error: Hostname/IP does not match certificate's altnames: Host: api.individual.githubcopilot.com. is not in the cert's altnames: DNS:github.com, DNS:www.github.com
    at Object.checkServerIdentity (node:tls:418:12)
    at TLSSocket.onConnectSecure (node:_tls_wrap:1689:27)
    at TLSSocket.emit (node:events:519:28)
    at TLSSocket._finishInit (node:_tls_wrap:1078:8)
    at TLSWrap.ssl.onhandshakedone (node:_tls_wrap:864:12): Failed to fetch models (d8a36c83-2d78-4a38-b553-2b0f9bb64136)
2025-11-26 09:36:46.332 [info] BYOK: Copilot Chat known models list fetched successfully.
2025-11-26 09:37:53.920 [error] Error: Unable to verify Ollama server version. Please ensure you have Ollama version 0.6.4 or higher installed. If you're running an older version, please upgrade from https://ollama.ai
    at Wk._checkOllamaVersion (c:\Users\rbleattler\.vscode\extensions\github.copilot-chat-0.33.3\dist\extension.js:1125:13037)
    at processTicksAndRejections (node:internal/process/task_queues:105:5)
    at Wk.getAllModels (c:\Users\rbleattler\.vscode\extensions\github.copilot-chat-0.33.3\dist\extension.js:1125:10977)
    at Wk.provideLanguageModelChatInformation (c:\Users\rbleattler\.vscode\extensions\github.copilot-chat-0.33.3\dist\extension.js:1125:8846)
    at uA.$provideLanguageModelChatInfo (file:///c:/Users/rbleattler/AppData/Local/Programs/Microsoft%20VS%20Code/resources/app/out/vs/workbench/api/node/extensionHostProcess.js:116:30605): Error fetching available Ollama models
2025-11-26 09:37:53.992 [error] Error: Hostname/IP does not match certificate's altnames: Host: api.individual.githubcopilot.com. is not in the cert's altnames: DNS:github.com, DNS:www.github.com
    at Object.checkServerIdentity (node:tls:418:12)
    at TLSSocket.onConnectSecure (node:_tls_wrap:1689:27)
    at TLSSocket.emit (node:events:519:28)
    at TLSSocket._finishInit (node:_tls_wrap:1078:8)
    at TLSWrap.ssl.onhandshakedone (node:_tls_wrap:864:12): Failed to fetch models (2b15e75f-6672-4a99-bb6a-41332d9ddc56)
2025-11-26 09:38:06.608 [info] [GitExtensionServiceImpl] Initializing Git extension service.
2025-11-26 09:38:06.749 [info] [GitExtensionServiceImpl] Successfully activated the vscode.git extension.
2025-11-26 09:38:06.749 [info] [GitExtensionServiceImpl] Enablement state of the vscode.git extension: true.
2025-11-26 09:38:06.749 [info] [GitExtensionServiceImpl] Successfully registered Git commit message provider.
2025-11-26 09:38:06.970 [info] Logged in as rbleattler
2025-11-26 09:38:06.977 [info] Using the Node fetcher.
2025-11-26 09:38:08.728 [info] Got Copilot token for rbleattler
2025-11-26 09:38:08.728 [info] Copilot Chat: 0.33.3, VS Code: 1.106.3
2025-11-26 09:38:08.740 [info] activationBlocker from 'languageModelAccess' took for 4094ms
2025-11-26 09:38:09.190 [error] Error: Hostname/IP does not match certificate's altnames: Host: api.individual.githubcopilot.com. is not in the cert's altnames: DNS:github.com, DNS:www.github.com
    at Object.checkServerIdentity (node:tls:418:12)
    at TLSSocket.onConnectSecure (node:_tls_wrap:1689:27)
    at TLSSocket.emit (node:events:519:28)
    at TLSSocket._finishInit (node:_tls_wrap:1078:8)
    at TLSWrap.ssl.onhandshakedone (node:_tls_wrap:864:12): Failed to fetch models (e73fc803-4ed4-4b76-a294-5910a0eab86a)
2025-11-26 09:38:09.264 [info] copilot token chat_enabled: true, sku: plus_monthly_subscriber_quota
2025-11-26 09:38:09.270 [info] Registering default platform agent...
2025-11-26 09:38:09.273 [info] copilot token chat_enabled: true, sku: plus_monthly_subscriber_quota
2025-11-26 09:38:09.273 [info] activationBlocker from 'conversationFeature' took for 4636ms
2025-11-26 09:38:09.421 [info] Successfully activated the GitHub.vscode-pull-request-github extension.
2025-11-26 09:38:09.421 [info] [githubTitleAndDescriptionProvider] Initializing GitHub PR title and description provider provider.
2025-11-26 09:38:09.421 [info] Successfully registered GitHub PR title and description provider.
2025-11-26 09:38:09.421 [info] Successfully registered GitHub PR reviewer comments provider.
2025-11-26 09:38:09.427 [error] Error: Hostname/IP does not match certificate's altnames: Host: api.individual.githubcopilot.com. is not in the cert's altnames: DNS:github.com, DNS:www.github.com
    at Object.checkServerIdentity (node:tls:418:12)
    at TLSSocket.onConnectSecure (node:_tls_wrap:1689:27)
    at TLSSocket.emit (node:events:519:28)
    at TLSSocket._finishInit (node:_tls_wrap:1078:8)
    at TLSWrap.ssl.onhandshakedone (node:_tls_wrap:864:12): Failed to load remote copilot agents
2025-11-26 09:38:09.453 [error] Error: Hostname/IP does not match certificate's altnames: Host: api.individual.githubcopilot.com. is not in the cert's altnames: DNS:github.com, DNS:www.github.com
    at Object.checkServerIdentity (node:tls:418:12)
    at TLSSocket.onConnectSecure (node:_tls_wrap:1689:27)
    at TLSSocket.emit (node:events:519:28)
    at TLSSocket._finishInit (node:_tls_wrap:1078:8)
    at TLSWrap.ssl.onhandshakedone (node:_tls_wrap:864:12): Failed to fetch models (5d5d9e26-71c5-4aa2-90cf-d4ddb5f111e7)
2025-11-26 09:38:09.538 [info] BYOK: Copilot Chat known models list fetched successfully.
2025-11-26 09:38:09.553 [error] Error: Hostname/IP does not match certificate's altnames: Host: api.individual.githubcopilot.com. is not in the cert's altnames: DNS:github.com, DNS:www.github.com
    at Object.checkServerIdentity (node:tls:418:12)
    at TLSSocket.onConnectSecure (node:_tls_wrap:1689:27)
    at TLSSocket.emit (node:events:519:28)
    at TLSSocket._finishInit (node:_tls_wrap:1078:8)
    at TLSWrap.ssl.onhandshakedone (node:_tls_wrap:864:12): Failed to fetch models (60f1fa25-fd76-4a90-84a9-760bc433ad5e)

I am not on a corporate network... When visiting the URL "https://api.individual.githubcopilot.com/" in my browser, the attached cert is what I get back... github.com.pem.txt

Checking the IP address:

Resolve-DnsName -Name api.individual.githubcopilot.com

Name                           Type   TTL   Section    NameHost
----                           ----   ---   -------    --------
api.individual.githubcopilot.c CNAME  1234  Answer     github.com
om

Name       : github.com
QueryType  : A
TTL        : 49
Section    : Answer
IP4Address : 140.82.114.3


Name                   : github.com
QueryType              : SOA
TTL                    : 2930
Section                : Authority
NameAdministrator      : hostmaster.nsone.net
SerialNumber           : 1656468023
TimeToZoneRefresh      : 43200
TimeToZoneFailureRetry : 7200
TimeToExpiration       : 1209600
DefaultTTL             : 3600

When pulling directly from 1.1.1.1:

Resolve-DnsName -Name api.individual.githubcopilot.com -Server 1.1.1.1

Name                           Type   TTL   Section    NameHost
----                           ----   ---   -------    --------
api.individual.githubcopilot.c CNAME  2436  Answer     api.githubcopilot.com
om
api.githubcopilot.com          CNAME  2436  Answer     glb-db52c2cf8be544.github.com

Name       : glb-db52c2cf8be544.github.com
QueryType  : A
TTL        : 60
Section    : Answer
IP4Address : 140.82.112.22


Name                   : github.com
QueryType              : SOA
TTL                    : 703
Section                : Authority
NameAdministrator      : awsdns-hostmaster.amazon.com
SerialNumber           : 1
TimeToZoneRefresh      : 7200
TimeToZoneFailureRetry : 900
TimeToExpiration       : 1209600
DefaultTTL             : 86400

I tried switching fetchers, but so far all it does is change the error message a bit:

2025-11-26 09:56:19.626 [error] Error: net::ERR_CERT_COMMON_NAME_INVALID
    at SimpleURLLoaderWrapper.<anonymous> (node:electron/js2c/utility_init:2:10610)
    at SimpleURLLoaderWrapper.emit (node:events:519:28): Failed to fetch models (e9a006ea-0648-49a8-ae97-f196f1d2f468)

rbleattler Nov 26 '25 14:11

I'm encountering this again...

2025-11-26 09:35:57.903 [error] Error: Hostname/IP does not match certificate's altnames: Host: api.individual.githubcopilot.com. is not in the cert's altnames: DNS:github.com, DNS:www.github.com
    at Object.checkServerIdentity (node:tls:418:12)
    at TLSSocket.onConnectSecure (node:_tls_wrap:1689:27)
    at TLSSocket.emit (node:events:519:28)
    at TLSSocket._finishInit (node:_tls_wrap:1078:8)
    at TLSWrap.ssl.onhandshakedone (node:_tls_wrap:864:12): Failed to fetch models (28663da9-1581-44f2-b9e6-2a6f33f57759)
2025-11-26 09:36:43.044 [info] [GitExtensionServiceImpl] Initializing Git extension service.
2025-11-26 09:36:43.189 [info] [GitExtensionServiceImpl] Successfully activated the vscode.git extension.
2025-11-26 09:36:43.189 [info] [GitExtensionServiceImpl] Enablement state of the vscode.git extension: true.
2025-11-26 09:36:43.189 [info] [GitExtensionServiceImpl] Successfully registered Git commit message provider.
2025-11-26 09:36:43.430 [info] Logged in as rbleattler
2025-11-26 09:36:43.437 [info] Using the Node fetcher.
2025-11-26 09:36:45.372 [info] Got Copilot token for rbleattler
2025-11-26 09:36:45.372 [info] Copilot Chat: 0.33.3, VS Code: 1.106.3
2025-11-26 09:36:45.385 [info] activationBlocker from 'languageModelAccess' took for 4323ms
2025-11-26 09:36:45.834 [error] Error: Hostname/IP does not match certificate's altnames: Host: api.individual.githubcopilot.com. is not in the cert's altnames: DNS:github.com, DNS:www.github.com
    at Object.checkServerIdentity (node:tls:418:12)
    at TLSSocket.onConnectSecure (node:_tls_wrap:1689:27)
    at TLSSocket.emit (node:events:519:28)
    at TLSSocket._finishInit (node:_tls_wrap:1078:8)
    at TLSWrap.ssl.onhandshakedone (node:_tls_wrap:864:12): Failed to fetch models (413a9db5-c56a-4c19-b7fc-19cf80f3354b)
2025-11-26 09:36:45.912 [info] copilot token chat_enabled: true, sku: plus_monthly_subscriber_quota
2025-11-26 09:36:45.915 [info] Registering default platform agent...
2025-11-26 09:36:45.918 [info] copilot token chat_enabled: true, sku: plus_monthly_subscriber_quota
2025-11-26 09:36:45.918 [info] activationBlocker from 'conversationFeature' took for 4865ms
2025-11-26 09:36:45.935 [info] Successfully activated the GitHub.vscode-pull-request-github extension.
2025-11-26 09:36:45.935 [info] [githubTitleAndDescriptionProvider] Initializing GitHub PR title and description provider provider.
2025-11-26 09:36:45.935 [info] Successfully registered GitHub PR title and description provider.
2025-11-26 09:36:45.935 [info] Successfully registered GitHub PR reviewer comments provider.
2025-11-26 09:36:46.041 [error] Error: Hostname/IP does not match certificate's altnames: Host: api.individual.githubcopilot.com. is not in the cert's altnames: DNS:github.com, DNS:www.github.com
    at Object.checkServerIdentity (node:tls:418:12)
    at TLSSocket.onConnectSecure (node:_tls_wrap:1689:27)
    at TLSSocket.emit (node:events:519:28)
    at TLSSocket._finishInit (node:_tls_wrap:1078:8)
    at TLSWrap.ssl.onhandshakedone (node:_tls_wrap:864:12): Failed to load remote copilot agents
2025-11-26 09:36:46.089 [error] Error: Hostname/IP does not match certificate's altnames: Host: api.individual.githubcopilot.com. is not in the cert's altnames: DNS:github.com, DNS:www.github.com
    at Object.checkServerIdentity (node:tls:418:12)
    at TLSSocket.onConnectSecure (node:_tls_wrap:1689:27)
    at TLSSocket.emit (node:events:519:28)
    at TLSSocket._finishInit (node:_tls_wrap:1078:8)
    at TLSWrap.ssl.onhandshakedone (node:_tls_wrap:864:12): Failed to fetch models (eb05e9f2-ab75-4612-a1b0-32f659a554b1)
2025-11-26 09:36:46.185 [error] Error: Hostname/IP does not match certificate's altnames: Host: api.individual.githubcopilot.com. is not in the cert's altnames: DNS:github.com, DNS:www.github.com
    at Object.checkServerIdentity (node:tls:418:12)
    at TLSSocket.onConnectSecure (node:_tls_wrap:1689:27)
    at TLSSocket.emit (node:events:519:28)
    at TLSSocket._finishInit (node:_tls_wrap:1078:8)
    at TLSWrap.ssl.onhandshakedone (node:_tls_wrap:864:12): Failed to fetch models (d8a36c83-2d78-4a38-b553-2b0f9bb64136)
2025-11-26 09:36:46.332 [info] BYOK: Copilot Chat known models list fetched successfully.
2025-11-26 09:37:53.920 [error] Error: Unable to verify Ollama server version. Please ensure you have Ollama version 0.6.4 or higher installed. If you're running an older version, please upgrade from https://ollama.ai
    at Wk._checkOllamaVersion (c:\Users\rbleattler\.vscode\extensions\github.copilot-chat-0.33.3\dist\extension.js:1125:13037)
    at processTicksAndRejections (node:internal/process/task_queues:105:5)
    at Wk.getAllModels (c:\Users\rbleattler\.vscode\extensions\github.copilot-chat-0.33.3\dist\extension.js:1125:10977)
    at Wk.provideLanguageModelChatInformation (c:\Users\rbleattler\.vscode\extensions\github.copilot-chat-0.33.3\dist\extension.js:1125:8846)
    at uA.$provideLanguageModelChatInfo (file:///c:/Users/rbleattler/AppData/Local/Programs/Microsoft%20VS%20Code/resources/app/out/vs/workbench/api/node/extensionHostProcess.js:116:30605): Error fetching available Ollama models
2025-11-26 09:37:53.992 [error] Error: Hostname/IP does not match certificate's altnames: Host: api.individual.githubcopilot.com. is not in the cert's altnames: DNS:github.com, DNS:www.github.com
    at Object.checkServerIdentity (node:tls:418:12)
    at TLSSocket.onConnectSecure (node:_tls_wrap:1689:27)
    at TLSSocket.emit (node:events:519:28)
    at TLSSocket._finishInit (node:_tls_wrap:1078:8)
    at TLSWrap.ssl.onhandshakedone (node:_tls_wrap:864:12): Failed to fetch models (2b15e75f-6672-4a99-bb6a-41332d9ddc56)
2025-11-26 09:38:06.608 [info] [GitExtensionServiceImpl] Initializing Git extension service.
2025-11-26 09:38:06.749 [info] [GitExtensionServiceImpl] Successfully activated the vscode.git extension.
2025-11-26 09:38:06.749 [info] [GitExtensionServiceImpl] Enablement state of the vscode.git extension: true.
2025-11-26 09:38:06.749 [info] [GitExtensionServiceImpl] Successfully registered Git commit message provider.
2025-11-26 09:38:06.970 [info] Logged in as rbleattler
2025-11-26 09:38:06.977 [info] Using the Node fetcher.
2025-11-26 09:38:08.728 [info] Got Copilot token for rbleattler
2025-11-26 09:38:08.728 [info] Copilot Chat: 0.33.3, VS Code: 1.106.3
2025-11-26 09:38:08.740 [info] activationBlocker from 'languageModelAccess' took for 4094ms
2025-11-26 09:38:09.190 [error] Error: Hostname/IP does not match certificate's altnames: Host: api.individual.githubcopilot.com. is not in the cert's altnames: DNS:github.com, DNS:www.github.com
    at Object.checkServerIdentity (node:tls:418:12)
    at TLSSocket.onConnectSecure (node:_tls_wrap:1689:27)
    at TLSSocket.emit (node:events:519:28)
    at TLSSocket._finishInit (node:_tls_wrap:1078:8)
    at TLSWrap.ssl.onhandshakedone (node:_tls_wrap:864:12): Failed to fetch models (e73fc803-4ed4-4b76-a294-5910a0eab86a)
2025-11-26 09:38:09.264 [info] copilot token chat_enabled: true, sku: plus_monthly_subscriber_quota
2025-11-26 09:38:09.270 [info] Registering default platform agent...
2025-11-26 09:38:09.273 [info] copilot token chat_enabled: true, sku: plus_monthly_subscriber_quota
2025-11-26 09:38:09.273 [info] activationBlocker from 'conversationFeature' took for 4636ms
2025-11-26 09:38:09.421 [info] Successfully activated the GitHub.vscode-pull-request-github extension.
2025-11-26 09:38:09.421 [info] [githubTitleAndDescriptionProvider] Initializing GitHub PR title and description provider provider.
2025-11-26 09:38:09.421 [info] Successfully registered GitHub PR title and description provider.
2025-11-26 09:38:09.421 [info] Successfully registered GitHub PR reviewer comments provider.
2025-11-26 09:38:09.427 [error] Error: Hostname/IP does not match certificate's altnames: Host: api.individual.githubcopilot.com. is not in the cert's altnames: DNS:github.com, DNS:www.github.com
    at Object.checkServerIdentity (node:tls:418:12)
    at TLSSocket.onConnectSecure (node:_tls_wrap:1689:27)
    at TLSSocket.emit (node:events:519:28)
    at TLSSocket._finishInit (node:_tls_wrap:1078:8)
    at TLSWrap.ssl.onhandshakedone (node:_tls_wrap:864:12): Failed to load remote copilot agents
2025-11-26 09:38:09.453 [error] Error: Hostname/IP does not match certificate's altnames: Host: api.individual.githubcopilot.com. is not in the cert's altnames: DNS:github.com, DNS:www.github.com
    at Object.checkServerIdentity (node:tls:418:12)
    at TLSSocket.onConnectSecure (node:_tls_wrap:1689:27)
    at TLSSocket.emit (node:events:519:28)
    at TLSSocket._finishInit (node:_tls_wrap:1078:8)
    at TLSWrap.ssl.onhandshakedone (node:_tls_wrap:864:12): Failed to fetch models (5d5d9e26-71c5-4aa2-90cf-d4ddb5f111e7)
2025-11-26 09:38:09.538 [info] BYOK: Copilot Chat known models list fetched successfully.
2025-11-26 09:38:09.553 [error] Error: Hostname/IP does not match certificate's altnames: Host: api.individual.githubcopilot.com. is not in the cert's altnames: DNS:github.com, DNS:www.github.com
    at Object.checkServerIdentity (node:tls:418:12)
    at TLSSocket.onConnectSecure (node:_tls_wrap:1689:27)
    at TLSSocket.emit (node:events:519:28)
    at TLSSocket._finishInit (node:_tls_wrap:1078:8)
    at TLSWrap.ssl.onhandshakedone (node:_tls_wrap:864:12): Failed to fetch models (60f1fa25-fd76-4a90-84a9-760bc433ad5e)

I am not on a corporate network... When visiting the URL "https://api.individual.githubcopilot.com/" in my browser, the attached cert is what I get back... github.com.pem.txt

Checking the IP address:

Resolve-DnsName -Name api.individual.githubcopilot.com

Name                           Type   TTL   Section    NameHost
----                           ----   ---   -------    --------
api.individual.githubcopilot.c CNAME  1234  Answer     github.com
om

Name       : github.com
QueryType  : A
TTL        : 49
Section    : Answer
IP4Address : 140.82.114.3


Name                   : github.com
QueryType              : SOA
TTL                    : 2930
Section                : Authority
NameAdministrator      : hostmaster.nsone.net
SerialNumber           : 1656468023
TimeToZoneRefresh      : 43200
TimeToZoneFailureRetry : 7200
TimeToExpiration       : 1209600
DefaultTTL             : 3600

When pulling directly from 1.1.1.1:

Resolve-DnsName -Name api.individual.githubcopilot.com -Server 1.1.1.1

Name                           Type   TTL   Section    NameHost
----                           ----   ---   -------    --------
api.individual.githubcopilot.c CNAME  2436  Answer     api.githubcopilot.com
om
api.githubcopilot.com          CNAME  2436  Answer     glb-db52c2cf8be544.github.com

Name       : glb-db52c2cf8be544.github.com
QueryType  : A
TTL        : 60
Section    : Answer
IP4Address : 140.82.112.22


Name                   : github.com
QueryType              : SOA
TTL                    : 703
Section                : Authority
NameAdministrator      : awsdns-hostmaster.amazon.com
SerialNumber           : 1
TimeToZoneRefresh      : 7200
TimeToZoneFailureRetry : 900
TimeToExpiration       : 1209600
DefaultTTL             : 86400

This definitely seems to be an issue with infrastructure. It looks to me like somewhere a load balancer, firewall, or some other network appliance is pushing the wrong certificate.

rbleattler Nov 26 '25 14:11
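
Added example, not part of the original comments or of the extension's code: it replays Node's `tls.checkServerIdentity` on the SAN list from the log against the requested host and against the final CNAME target each resolver returned in the `Resolve-DnsName` output, so the triage shows which name the served certificate is actually valid for. The sample log lines and the `RESOLVER_TARGETS` map are constructed from values in this thread; `sanCovers` and `triage` are hypothetical helper names.

```javascript
const tls = require('node:tls');

// Constructed sample, in the shape of the Copilot Chat log lines in this thread.
const SAMPLE_LOG = [
  "2025-11-26 09:36:46.041 [error] Error: Hostname/IP does not match certificate's altnames: Host: api.individual.githubcopilot.com. is not in the cert's altnames: DNS:github.com, DNS:www.github.com",
  "2025-11-26 09:36:46.089 [error] Error: Hostname/IP does not match certificate's altnames: Host: api.individual.githubcopilot.com. is not in the cert's altnames: DNS:github.com, DNS:www.github.com",
  '2025-11-26 09:36:46.332 [info] BYOK: Copilot Chat known models list fetched successfully.',
  '2025-11-26 09:56:19.626 [error] Error: net::ERR_CERT_COMMON_NAME_INVALID',
];

// Last name in the CNAME chain each resolver returned (from the Resolve-DnsName output).
const RESOLVER_TARGETS = {
  'system default': 'github.com',
  '1.1.1.1': 'glb-db52c2cf8be544.github.com',
};

// Matches the detail Node's hostname check puts in its error message.
const NODE_MISMATCH = /Host: (.+?)\. is not in the cert's altnames: (.+)$/;

// True when Node's own hostname check accepts `name` for a cert with this SAN string.
function sanCovers(name, subjectaltname) {
  return tls.checkServerIdentity(name, { subject: {}, subjectaltname }) === undefined;
}

// Group mismatch errors by (requested host, served SAN list), then test each
// resolver's CNAME target against the SAN list the server actually presented.
function triage(lines, resolverTargets) {
  const groups = new Map();
  let electronNameErrors = 0; // the Electron fetcher reports no host or SAN detail
  for (const line of lines) {
    if (line.includes('net::ERR_CERT_COMMON_NAME_INVALID')) electronNameErrors += 1;
    const m = NODE_MISMATCH.exec(line);
    if (!m) continue;
    const key = `${m[1]}|${m[2]}`;
    const g = groups.get(key) || { host: m[1], altnames: m[2], count: 0 };
    g.count += 1;
    groups.set(key, g);
  }
  const findings = [...groups.values()].map((g) => ({
    ...g,
    coversRequestedHost: sanCovers(g.host, g.altnames),
    resolversWhoseTargetCertCovers: Object.entries(resolverTargets)
      .filter(([, target]) => sanCovers(target, g.altnames))
      .map(([resolver]) => resolver),
  }));
  return { findings, electronNameErrors };
}

console.log(JSON.stringify(triage(SAMPLE_LOG, RESOLVER_TARGETS), null, 2));
```

A group whose certificate does not cover the requested host but does cover one resolver's CNAME target means the connection landed on the name that resolver pointed to.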