copilot chat in vscode: "certificate has expired"

[lhoekenga]

My organization gave me a Copilot seat today. When I try to use Copilot chat in VSCode, it tells me certificate has expired. Copilot code completion seems to be working, though.

I've read suggestions that maybe my system time is off, but NTP time synchronization is forced on by my organization. It's using time.apple.com as the NTP server.

I can use Copilot chat from Github Codespaces. I can use it from PyCharm (JetBrains IDE), so I know I have a license. I can access api.githubcopilot.com from desktop browsers and curl / wget in my terminal. I don't seem to be having DNS resolution issues.

I think I've included the relevant logs.

• Copilot Chat Extension Version: 0.17.1
• VS Code Version: 1.91.1 (Universal)
• OS Version: MacOS 14.6
• Logs:

  • Copilot collect diagnostics

## Copilot

- Version: 1.219.0
- Build: prod
- Editor: vscode/1.91.1

## Environment

- http_proxy: n/a
- https_proxy: n/a
- no_proxy: n/a
- SSL_CERT_FILE: n/a
- SSL_CERT_DIR: n/a
- OPENSSL_CONF: n/a

## Feature Flags

- Send Restricted Telemetry: disabled
- Chat: enabled

## Node setup

- Number of root certificates: 141
- Operating system: Darwin
- Operating system version: 23.6.0
- Operating system architecture: arm64
- NODE_OPTIONS: n/a
- NODE_EXTRA_CA_CERTS: n/a
- NODE_TLS_REJECT_UNAUTHORIZED: n/a
- tls default min version: TLSv1.2
- tls default max version: TLSv1.3

## Network Configuration

- Proxy host: n/a
- Proxy port: n/a
- Kerberos SPN: n/a
- Reject unauthorized: disabled
- Fetcher: HelixFetcher

## Reachability

- github.com: HTTP 200
- api.github.com: HTTP 200
- proxy.business.githubcopilot.com: HTTP 200
- api.business.githubcopilot.com: HTTP 200
- default.exp-tas.com: HTTP 200

## VS Code Configuration

- HTTP proxy: 
- HTTP proxy authentication: n/a
- Proxy Strict SSL: true
- Extension HTTP proxy support: override

## Extensions

- Is `win-ca` installed?: false
- Is `mac-ca` installed?: false

## Authentication

- GitHub username: lhoekenga

• Copilot chat diagnostics

## GitHub Copilot Chat

- Extension Version: 0.17.1 (prod)
- VS Code: vscode/1.91.1
- OS: Mac

## Network

User Settings:
```json
  "github.copilot.advanced": {
    "debug.useElectronFetcher": false,
    "debug.useNodeFetcher": false
  }

DNS Lookup api.githubcopilot.com: 140.82.113.21

Fetching https://api.githubcopilot.com/_ping:
- Electron Fetcher: HTTP 200
- Node Fetcher: HTTP 200
- Helix Fetcher (configured): HTTP 200

• Network Proxy Test: Test Network Connection

Note: Make sure to replace all sensitive information with dummy values before sharing this output.

VS Code 1.91.1 (f1e16e1e6214d7c44d078b1f0607b2388f29d729)
Network Proxy Test 0.0.12
darwin 23.6.0 arm64

Settings:
- http.proxy: 
- http.proxyAuthorization: null
- http.proxyStrictSSL: true
- http.proxySupport: override
- http.systemCertificates: true

Environment variables:

Sending GET request to https://api.githubcopilot.com/_ping...
vscode-proxy-agent: DIRECT
Received response:
- Status: 200 OK
Certificate chain:
- Subject: *.githubcopilot.com (GitHub, Inc.)
  Subject alt: DNS:*.githubcopilot.com, DNS:githubcopilot.com
  Validity: Aug 16 00:00:00 2023 GMT - Aug 16 23:59:59 2024 GMT
  Fingerprint: 54:59:1F:F1:6B:26:2F:B0:BC:68:70:BE:9F:E9:06:B3:37:7A:8A:9D
- Subject: DigiCert Global G2 TLS RSA SHA256 2020 CA1 (DigiCert Inc)
  Validity: Mar 30 00:00:00 2021 GMT - Mar 29 23:59:59 2031 GMT
  Fingerprint: 1B:51:1A:BE:AD:59:C6:CE:20:70:77:C0:BF:0E:00:43:B1:38:26:12
- Subject: DigiCert Global Root G2 (DigiCert Inc)
  Validity: Aug  1 12:00:00 2013 GMT - Jan 15 12:00:00 2038 GMT
  Fingerprint: DF:3C:24:F9:BF:D6:66:76:1B:26:80:73:FE:06:D1:CC:8D:4F:82:A4
  Self-signed
Local root certificates:
- Subject: C=US O=DigiCert Inc OU=www.digicert.com CN=DigiCert Global Root G2 (built-in)
  Validity: Aug  1 12:00:00 2013 GMT - Jan 15 12:00:00 2038 GMT
  Fingerprint: DF:3C:24:F9:BF:D6:66:76:1B:26:80:73:FE:06:D1:CC:8D:4F:82:A4
  Issuer: C=US O=DigiCert Inc OU=www.digicert.com CN=DigiCert Global Root G2

Sending GET request to https://api.githubcopilot.com/_ping using fetch API...
Received response:
- Status: 200 

Steps to Reproduce:

1. open chat window, "/explain something"
2. "Certficate has expired"

[lhoekenga]

I tried it again today, and it's working. Weird.

[RozenKristal]

I tried it again today, and it's working. Weird.

and I am having this issue again. Once in a while copilot broke and I have no idea why.... This is really annoying for a paid product.

[streude]

I'm having the same problem.

[lhoekenga]

Reopening because other people are running into it.. And apparently, so am I.

Encountered an error while deciding what workspace information to collect: (failed) Please check your firewall rules and network connection then try again. Error Code: CERT_HAS_EXPIRED.

[lhoekenga]

Copilot collect diagnostics

## Copilot

- Version: 1.220.0
- Build: prod
- Editor: vscode/1.92.0

## Environment

- http_proxy: n/a
- https_proxy: n/a
- no_proxy: n/a
- SSL_CERT_FILE: n/a
- SSL_CERT_DIR: n/a
- OPENSSL_CONF: n/a

## Feature Flags

- Send Restricted Telemetry: disabled
- Chat: enabled

## Node setup

- Number of root certificates: 147
- Operating system: Darwin
- Operating system version: 23.6.0
- Operating system architecture: arm64
- NODE_OPTIONS: n/a
- NODE_EXTRA_CA_CERTS: n/a
- NODE_TLS_REJECT_UNAUTHORIZED: n/a
- tls default min version: TLSv1.2
- tls default max version: TLSv1.3

## Network Configuration

- Proxy host: n/a
- Proxy port: n/a
- Kerberos SPN: n/a
- Reject unauthorized: disabled
- Fetcher: HelixFetcher

## Reachability

- github.com: HTTP 200
- api.github.com: HTTP 200
- copilot-proxy.githubusercontent.com: HTTP 200
- api.githubcopilot.com: HTTP 200
- default.exp-tas.com: HTTP 200

## VS Code Configuration

- HTTP proxy: 
- HTTP proxy authentication: n/a
- Proxy Strict SSL: true
- Extension HTTP proxy support: override

## Extensions

- Is `win-ca` installed?: false
- Is `mac-ca` installed?: false

## Authentication

- GitHub username: lhoekenga

Copliot Chat Diagnostics

## GitHub Copilot Chat

- Extension Version: 0.18.1 (prod)
- VS Code: vscode/1.92.0
- OS: Mac

## Network

User Settings:
json
  "github.copilot.advanced": {
    "debug.useElectronFetcher": false,
    "debug.useNodeFetcher": false
  }

Connecting to https://api.github.com:
- DNS Lookup: 140.82.114.6
- Electron Fetcher: HTTP 200
- Node Fetcher: HTTP 200
- Helix Fetcher (configured): HTTP 200

Connecting to https://api.githubcopilot.com/_ping:
- DNS Lookup: 140.82.114.22
- Electron Fetcher: HTTP 200
- Node Fetcher: HTTP 200
- Helix Fetcher (configured): Error: certificate has expired

## Documentation

In corporate networks: [Troubleshooting firewall settings for GitHub Copilot](https://docs.github.com/en/copilot/troubleshooting-github-copilot/troubleshooting-firewall-settings-for-github-copilot).

Network Proxy Test: Test Network Connection

Note: Make sure to replace all sensitive information with dummy values before sharing this output.

VS Code 1.92.0 (b1c0a14de1414fcdaa400695b4db1c0799bc3124)
Network Proxy Test 0.0.12
darwin 23.6.0 arm64

Settings:
- http.proxy: 
- http.proxyAuthorization: null
- http.proxyStrictSSL: true
- http.proxySupport: override
- http.systemCertificates: true

Environment variables:

Sending GET request to https://api.githubcopilot.com/_ping...
vscode-proxy-agent: DIRECT
Received response:
- Status: 200 OK
Certificate chain:
- Subject: *.githubcopilot.com
  Subject alt: DNS:*.githubcopilot.com, DNS:githubcopilot.com
  Validity: Aug  1 00:00:00 2024 GMT - Aug  1 23:59:59 2025 GMT
  Fingerprint: 8D:C4:7D:28:E8:BF:72:45:F8:F8:C1:40:90:93:7F:09:EC:6B:3D:6F
- Subject: Sectigo RSA Domain Validation Secure Server CA (Sectigo Limited)
  Validity: Nov  2 00:00:00 2018 GMT - Dec 31 23:59:59 2030 GMT
  Fingerprint: 33:E4:E8:08:07:20:4C:2B:61:82:A3:A1:4B:59:1A:CD:25:B5:F0:DB
- Subject: USERTrust RSA Certification Authority (The USERTRUST Network)
  Validity: Mar 12 00:00:00 2019 GMT - Dec 31 23:59:59 2028 GMT
  Fingerprint: D8:9E:3B:D4:3D:5D:90:9B:47:A1:89:77:AA:9D:5C:E3:6C:EE:18:4C
- Subject: AAA Certificate Services (Comodo CA Limited)
  Validity: Jan  1 00:00:00 2004 GMT - Dec 31 23:59:59 2028 GMT
  Fingerprint: D1:EB:23:A4:6D:17:D6:8F:D9:25:64:C2:F1:F1:60:17:64:D8:E3:49
  Self-signed
Local root certificates:
- Subject: C=GB ST=Greater Manchester L=Salford O=Comodo CA Limited CN=AAA Certificate Services (built-in and OS)
  Validity: Jan  1 00:00:00 2004 GMT - Dec 31 23:59:59 2028 GMT
  Fingerprint: D1:EB:23:A4:6D:17:D6:8F:D9:25:64:C2:F1:F1:60:17:64:D8:E3:49
  Issuer: C=GB ST=Greater Manchester L=Salford O=Comodo CA Limited CN=AAA Certificate Services

Sending GET request to https://api.githubcopilot.com/_ping using fetch API...
Received response:
- Status: 200 

[hf-krechan]

Yes I am encountering the same error.

Here my diagnostics

GitHub Copilot Diagnostics

## Copilot

- Version: 1.221.0
- Build: prod
- Editor: vscode/1.92.0

## Environment

- http_proxy: n/a
- https_proxy: n/a
- no_proxy: n/a
- SSL_CERT_FILE: n/a
- SSL_CERT_DIR: n/a
- OPENSSL_CONF: n/a

## Feature Flags

- Send Restricted Telemetry: disabled
- Chat: enabled

## Node setup

- Number of root certificates: 147
- Operating system: Darwin
- Operating system version: 23.5.0
- Operating system architecture: arm64
- NODE_OPTIONS: n/a
- NODE_EXTRA_CA_CERTS: n/a
- NODE_TLS_REJECT_UNAUTHORIZED: n/a
- tls default min version: TLSv1.2
- tls default max version: TLSv1.3

## Network Configuration

- Proxy host: n/a
- Proxy port: n/a
- Kerberos SPN: n/a
- Reject unauthorized: disabled
- Fetcher: HelixFetcher

## Reachability

- github.com: HTTP 200
- api.github.com: HTTP 200
- copilot-proxy.githubusercontent.com: HTTP 200
- api.githubcopilot.com: certificate has expired
- default.exp-tas.com: HTTP 200

## VS Code Configuration

- HTTP proxy: 
- HTTP proxy authentication: n/a
- Proxy Strict SSL: true
- Extension HTTP proxy support: override

## Extensions

- Is `win-ca` installed?: false
- Is `mac-ca` installed?: false

## Authentication

- GitHub username: hf-krechan

[dinhngockhanh]

Also having this issue.

[lhoekenga]

Completely wiping VSCode from my computer and deleting it's preferences, and then reinstalling everything seems to have fixed it. Not exactly convenient.

[shirschfield]

Also having this issue

[RozenKristal]

So i looked a bit more into this and it seems the SSL cert used by api.github.com and api.githubcopilot.com has expired.

Both Node Fetcher and Helix Fetcher showing certificate has expired.

[KaliaHayes]

Installing Copilot v17.2 worked for me. v19 is acting up.

I'm running VSC Insiders Version: 1.93.0-insider (Universal) btw!

[johnisanerd]

I am having this issue this morning. Went down a hole trying to make sure my sntp is working; my time is synched.

[streude]

Someone else posted this earlier, but I can't find it now. It worked for me:

Open up Keychain Access
View > Show Expired Certificates
Sort the login keychain by expire date
Look for a set of 3 certificates (AddTrust and USERTRUST and one other) that had expired May 30, 2020 (the expired ones you need to remove may be something else)
Delete those certificates

[sarmortez]

This worked for me! Thank you

[RozenKristal]

Someone else posted this earlier, but I can't find it now. It worked for me:

Open up Keychain Access
View > Show Expired Certificates
Sort the login keychain by expire date
Look for a set of 3 certificates (AddTrust and USERTRUST and one other) that had expired May 30, 2020 (the expired ones you need to remove may be something else)
Delete those certificates

is there an equivalent for vscode?

[streude]

Someone else posted this earlier, but I can't find it now. It worked for me:

Open up Keychain Access
View > Show Expired Certificates
Sort the login keychain by expire date
Look for a set of 3 certificates (AddTrust and USERTRUST and one other) that had expired May 30, 2020 (the expired ones you need to remove may be something else)
Delete those certificates

is there an equivalent for vscode?

I used this to fix VSCode.

[RozenKristal]

Someone else posted this earlier, but I can't find it now. It worked for me:

Open up Keychain Access
View > Show Expired Certificates
Sort the login keychain by expire date
Look for a set of 3 certificates (AddTrust and USERTRUST and one other) that had expired May 30, 2020 (the expired ones you need to remove may be something else)
Delete those certificates

is there an equivalent for vscode?

I used this to fix VSCode.

On windows I mean. Sorry for the confusion.

[streude]

Someone else posted this earlier, but I can't find it now. It worked for me:

Open up Keychain Access
View > Show Expired Certificates
Sort the login keychain by expire date
Look for a set of 3 certificates (AddTrust and USERTRUST and one other) that had expired May 30, 2020 (the expired ones you need to remove may be something else)
Delete those certificates

is there an equivalent for vscode?

I used this to fix VSCode.

On windows I mean. Sorry for the confusion.

no problem! I'm sorry, I haven't seen a solution for Windows.

[RozenKristal]

Thanks, this prob wont work for me cause i dont have total control of my laptop. My org does -_-

[IMMontoya]

Someone else posted this earlier, but I can't find it now. It worked for me:

Open up Keychain Access
View > Show Expired Certificates
Sort the login keychain by expire date
Look for a set of 3 certificates (AddTrust and USERTRUST and one other) that had expired May 30, 2020 (the expired ones you need to remove may be something else)
Delete those certificates

This worked for me. Thank you! For anyone wondering this relevant to Mac OS. Make sure you are looking in the login keychain tab.

[himmetozcan]

In windows: Press Win + R to open the Run dialog. Type certmgr.msc and press Enter. This opens the Certificate Manager. Right-Click on Certificates-Current User and click "Find Certificates" search for "addtrust" In my case, there were 4 certificates with expiration dates 30.05.2020 Delete all 4 and restart vscode.

[abehbood]

Is there any solution for Linux OS for the same problem?

[quinton-ashley]

Didn't work for me on macOS. Still having this issue:

2024-08-09 12:23:18.071 [error] ZV: certificate has expired
    at Yde (/Users/qashto/.vscode-insiders/extensions/github.copilot-chat-0.19.2024080801/dist/extension.js:21:29516)
    at processTicksAndRejections (node:internal/process/task_queues:95:5)
    at NUe (/Users/qashto/.vscode-insiders/extensions/github.copilot-chat-0.19.2024080801/dist/extension.js:21:31538)
    at CI.fetch (/Users/qashto/.vscode-insiders/extensions/github.copilot-chat-0.19.2024080801/dist/extension.js:751:2373)
    at Jm._fetchModels (/Users/qashto/.vscode-insiders/extensions/github.copilot-chat-0.19.2024080801/dist/extension.js:1449:16231)

[aj501]

same issue for me. I worked couple days before. Mac M1. I've tried to delete couple of the expired certs but didn't work either. I'm only having problem with VS Code. It works on intelliJ though

[RozenKristal]

In windows: Press Win + R to open the Run dialog. Type certmgr.msc and press Enter. This opens the Certificate Manager. Right-Click on Certificates-Current User and click "Find Certificates" search for "addtrust" In my case, there were 4 certificates with expiration dates 30.05.2020 Delete all 4 and restart vscode.

shoot. I got access denied :( What a pain.

[alexdima]

Could you please try the following setting and reload VS Code:

"github.copilot.advanced": {
    "debug.useElectronFetcher": true
}

[alexdima]

I have reviewed our code and for the HelixFetcher we are not filtering out expired certificates when reading them from the OS.

[alexdima]

This is now fixed and is part of the 0.18.2 GitHub Copilot Chat release.

[AMABK]

I am still getting this error. Extremely annoying for a paid product 024-08-20 21:03:12.571 [info] [certificates] Removed 3 expired certificates 2024-08-20 21:03:14.205 [error] [auth] auth: FetchError: .... ts:58:9) { type: 'system', _name: 'FetchError', code: 'ETIMEDOUT', errno: undefined, erroredSysCall: undefined

[chrmarti]

@AMABK This looks different, please open a new issue with the output from F1 > Developer: GitHub Copilot Chat Diagnostics in VS Code.