GitHub Enterprise Personal Access Token fails `reason: unable to verify the first certificate`

[blaylockbk]

• Extension version: v0.46.0
• VSCode Version: 1.69.1
• OS: Linux, via remote ssh from windows

I'm trying to sign into my GitHub Enterprise, but I get the error

request to https://my.github.enterprise.uri/api/v3/ failed, reason: unable to verify the first certificate

Is there a way to overcome the certificate error?

Steps to Reproduce:

I set the setting

"github-enterprise.uri": "https://my.github.enterprise.uri/"

Then I open the GitHub Pull Requests Extension and it gives me this message

The extension 'GitHub Pull Requests and Issues' wants to sign in using GitHub Enterprise

I then enter my PAT

The output shows this error

[Info  - 17:35:21.902] Reading sessions from keychain...
[Info  - 17:37:34.720] Getting sessions for read:user,repo,user:email,workflow...
[Info  - 17:37:34.720] Got 0 sessions for read:user,repo,user:email,workflow...
[Info  - 17:37:34.768] Getting sessions for read:user,repo,user:email...
[Info  - 17:37:34.768] Got 0 sessions for read:user,repo,user:email...
[Info  - 17:37:34.799] Getting sessions for read:user,repo,user:email,workflow...
[Info  - 17:37:34.799] Got 0 sessions for read:user,repo,user:email,workflow...
[Info  - 17:38:14.433] Logging in for the following scopes: read:user repo user:email workflow
[Info  - 17:38:36.782] Getting token scopes...
[Error  - 17:38:36.892] request to https://my.github.enterprise.uri/api/v3/ failed, reason: unable to verify the first certificate
[Error  - 17:38:36.892] Error: network error

[blaylockbk]

Just saw that someone else also had this issue...https://github.com/microsoft/vscode-pull-request-github/issues/2913.

[alexr00]

@blaylockbk could you try the latest VS Code Insiders and the latest pre-release version of GitHub Pull Requests and Issues? You don't need to use a PAT there. If that doesn't work for you please post the GitHub Enterprise version that your organization uses and I'll investigate further from there.

[blaylockbk]

I tried the insiders version, but I still get this message unable to verify the first certificate
(I changed the URLs below to keep them hidden)

[Info] GitHubServer> No response from host https://my.github.enterprise.uri/username/reponame: request to https://my.github.enterprise.uri/api/v3/rate_limit failed, reason: unable to verify the first certificate

We are using the latest GitHub enterprise, version 3.6.

Here is the full OUTPUT log of GitHub Pull Requests

[Info] Registering git provider
[Info] Looking for git repository
[Info] Found 1 repositories during activation
[Info] Git repository found, initializing review manager and pr tree view.
[Info] Review> Validate state in progress
[Info] Review> Validating state...
[Info] Cannot updates repositories as git is uninitialized
[Info] PullRequestTree> Removing PR #undefined from tree
[Info] Review> Queuing additional validate state
[Info] Git initialization state changed: state=initialized
[Info] Review> Queuing additional validate state
[Info] Review> Validating state...
[Info] GitHubServer> No response from host https://my.github.enterprise.uri/username/reponame: request to https://my.github.enterprise.uri/api/v3/rate_limit failed, reason: unable to verify the first certificate
[Info] No remotes found. The following remotes are missing: origin, upstream
[Info] No GitHub remotes found
[Info] Review> no matching pull request metadata found for current branch main
[Info] Review> no matching pull request metadata found on GitHub for current branch main
[Info] PullRequestTree> Removing PR #undefined from tree
[Info] Review> Validating state...
[Info] No remotes found. The following remotes are missing: origin, upstream
[Info] No GitHub remotes found
[Info] Review> no matching pull request metadata found for current branch main
[Info] Review> no matching pull request metadata found on GitHub for current branch main
[Info] PullRequestTree> Removing PR #undefined from tree

[chadhutchins182]

@alexr00 I'm the admin for the GHES that @blaylockbk is using, which I also see the same issues he does. I can attempt to pull some server logs if need be but it's probably on the client end. I've seen the same issue on Windows and SSH Linux via remote.

If it is server side I can put in a help ticket with GitHub using our account.

[alexr00]

@blaylockbk thanks for trying again.

@chadhutchins182 this looks like https://stackoverflow.com/questions/31673587/error-unable-to-verify-the-first-certificate-in-nodejs. Is there a chance that your GHES server is not configured to have all the certificates it needs? I'm not super knowledgeable about this, so I don't have any pointers for how you can check this.

[chadhutchins182]

@alexr00 We did run into issues during our initial install of GHES with our Entrust SSL certificate but we worked with support and was able to resolve the issue.

I'll start a help ticket on our Enterprise account and link this issue thread and see what pops up.

[chadhutchins182]

@alexr00 and @blaylockbk

It does appear to be on our server. I'm working with GitHub Support and our IT department to get it working. I'll reply back once those steps again and have @blaylockbk and I try again.

[alexr00]

@chadhutchins182 thanks for looking into this so thoroughly!

[chadhutchins182]

@blaylockbk I made the SSL update that Support suggested, when you get a chance give it a try.

[blaylockbk]

@chadhutchins182 Looks like whatever change you helped!

I tried these steps in both VS Code and VS Code Insiders and logged in.

I went through the typical sign in routine

And clicked "Allow" and "Open" on other other pop ups. But the login failed.

Here is the OUTPUT for Log (GitHub Enterprise Authentication)

2022-10-17 09:30:07.338 [info] Reading sessions from keychain...
2022-10-17 09:30:08.539 [info] Getting sessions for read:user,repo,user:email,workflow...
2022-10-17 09:30:08.540 [info] Got 0 sessions for read:user,repo,user:email,workflow...
2022-10-17 09:30:08.540 [info] Getting sessions for read:user,repo,user:email...
2022-10-17 09:30:08.540 [info] Got 0 sessions for read:user,repo,user:email...
2022-10-17 09:31:03.270 [info] Getting sessions for read:user,repo,user:email,workflow...
2022-10-17 09:31:03.270 [info] Got 0 sessions for read:user,repo,user:email,workflow...
2022-10-17 09:31:03.272 [info] Getting sessions for read:user,repo,user:email...
2022-10-17 09:31:03.272 [info] Got 0 sessions for read:user,repo,user:email...
2022-10-17 09:31:03.273 [info] Getting sessions for read:user,repo,user:email,workflow...
2022-10-17 09:31:03.273 [info] Got 0 sessions for read:user,repo,user:email,workflow...

The first login attempt failed.

2022-10-17 09:32:19.724 [info] Logging in for the following scopes: read:user repo user:email workflow
2022-10-17 09:32:19.737 [info] Trying without local server... (read:user repo user:email workflow)
2022-10-17 09:32:49.578 [info] Exchanging code for token...
2022-10-17 09:33:50.009 [error] GitHubTokenExchangeError: <!DOCTYPE html PUBLIC '-//W3C//DTD XHTML 1.0 Transitional//EN' 'http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd'><html xmlns='http://www.w3.org/1999/xhtml'><head><meta content='text/html; charset=utf-8' http-equiv='content-type'/><style type='text/css'>body {font-family:Arial; margin-left:40px; }img  { border:0 none; }#content { margin-left: auto; margin-right: auto }#message h2 { font-size: 20px; font-weight: normal; color: #000000; margin: 34px 0px 0px 0px }#message p  { font-size: 13px; color: #000000; margin: 7px 0px 0px0px}#errorref { font-size: 11px; color: #737373; margin-top: 41px }</style><title>Service unavailable</title></head><body><div id='content'><div id='message'><h2>Our services aren't available right now</h2><p>We're working to restore all services as soon as possible. Please check back soon.</p></div><div id='errorref'><span>0soNNYwAAAABl+j23pQFLTpnOaWHK7xknU0pDRURHRTAzMTkANGM0ZDljZjEtNzZhMy00NjRhLThhODgtNTVmNzNiMDk4Mzdl</span></div></div></body></html>
	at h.exchangeCodeForToken (c:\Users\blaylock\AppData\Local\Programs\Microsoft VS Code Insiders\resources\app\extensions\github-authentication\dist\extension.js:1:709451)
	at process.processTicksAndRejections (node:internal/process/task_queues:96:5)
	at async c:\Users\blaylock\AppData\Local\Programs\Microsoft VS Code Insiders\resources\app\extensions\github-authentication\dist\extension.js:1:704598

When I canceled that connection, another pop-up showed and I clicked yes. This second login attempt also failed

2022-10-17 09:34:28.935 [info] Trying with local server... (read:user repo user:email workflow)
2022-10-17 09:34:29.748 [info] Exchanging code for token...
2022-10-17 09:35:30.733 [error] GitHubTokenExchangeError: <!DOCTYPE html PUBLIC '-//W3C//DTD XHTML 1.0 Transitional//EN' 'http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd'><html xmlns='http://www.w3.org/1999/xhtml'><head><meta content='text/html; charset=utf-8' http-equiv='content-type'/><style type='text/css'>body {font-family:Arial; margin-left:40px; }img  { border:0 none; }#content { margin-left: auto; margin-right: auto }#message h2 { font-size: 20px; font-weight: normal; color: #000000; margin: 34px 0px 0px 0px }#message p  { font-size: 13px; color: #000000; margin: 7px 0px 0px0px}#errorref { font-size: 11px; color: #737373; margin-top: 41px }</style><title>Service unavailable</title></head><body><div id='content'><div id='message'><h2>Our services aren't available right now</h2><p>We're working to restore all services as soon as possible. Please check back soon.</p></div><div id='errorref'><span>0FoRNYwAAAABQzWHWZpTUSJ+MijCObAknU0pDRURHRTAzMDkANGM0ZDljZjEtNzZhMy00NjRhLThhODgtNTVmNzNiMDk4Mzdl</span></div></div></body></html>
	at h.exchangeCodeForToken (c:\Users\blaylock\AppData\Local\Programs\Microsoft VS Code Insiders\resources\app\extensions\github-authentication\dist\extension.js:1:709451)
	at process.processTicksAndRejections (node:internal/process/task_queues:96:5)
	at async c:\Users\blaylock\AppData\Local\Programs\Microsoft VS Code Insiders\resources\app\extensions\github-authentication\dist\extension.js:1:705850

The pop-up again said "Login failed. Do you want to try to sign in a different way?" And I clicked yes again, and this third login attempt worked!

2022-10-17 09:36:43.840 [info] Trying device code flow... (read:user repo user:email workflow)
2022-10-17 09:37:04.176 [info] Getting user info...
2022-10-17 09:37:04.365 [info] Got account info!
2022-10-17 09:37:04.365 [info] Storing 1 sessions...
2022-10-17 09:37:04.396 [info] Reading sessions from keychain...
2022-10-17 09:37:04.396 [info] Stored 1 sessions!
2022-10-17 09:37:04.396 [info] Login success!
2022-10-17 09:37:04.425 [info] Got stored sessions!
2022-10-17 09:37:04.425 [info] Got 1 verified sessions.

Thanks @alexr00 for keeping this issue active while we get it resolved on our end.