
[error] Failed: unable to verify the first certificate when trying to install extensions from UI #7028

Open
sgrenf95 opened this issue Oct 7, 2024 · 6 comments
Labels
bug Something isn't working triage This issue needs to be triaged by a maintainer

Comments

@sgrenf95

sgrenf95 commented Oct 7, 2024

Is there an existing issue for this?

  • I have searched the existing issues

OS/Web Information

  • Web Browser: Bing
  • Local OS: MacOS Sonoma Version 14.7 (23H124)
  • Remote OS: Linux 8021b6402892 6.8.8-300.fc40.aarch64 running in a Docker container
  • Remote Architecture: aarch64
  • code-server --version: 4.93.1

Steps to Reproduce

  1. Create a folder .config in your current path: mkdir -p ~/Documents/jupyterlab_upgrade/.config
  2. Create a folder .local in your current path: mkdir -p ~/Documents/jupyterlab_upgrade/.local
  3. Run a container based on the official code-server image (https://hub.docker.com/r/codercom/code-server) by using the command:
docker run -it --name codercom-code-server -p 127.0.0.1:8080:8080 \
  -v "$PWD/.local:/home/coder/.local" \
  -v "$PWD/.config:/home/coder/.config" \
  -v "$PWD:/home/coder/project" \
  -e PUID=1000 \
  -e PGID=1000 \
  codercom/code-server:latest
  4. Access the code-server UI from the browser (Bing) at this address: http://127.0.0.1:8080
  5. Install one extension using the "Extensions" button from the UI

Expected

I would expect to have the extension correctly installed.

Actual

I get an Error: unable to verify the first certificate

Logs

2024-10-07 13:18:22.181 [error] Error: unable to verify the first certificate
    at TLSSocket.onConnectSecure (node:_tls_wrap:1674:34)
    at TLSSocket.emit (node:events:519:28)
    at TLSSocket._finishInit (node:_tls_wrap:1085:8)
    at ssl.onhandshakedone (node:_tls_wrap:871:12)
2024-10-07 13:18:22.196 [error] unable to verify the first certificate: Error: unable to verify the first certificate
    at TLSSocket.onConnectSecure (node:_tls_wrap:1674:34)
    at TLSSocket.emit (node:events:519:28)
    at TLSSocket._finishInit (node:_tls_wrap:1085:8)
    at ssl.onhandshakedone (node:_tls_wrap:871:12)
2024-10-07 13:18:46.634 [error] Error: unable to verify the first certificate
    at TLSSocket.onConnectSecure (node:_tls_wrap:1674:34)
    at TLSSocket.emit (node:events:519:28)
    at TLSSocket._finishInit (node:_tls_wrap:1085:8)
    at ssl.onhandshakedone (node:_tls_wrap:871:12)
2024-10-07 13:18:46.647 [error] unable to verify the first certificate: Error: unable to verify the first certificate
    at TLSSocket.onConnectSecure (node:_tls_wrap:1674:34)
    at TLSSocket.emit (node:events:519:28)
    at TLSSocket._finishInit (node:_tls_wrap:1085:8)
    at ssl.onhandshakedone (node:_tls_wrap:871:12)

Screenshot/Video

No response

Does this bug reproduce in native VS Code?

This cannot be tested in native VS Code

Does this bug reproduce in GitHub Codespaces?

I did not test GitHub Codespaces

Are you accessing code-server over a secure context?

  • I am using a secure context.

Notes

No response

@sgrenf95 sgrenf95 added bug Something isn't working triage This issue needs to be triaged by a maintainer labels Oct 7, 2024
@code-asher
Member

Are you using a proxy? This error suggests you have a proxy and will need to configure code-server with the proxy's certificate.

Or, it could be that the system is missing the standard certificates.

From the remote machine, are you able to curl open-vsx.org?

@ParticleG

ParticleG commented Mar 21, 2025

> Are you using a proxy? This error suggests you have a proxy and will need to configure code-server with the proxy's certificate.
>
> Or, it could be that the system is missing the standard certificates.
>
> From the remote machine, are you able to curl open-vsx.org?

Same problem here. I'm using code-marketplace instead of the standard open-vsx since we are in a closed network environment. I deployed the code marketplace in the docker container and proxied it with Nginx, as well as a self-signed certificate created by a custom root CA. When I test extension installation on code-server on a physical Ubuntu server (which is also the host of the docker containers), it fails with "unable to verify the first certificate". I've already put the root CA into /usr/local/share/ca-certificates and run update-ca-certificates on both the host machine and docker images, and I've heard that node uses its own trusted CA list. How can I add our root CA to the code-server? I've tried the NODE_EXTRA_CA_CERTS env variable, but it does not work.

@code-asher
Member

code-asher commented Mar 26, 2025

Does that error appear in the browser logs or the remote logs? Requests to the marketplace can be made both from the browser and the remote where code-server is running, so maybe one is configured properly but not the other.

But, it sounds like the error comes from the remote, in which case I would expect NODE_EXTRA_CA_CERTS to do the trick. Is it possible it was set in a way that code-server did not pick it up? Are you just doing an ENV in the Dockerfile before launching code-server or something else?

@ParticleG

ParticleG commented Mar 27, 2025

> Does that error appear in the browser logs or the remote logs? Request to the marketplace can be made both from the browser and the remote where code-server is running, so maybe one is configured properly but not the other.
>
> But, it sounds like the error comes from the remote, in which case I would expect NODE_EXTRA_CA_CERTS to do the trick. Is it possible it was set in a way that code-server did not pick it up? Are you just doing an ENV in the Dockerfile before launching code-server or something else?

Thank you for the reply. I passed a single .crt file to NODE_EXTRA_CA_CERTS, which didn't work. It turns out that I should use export NODE_EXTRA_CA_CERTS=/etc/SSL/certs/ca-certificates.crt instead, which would work without any problem.

> Does that error appear in the browser logs or the remote logs?

I tried both browsers and NodeJS. The browser can display the extension list and extension details, but when I click Install, it just throws this error. I assume the WebUI calls the NodeJS API to install the extension, so it just gives the same error as NodeJS.

> Are you just doing an ENV in the Dockerfile before launching code-server or something else?

I'm using Terraform to create infrastructures, and there is one resource named coder_env which would add environmental variables to the agent (which I guess just injects env into the docker container).

@code-asher
Member

> It turns out that I should use export NODE_EXTRA_CA_CERTS=/etc/SSL/certs/ca-certificates.crt instead

Oh interesting! I wonder if the single .crt you were using was just the leaf or root cert or something. I think Node requires the full chain, now that I think about it. Glad you got it working!

> I assume the WebUI calls the NodeJS API to install the extension

Yup, exactly. The list and details are done by calling the API directly from the browser, but the install happens on the backend.

@ParticleG

> > It turns out that I should use export NODE_EXTRA_CA_CERTS=/etc/SSL/certs/ca-certificates.crt instead
>
> Oh, interesting! I wonder if the single .crt you were using was just the leaf or root cert or something. Now that I think about it, Node requires the full chain. Glad you got it working!
>
> > I assume the WebUI calls the NodeJS API to install the extension
>
> Yup, exactly. The list and details are done by calling the API directly from the browser, but the install happens on the backend.

Yes, that single .crt file is just the root CA; we also have an intermediate CA, so yes, it's not the full chain.
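
The resolution reached in this thread, reproduced offline as an added example (not code from the issue or from code-server): a constructed root, intermediate and leaf are generated with the openssl CLI, and the leaf is verified against a root-only CA file and against a bundle that also holds the intermediate. All subject names and file names are placeholders, the openssl CLI is assumed to be installed, and the optional third argument of `chain_ok` goes slightly beyond the thread by modelling a server that sends its intermediate.

```shell
#!/bin/sh
# Added example: constructed PKI, all names and file names are placeholders.
# Assumes the openssl CLI is installed.

# make_chain DIR: create root.crt, int.crt, leaf.crt and bundle.pem in DIR.
make_chain() (
  cd "$1" || exit 1
  printf '%s\n' '[req]' 'distinguished_name = dn' 'prompt = no' \
    '[dn]' 'CN = unused' '[v3_ca]' 'basicConstraints = critical,CA:TRUE' \
    'keyUsage = critical,keyCertSign,cRLSign' > ca.cnf
  new_csr() {  # new_csr NAME COMMON_NAME -> NAME.key, NAME.csr
    openssl req -new -config ca.cnf -newkey rsa:2048 -nodes \
      -subj "/CN=$2" -keyout "$1.key" -out "$1.csr" 2>/dev/null
  }
  sign() {     # sign NAME ISSUER [extra x509 options] -> NAME.crt
    n=$1 ca=$2; shift 2
    openssl x509 -req -in "$n.csr" -CA "$ca.crt" -CAkey "$ca.key" \
      -CAcreateserial -days 2 -out "$n.crt" "$@" 2>/dev/null
  }
  openssl req -x509 -config ca.cnf -extensions v3_ca -newkey rsa:2048 -nodes \
    -days 2 -subj "/CN=Constructed Root CA" -keyout root.key -out root.crt \
    2>/dev/null &&
  new_csr int "Constructed Intermediate CA" &&
  sign int root -extfile ca.cnf -extensions v3_ca &&
  new_csr leaf "marketplace.example.internal" &&
  sign leaf int &&
  cat int.crt root.crt > bundle.pem   # intermediate + root: the full CA chain
)

# chain_ok CAFILE LEAF [SENT]: succeeds only if LEAF chains to a root in CAFILE.
# SENT is an optional file of certificates the server sends with its leaf.
chain_ok() {
  openssl verify -CAfile "$1" ${3:+-untrusted "$3"} "$2" >/dev/null 2>&1
}

# Demo: the same leaf checked against two different trust files.
d=$(mktemp -d) && make_chain "$d" && for ca in root.crt bundle.pem; do
  if chain_ok "$d/$ca" "$d/leaf.crt"; then
    echo "trust=$ca: leaf verifies"
  else
    echo "trust=$ca: leaf does NOT verify (issuer of leaf is unknown)"
  fi
done
rm -rf "$d"
```

Calling `chain_ok root.crt leaf.crt int.crt` also succeeds: when the TLS endpoint serves the intermediate along with its leaf, a client that trusts only the root can still build the chain.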
