System Certificates: Support trusted intermediate CAs #177139

Open
AdmiralrRicha opened this issue Mar 14, 2023 · 26 comments
Labels: feature-request (Request for new features or functionality), proxy (Issues regarding network proxies)

Comments

AdmiralrRicha (Author) commented Mar 14, 2023

Type: Bug

  1. Log into a company account in Windows.
  2. Click the Account icon and choose "Sign in to sync settings".
  3. In the pop-up window, choose the account you are already logged in with.
  4. It says "You are signed in now and can close this page."
  5. Nothing changes; you are still not logged in.

VS Code version: Code 1.76.1 (5e805b7, 2023-03-08T16:32:00.131Z)
OS version: Windows_NT x64 10.0.19044
Modes:
Sandboxed: No

System Info
CPUs: Intel(R) Core(TM) i9-10885H CPU @ 2.40GHz (16 x 2400)
GPU Status: 2d_canvas: enabled; canvas_oop_rasterization: disabled_off; direct_rendering_display_compositor: disabled_off_ok; gpu_compositing: enabled; multiple_raster_threads: enabled_on; opengl: enabled_on; rasterization: enabled; raw_draw: disabled_off_ok; skia_renderer: enabled_on; video_decode: enabled; video_encode: enabled; vulkan: disabled_off; webgl: enabled; webgl2: enabled; webgpu: disabled_off
Load (avg): undefined
Memory (System): 31.75GB (17.62GB free)
Process Argv: --crash-reporter-id ccb873f8-d593-4eb5-bc2f-906204f79c83
Screen Reader: no
VM: 0%
Extensions (8)
Extension | Author (truncated) | Version
monokai-charcoal-high-contrast | 74t | 3.4.0
jsonviewer | cci | 1.3.2
format-json | Cle | 1.0.3
terraform | has | 2.25.4
prettify-json | moh | 0.0.3
vscode-docker | ms- | 1.24.0
remote-containers | ms- | 0.282.0
color-highlight | nau | 2.5.0

(7 theme extensions excluded)


8ueye8 commented Mar 16, 2023

I have the same issue, also on a company account. I see this error in the logs:
[screenshot of the log]

TylerLeonhardt (Member) commented Mar 17, 2023

Do either of you have a corporate proxy in effect on your machine? @AdmiralrRicha do you have the same error in the Microsoft Authentication Output?

@TylerLeonhardt TylerLeonhardt added the info-needed Issue requires more information from poster label Mar 17, 2023
AdmiralrRicha (Author) commented Mar 20, 2023

I'm not sure; how shall I verify with the Microsoft Authentication output?
I do have a corporate proxy/VPN, and that comes along with the AD account. But the problem is, I was able to log in initially right after VS Code got installed, but when I tried signing off and signing in again, this issue happened.

@8ueye8 I do see the same error message pop up ('Network failure').

8ueye8 commented Mar 20, 2023

No VPNs that I know of were active at the time. There may be a corporate proxy in the background, but that shouldn't be an issue, since I was able to log in before on my previous laptop. The issue only started when I was issued a new laptop and tried to log in and sync my settings.

AdmiralrRicha (Author) commented

> No VPNs that I know of were active at the time. There may be a corporate proxy in the background, but that shouldn't be an issue, since I was able to log in before on my previous laptop. The issue only started when I was issued a new laptop and tried to log in and sync my settings.

In my case I logged in successfully, and actually automatically, when I first installed VS Code on my machine. It only happens when I log out and try to log back in.

WyjCC commented Mar 28, 2023

> I have the same issue, also on a company account. I see this error in the logs: [screenshot of the log]

I have the same issue too. On my company PC, I can sign in successfully with Microsoft AD; but on my own PC, I can't sign in.

8ueye8 commented Mar 28, 2023

I've resolved this issue by reimaging my PC with Windows 10, signing in and then upgrading to Windows 11. I know it's not the best solution, but hopefully it helps diagnose the issue.

When I previously encountered the issue, I had just reset the laptop from within Windows 11 and tried to sign in once the reset was done.

Maybe it's a Win10 vs Win11 issue?

AdmiralrRicha (Author) commented

I can't reimage my system, as I'm running a corporate system; a rebuild will lose everything. It acquired the login successfully on the initial try, but failed in the following attempts. If it succeeded once, it should have no permission issue. When it failed on the second attempt, maybe it was looking in the wrong place? I mean for the authorization process.

TylerLeonhardt (Member) commented

Do you have any proxy-related settings set in VS Code? Do you have a system environment variable like HTTP_PROXY set?

chrmarti (Collaborator) commented

> I have the same issue, also on a company account. I see this error in the logs:
> [screenshot of the log]

@8ueye8 "certificate has expired" suggests that you have an old certificate in the root certificates registered with your OS (or it is part of the built-in certificates in Electron). Could you try opening https://login.microsoftonline.com/ with the Edge browser (to see if it connects, this might also update the root certificate in the OS, not sure if other browsers would do that) and then retry?

WyjCC commented Mar 30, 2023

> HTTP_PROXY

I tried it, but it's not working...

1. I set Edge as the default web browser;
2. opened https://login.microsoftonline.com/ with Edge;
3. opened VS Code and signed in with Microsoft AD successfully in Edge;
4. went back to VS Code and got the same error.

Maybe it's because I sign in with Win 11? My own PC is Win 10; my company PC is Win 11, and there I can sign in successfully.

8ueye8 commented Mar 30, 2023

> > I have the same issue, also on a company account. I see this error in the logs:
> > [screenshot of the log]
>
> @8ueye8 "certificate has expired" suggests that you have an old certificate in the root certificates registered with your OS (or it is part of the built-in certificates in Electron). Could you try opening https://login.microsoftonline.com/ with the Edge browser (to see if it connects, this might also update the root certificate in the OS, not sure if other browsers would do that) and then retry?

As I mentioned earlier, I resolved my issue when I reimaged my device. https://login.microsoftonline.com/ worked for me in Edge when I had the issue.

TylerLeonhardt (Member) commented

Some other proxy related ideas: #160649 (comment)

MH-ABE commented Apr 3, 2023

I have tried #160649 (comment)
and checked my environment variables; there is nothing there. I still cannot log in to GitHub, but my MS account works fine.

TylerLeonhardt (Member) commented

@MH-ABE would you mind trying out @chrmarti's proxy debugging extension:
microsoft/vscode-remote-release#8248 (comment)

and let me know how it goes

MH-ABE commented Apr 4, 2023

Certainly @TylerLeonhardt, here is the output:

Settings: (Let me know if I need to test other settings)
- http.proxy: 
- http.proxyAuthorization: null
- http.proxyStrictSSL: true
- http.proxySupport: off
  - globalValue: off
- http.systemCertificates: true

Environment variables:

Sending GET request to https://containers.dev/static/devcontainer-index.json...
vscode-proxy-agent: DIRECT
Received error: unable to get local issuer certificate

Sending GET request to https://containers.dev/static/devcontainer-index.json (allowing unauthorized)...
vscode-proxy-agent: DIRECT
Received response code: 200
Certificate chain:
- Subject: containers.dev
  Subject alt: DNS:containers.dev, DNS:www.containers.dev
  Validity: Mar 22 19:22:30 2023 GMT - Jun 20 19:22:29 2023 GMT
  Fingerprint: 28:F2:4F:7A:Bxxxxxxxxxxxxxxxxxxx
- Subject: gk-de-hub
  Subject alt: DNS:gk-de-hub
  Validity: Jun 25 11:52:11 2021 GMT - Nov 29 00:41:25 2025 GMT
  Fingerprint: 63:47:BF:FC:CD:xxxxxxxxxxxxxxxxxxxxxxxxxxx
  Issuer certificate not found: mhsca (<- looks like the company CA)

chrmarti (Collaborator) commented Apr 4, 2023

@MH-ABE This looks like we don't pick up your company's CA from the OS. Which OS are you on? Could you check if and where the company's CA is registered in the OS?

MH-ABE commented Apr 4, 2023

@chrmarti I'm on Windows_NT x64 10.0.19044 and we use Edge.
I can see the company root cert in certmgr.msc, and mhsca is an intermediate CA. Hope that answers your question, otherwise let me know where to look.
Thanks

chrmarti (Collaborator) commented Apr 4, 2023

@MH-ABE Could you update the Network Proxy Test extension to the latest version (0.0.3) and run F1 > Network Proxy Test: Show OS Certificates to see if that certificate is loaded from the OS?

MH-ABE commented Apr 4, 2023

@chrmarti Sure,
[screenshot]
mhrca: found
mhsca: not found
gk-de-hub: not found
Probably best to send the full list privately?

Can't find most of these intermediate CAs in the test output:
[screenshot]

chrmarti (Collaborator) commented Apr 4, 2023

Make sure you have the last one in the chain mhsca in the Trusted Root Certification Authorities ("Betrodda rotcertifikatutfärdare" I guess).

MH-ABE commented Apr 4, 2023

I cannot move them, access denied. I don't think IT want people messing with the certs ;) Any other way I can get them to the right place?

chrmarti (Collaborator) commented Apr 4, 2023

Can you export them (context menu on the cert > All Tasks > Export...) and then import (context menu on Trusted Root Certification Authorities > All Tasks > Import...) them?

chrmarti (Collaborator) commented Apr 5, 2023

@MH-ABE Looking at it again, I would expect mhrca to also be in the Trusted Root Certification Authorities (I think the browser would otherwise complain). Could you check again?

The certificate chain you posted in #177139 (comment) suggests that the (transparent?) proxy you are connecting through did not send the full certificate chain. Browsers seem to handle this more gracefully than Node.js. Could you check with your IT if this is true and if they could change that to be the full certificate chain?

MH-ABE commented Apr 5, 2023

@chrmarti mhrca is in the TRCA folder, and it is picked up by your test plugin. It seems to be doubled up, since it's in the intermediate folder too.

Export worked fine, but it seems that the root folder is write-protected, so the import failed.
I did manage this eventually: I had been using certlm.msc, now I tried certmgr.msc, but I also only moved the specific intermediate-only certs and not all of the company ones in the intermediate folder. I don't know what solved it, but in any case I cannot overwrite existing certs but am able to add new ones to the root folder.
So when trying to log in to GitHub in VS Code now, with the intermediate certs also in the root folder, it works!

I don't know a lot about CAs, but this intermediate cert folder seems like a standard use, right? Would it be possible for VS Code to also import this folder? Unless of course it is only my company doing it this way.

Thanks for your assistance!

TL;DR: If you can't log in due to CAs, move the relevant intermediate certs to the root folder using certmgr.msc.

chrmarti (Collaborator) commented Apr 5, 2023

The discussion at https://security.stackexchange.com/a/72085 makes me think that it would be best for your proxy to return the complete certificate chain (the root certificate may be omitted from what I understand).

We could improve our client implementation by also using the trusted intermediate CAs from the Windows credential store, but going by https://learn.microsoft.com/en-us/answers/questions/882257/revoked-certificate-shows-as-valid-in-the-certific, we would have to use certutil to make sure revocations are applied.

@chrmarti chrmarti changed the title Cannot sign in with AD account(SSO) System Certificates: Support trusted intermediate CAs Apr 5, 2023
6 participants