System Certificates: Support trusted intermediate CAs #177139
Comments
Do either of you have a corporate proxy in effect on your machine? @AdmiralrRicha do you have the same error in the
I'm not sure, how shall I verify with the Microsoft Authentication output? @8ueye8 I do see the same error message pop up. ('Network failure'.)
No VPNs that I know of were active at the time. There may be a corporate proxy in the background but that shouldn't be an issue since I was able to log in before on my previous laptop. The issue only started when I was issued a new laptop and tried to log in and sync my settings.
In my case I logged in successfully and actually automatically when I first installed VS Code on my machine. It only happens when I log out and try to log back in.
I've resolved this issue by reimaging my PC with Windows 10, signing in and then upgrading to Windows 11. I know it's not the best solution but hopefully it helps diagnose the issue. When I previously encountered the issue, I had just reset the laptop from within Windows 11 and tried to sign in once the reset was done. Maybe it's a Win10 vs Win11 issue?
I can't reimage my system as I'm running a corporate system, rebuild will lose everything. It acquired the login successfully in the initial try, but failed in the following attempts. If it succeeded once, it should have no permission issue. When it failed in the second attempt, maybe it was looking at the wrong plate? I mean for the authorization process.
Do you have any proxy-related settings set in VS Code? Do you have a system environment variable like
@8ueye8 "certificate has expired" suggests that you have an old certificate in the root certificates registered with your OS (or it is part of the built-in certificates in Electron). Could you try opening
I tried it, but it's not working... 1. I set Edge as the default web browser; Maybe because I sign in with Win 11? My own PC is Win 10, my company PC is Win 11 and I can sign in successfully.
As I mentioned earlier, I resolved my issue when I reimaged my device. https://login.microsoftonline.com/ worked for me on Edge when I had the issue.
Some other proxy related ideas: #160649 (comment)
I have tried #160649 (comment)
@MH-ABE would you mind trying out @chrmarti's proxy debugging extension: and let me know how it goes
Certainly @TylerLeonhardt, here is the output:
@MH-ABE This looks like we don't pick up your company's CA from the OS. Which OS are you on? Could you check if and where the company's CA is registered in the OS?
@chrmarti I'm on Windows_NT x64 10.0.19044 and we use Edge.
@MH-ABE Could you update the Network Proxy Test extension to the latest version (0.0.3) and run
@chrmarti Sure, Can't find most of these intermediate CAs in the test output:
Make sure you have the last one in the chain
I cannot move them, access denied. I don't think IT want people messing with the certs ;) Any other way I can get them to the right place?
Can you export them (context menu on the cert >
@MH-ABE Looking at it again, I would expect The certificate chain you posted in #177139 (comment) suggests that the (transparent?) proxy you are connecting through did not send the full certificate chain. Browsers seem to handle this more gracefully than Node.js. Could you check with your IT if this is true and if they could change that to be the full certificate chain?
@chrmarti
I don't know a lot about CAs, but this intermediate cert folder seems like a standard use, right? Would it be possible for VSCode to also import this folder? Unless of course it is only my company doing it this way. Thanks for your assistance! TLDR; If you can't login due to CAs, move relevant intermediate certs to the root folder using
The discussion at https://security.stackexchange.com/a/72085 makes me think that it would be best for your proxy to return the complete certificate chain (the root certificate may be omitted from what I understand). We could improve our client implementation by also using the trusted intermediate CAs from the Windows credential store, but going by https://learn.microsoft.com/en-us/answers/questions/882257/revoked-certificate-shows-as-valid-in-the-certific, we would have to use
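The failure mode discussed in this thread (a proxy that sends only its leaf certificate, and a client that may or may not consult a local store of intermediate CAs), as an added example that is not VS Code's or Node.js's own code. It models path building by subject/issuer names only, with constructed certificate records and a hypothetical `localIntermediates` parameter; it checks expiry but does not verify signatures.

```javascript
// Added example: a name-chaining model of certificate path building.
// It does NOT verify signatures; every certificate record here is constructed.
const root  = { subject: 'CN=Example Corp Root CA', issuer: 'CN=Example Corp Root CA', notAfter: '2035-01-01' };
const inter = { subject: 'CN=Example Corp Proxy CA', issuer: 'CN=Example Corp Root CA', notAfter: '2030-01-01' };
const leaf  = { subject: 'CN=login.example.test', issuer: 'CN=Example Corp Proxy CA', notAfter: '2024-01-01' };

const expired = (cert, now) => new Date(cert.notAfter) < now;

// presented: what the server (or intercepting proxy) sent, leaf first.
// trustedRoots: trust anchors. localIntermediates: optional extra issuers,
// standing in for an OS intermediate CA store (hypothetical parameter).
function buildPath(presented, trustedRoots, localIntermediates, now) {
  const [first, ...sent] = presented;
  const pool = [...sent, ...localIntermediates];
  const used = new Set(); // guards against issuer loops
  const path = [first.subject];
  let current = first;
  for (;;) {
    if (expired(current, now)) {
      return { ok: false, reason: 'certificate has expired', at: current.subject, path };
    }
    const anchor = trustedRoots.find((r) => r.subject === current.issuer);
    if (anchor) {
      // An expired anchor in the trust store fails the path even if the rest is valid.
      if (expired(anchor, now)) {
        return { ok: false, reason: 'certificate has expired', at: anchor.subject, path };
      }
      if (anchor.subject !== current.subject) path.push(anchor.subject);
      return { ok: true, path };
    }
    const next = pool.find((c) => c.subject === current.issuer && !used.has(c));
    if (!next) {
      return { ok: false, reason: 'issuer not available', at: current.issuer, path };
    }
    used.add(next);
    path.push(next.subject);
    current = next;
  }
}

const now = new Date('2023-03-15'); // fixed clock so results are reproducible
const incomplete = buildPath([leaf], [root], [], now);       // proxy sent the leaf only
const complete = buildPath([leaf, inter], [root], [], now);  // proxy sent the full chain
const viaStore = buildPath([leaf], [root], [inter], now);    // client adds local intermediates
const staleRoot = buildPath([leaf, inter], [{ ...root, notAfter: '2020-01-01' }], [], now);
console.log({ incomplete, complete, viaStore, staleRoot });
```

The `incomplete` case fails at the missing issuer, while `complete` and `viaStore` reach the same three-certificate path by the two routes raised above: the proxy sending its full chain, or the client supplementing it from a local intermediate store.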
Type: Bug
VS Code version: Code 1.76.1 (5e805b7, 2023-03-08T16:32:00.131Z)
OS version: Windows_NT x64 10.0.19044
Modes:
Sandboxed: No
System Info
canvas_oop_rasterization: disabled_off
direct_rendering_display_compositor: disabled_off_ok
gpu_compositing: enabled
multiple_raster_threads: enabled_on
opengl: enabled_on
rasterization: enabled
raw_draw: disabled_off_ok
skia_renderer: enabled_on
video_decode: enabled
video_encode: enabled
vulkan: disabled_off
webgl: enabled
webgl2: enabled
webgpu: disabled_off
Extensions (8)
(7 theme extensions excluded)
A/B Experiments