Request to Nexus failed, reason: certificate has expired

[javimsevilla]

Summary

I have recently updated the Nexus OSS version to 3.36.0-01. Since then, Private Extensions Manager shows an error every time it tries to connect to the NPM registry to get the list of packages. This does not happen with the previous version of Nexus (I have already checked).

Visual proof

Expected results

I expected to see the list of packages from my Nexus registry in the "Extensions" view of Private Extensions Manager.

Actual results

The Private Extensions Manager "Extensions" view is empty and throws an error:

request to https://nexus.myCompanyName.com/repository/npm-group/-/v1/search?text=*&size=20&from=0&quality=0.65&popularity=0.98&maintenance=0.5 failed, reason: certificate has expired

Steps to reproduce

1. Install the Private Extensions Manager extension v1.7.0.
2. Set up an NPM registry at User Settings.
3. Open the "Extensions" view of Private Extensions Manager.
4. The error appears.
5. Press the "Refresh" button.
6. The error appears again.

Environment

// VS Code User Settings
{
  // ...,
  "privateExtensions.registries": [
    {
      "name": "Nexus Group Registry",
      "registry": "https://nexus.myCompanyDomain.com/repository/npm-group/",
      // Token generated with: $ npm adduser --registry="https://nexus.myCompanyDomain.com/repository/npm-group/"
      "token": "NpmToken.f0819d88-d45f-431f-873b-0cb32157fa32"
    }
  ],
}

Name	Version
VS Code	Version: 1.62.3 (user setup) Commit: ccbaa2d27e38e5afa3e5c21c1c7bef4657064247 Date: 2021-11-17T08:11:14.551Z (1 wk ago) Electron: 13.5.2 Chrome: 91.0.4472.164 Node.js: 14.16.0 V8: 9.1.269.39-electron.0 OS: Windows NT x64 10.0.19042
Nexus	Sonatype Nexus Repository Manager OSS 3.36.0-01
Private Extensions Manager	v1.7.0 (also tested with previous versions; same error)

Console logs

Other info

I have tried the following:

1. Created an empty NPM project.
2. npm install libnpmsearch@^2.0.2 npm-registry-fetch@^4.0.7 (versions from Private Extensions Manager v1.7.0 package.json at commit b95273de)
3. Created two files: libnpmsearch-test.js and npm-registry-fetch-test.js
4. Execute node libnpmsearch-test.js → Returns the expected list of packages from the registry.
5. Execute node npm-registry-fetch-test.js → Returns the expected list of packages from the registry.

// libnpmsearch-test.js
const npmSearch = require("libnpmsearch");

npmSearch("*", {
  registry: "https://nexus.myCompanyName.com/repository/npm-group/",
  token: "NpmToken.f0819d88-d45f-431f-873b-0cb32157fa32"
}).then(console.log, console.error);

// npm-registry-fetch-test.js
const npmFetch = require("npm-registry-fetch");

npmFetch
  .json(
    "/-/v1/search?text=*&size=20&from=0&quality=0.65&popularity=0.98&maintenance=0.5",
    {
      registry: "https://nexus.myCompanyName.com/repository/npm-group/",
      token: "NpmToken.f0819d88-d45f-431f-873b-0cb32157fa32"
    }
  )
  .then(console.log, console.error);

[joelspadin-garmin]

It appears to be complaining about your TLS/SSL certificate being expired. I assume that it isn't given the tests you described appeared to work?

Are you using anything like win-ca that might cause the behavior of libnpmsearch/npm-registry-fetch to differ between running in VS Code and running in Node?

[javimsevilla]

This is weird ... I've tried this (again, just in case...):

1. Created empty NPM project → npm init -y
2. Installed libnpmsearch@^2.0.2 → npm i -S libnpmsearch@^2.0.2
3. Created index.js file (see below).
4. Execute index.js with Node → node .
5. Works as expected (returns Nexus packages list). ✅

const npmsearch = require("libnpmsearch");
npmsearch("*", {
  registry: "https://nexus.myCompanyName.com/repository/npm-group/",
  token: "NpmToken.f0819d88-d45f-431f-873b-0cb32157fa32"
}).then(console.log, console.error);

Then, I've tried this...

1. Created new VS Code extension from scratch → yo code.
2. Installed libnpmsearch@^2.0.2 and types → npm i -S libnpmsearch@^2.0.2 @types/libnpmsearch@^2.0.2
3. Created an extension command "Search Nexus".

// package.json
{
  // ...
  "activationEvents": [
    "onCommand:sample-extension.searchNexus"
  ],
  // ...
  "contributes": {
    "commands": [
      {
        "command": "sample-extension.searchNexus",
        "title": "Search Nexus"
      }
    ]
  },
  // ...
}

3. Implemented the command.

// src/extension.ts
import * as npmsearch from "libnpmsearch";
import * as vscode from "vscode";

export function activate(context: vscode.ExtensionContext) {
  let disposable = vscode.commands.registerCommand("example-extension.searchNexus", async () => {
    try {
      const response = await npmsearch("*", {
        registry: "https://nexus.myCompanyName.com/repository/npm-group/",
        token: "NpmToken.f0819d88-d45f-431f-873b-0cb32157fa32"
      });
      console.log(response);
      void vscode.window.showInformationMessage("Search successfull.");
    } catch (error) {
      console.error(error);
      void vscode.window.showErrorMessage((error as Error).message);
    }
  });

  context.subscriptions.push(disposable);
}

4. Disable other extensions while debugging current extension:

// .vscode/launch.json
{
  "version": "0.2.0",
  "configurations": [
    {
      "name": "Run Extension",
      "type": "extensionHost",
      "request": "launch",
      "args": [
+       "--disable-extensions",
        "--extensionDevelopmentPath=${workspaceFolder}"
      ],
      "outFiles": ["${workspaceFolder}/out/**/*.js"],
      "preLaunchTask": "${defaultBuildTask}"
    },
    {
      "name": "Extension Tests",
      "type": "extensionHost",
      "request": "launch",
      "args": [
        "--extensionDevelopmentPath=${workspaceFolder}",
        "--extensionTestsPath=${workspaceFolder}/out/test/suite/index"
      ],
      "outFiles": ["${workspaceFolder}/out/test/**/*.js"],
      "preLaunchTask": "${defaultBuildTask}"
    }
  ]
}

5. Compile extension → npm run compile
6. Ran the extension → (Main menu) Run > Start Debugging F5
7. All other extensions disabled. Executed "Search Nexus" command. Failed (certificate error). ❌

Finally, tried this:

1. Cloned this repo → git clone https://github.com/joelspadin-garmin/vscode-private-extension-manager.git
2. Added --disable-extensions argument to launch configuration as earlier.
3. Compiled extension → npm run compile
4. Ran the extension → (Main menu) Run > Start Debugging F5
5. Configure extension registries:

// settings.json (User)
{
  // ...
  "privateExtensions.registries": [
    {
      "name": "MyCompany Group Registry",
      "registry": "https://nexus.myCompanyName.com/repository/npm-group/",
      "token": "NpmToken.f0819d88-d45f-431f-873b-0cb32157fa32"
    }
  ],
  // ...

6. Opened Private Extensions view. Error occurred ❌ (certificate error). After first error, I had to press the refresh button to see the error again like in the gif below.

It seems that it's not a bug of Private Extensions Manager. It seems to be a security problem between the NPM libraries and my Nexus. Do you have any idea how I can fix it? Your help would be greatly appreciated, I'm a bit confused about this. Thank you in advance 😅

[joelspadin-garmin]

So simply running npmsearch() within the context of a VS Code extension causes it to fail? I can't think of any reasons that would cause a problem off the top of my head. You could maybe try using Wireshark to compare the network traffic between the two scenarios.

[javimsevilla]

I found something about this error in this vscode issue and this node-fetch issue.

It seems that some root expired certificate causes the problem with previous versions of Electron v15.1.0

There are some workarounds in this comment and this other in the previous issue that works in my simple vscode extension from my original comment in this issue, but it is not a problem with the Private Extensions Manager extension at all.

I'm afraid I will have to wait for the Electron update in VSCode unless you consider one of these workarounds for your extension. But since it is something that can compromise security (I don't know how, because I have no experience with security topics) I guess it is something you do not want to add.

Thank you very much.