Cannot add certificates to VSCode's list of trusted certificates with the .deb package #212992

Closed
fbauzac opened this issue May 17, 2024 · 2 comments
Labels: info-needed (Issue requires more information from poster), proxy (Issues regarding network proxies)

fbauzac commented May 17, 2024

Type: Bug

Version: 1.89.1
Commit: dc96b83
Date: 2024-05-07T05:16:23.416Z
Electron: 28.2.8
ElectronBuildId: 27744544
Chromium: 120.0.6099.291
Node.js: 18.18.2
V8: 12.0.267.19-electron.0
OS: Linux x64 6.5.0-35-generic

Hello,

For security purposes, my company uses a transparent SSL/TLS
inspection (not a regular explicit HTTP proxy! there is no proxy to
configure, or https_proxy environment variable to set!), which means
that we have to add a certificate to all the trustlists of all
software we use. Why? Because if we don't do that for e.g. VSCode,
then whenever VSCode tries to access the internet through https,
VSCode's TLS layer will in fact hit the https of the "transparent"
inspection, and NOT trust it. And as this is for security, we won't
disable certificate verification.

In my case, I have installed VSCode through the .deb package. I have
installed some open-source extension written in TypeScript; here, it's
Red Hat Dependency Analysis, for which you can find the source code
here:

https://github.com/fabric8-analytics/fabric8-analytics-vscode-extension/tree/master

I suspect it runs directly under VSCode's nodejs process, and
therefore that it reuses VSCode's list of trusted certificates. I
guess any similar extension will yield the same symptoms:

request to https://rhda.rhcloud.com/api/v4/analysis failed, reason:
self signed certificate in certificate chain.
Source: Red Hat Dependency Analysis

First, is there a way to obtain VSCode's list of trusted certificates,
so that at least I can progress in my investigation of this issue?

Also, where is this list stored?

Is there a simpler test I can do in my investigations to check whether
VSCode's Nodejs engine can access https addresses without certificate
errors?

In any case, if the VSCode package does not use the operating system's
list of trusted certificates but its own list, I think there should be
a way for users to add a certificate to that list. This is the main
point of this ticket.

Thanks!

Best regards
Fabrice

VS Code version: Code 1.89.1 (dc96b83, 2024-05-07T05:16:23.416Z)
OS version: Linux x64 6.5.0-35-generic
Modes:

System Info

| Item | Value |
|---|---|
| CPUs | 12th Gen Intel(R) Core(TM) i7-1280P (20 x 3183) |
| GPU Status | 2d_canvas: enabled; canvas_oop_rasterization: disabled_off; direct_rendering_display_compositor: disabled_off_ok; gpu_compositing: enabled; multiple_raster_threads: enabled_on; opengl: enabled_on; rasterization: enabled; raw_draw: disabled_off_ok; skia_graphite: disabled_off; video_decode: enabled; video_encode: disabled_software; vulkan: disabled_off; webgl: enabled; webgl2: enabled; webgpu: disabled_off |
| Load (avg) | 0, 0, 0 |
| Memory (System) | 31.03GB (14.73GB free) |
| Process Argv | . --crash-reporter-id 1a896f9b-a758-44dd-8e70-07cb0f3aef5e |
| Screen Reader | no |
| VM | 0% |
| DESKTOP_SESSION | ubuntu |
| XDG_CURRENT_DESKTOP | Unity |
| XDG_SESSION_DESKTOP | ubuntu |
| XDG_SESSION_TYPE | wayland |

Extensions (19)

| Extension | Author (truncated) | Version |
|---|---|---|
| vscode-postgres | cko | 1.4.3 |
| go | gol | 0.41.4 |
| debugpy | ms- | 2024.6.0 |
| python | ms- | 2024.6.0 |
| vscode-pylance | ms- | 2024.5.1 |
| fabric8-analytics | red | 0.9.4 |
| java | red | 1.30.0 |
| vscode-xml | red | 0.26.1 |
| intellicode-api-usage-examples | Vis | 0.2.8 |
| vscodeintellicode | Vis | 1.3.1 |
| vscode-boot-dev-pack | vmw | 0.2.1 |
| vscode-spring-boot | vmw | 1.54.0 |
| vscode-java-debug | vsc | 0.57.0 |
| vscode-java-dependency | vsc | 0.23.6 |
| vscode-java-pack | vsc | 0.26.0 |
| vscode-java-test | vsc | 0.41.1 |
| vscode-maven | vsc | 0.44.0 |
| vscode-spring-boot-dashboard | vsc | 0.13.1 |
| vscode-spring-initializr | vsc | 0.11.2 |

@fbauzac fbauzac changed the title Allow adding certificates to VSCode's list of trusted certificates Cannot add certificates to VSCode's list of trusted certificates May 18, 2024
@fbauzac fbauzac changed the title Cannot add certificates to VSCode's list of trusted certificates Cannot add certificates to VSCode's list of trusted certificates with the .deb package May 18, 2024
@chrmarti
Contributor

For extensions the certificates are read from the first of these files that exists:

	'/etc/ssl/certs/ca-certificates.crt', // Debian / Ubuntu / Alpine / Fedora
	'/etc/ssl/certs/ca-bundle.crt', // Fedora
	'/etc/ssl/ca-bundle.pem', // OpenSUSE

@chrmarti chrmarti added info-needed Issue requires more information from poster proxy Issues regarding network proxies labels May 27, 2024
fbauzac commented May 29, 2024

OK, problem found: one of the OS-level certificates had \r\n line endings. Converting to UNIX style fixed the issue.
I'm closing this issue. Sorry for the noise!

@fbauzac fbauzac closed this as not planned Won't fix, can't repro, duplicate, stale May 29, 2024
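
A check for the failure mode found in this thread, as an added example that is not part of the issue or of VS Code's code: it scans a PEM bundle for certificate blocks that contain carriage returns or malformed bodies, and can inspect the first existing file from the list quoted above. The function names and the sample bundle are constructed for illustration.

```javascript
// Added example, not VS Code's code. Paths are the three quoted in the thread.
const CANDIDATES = ['/etc/ssl/certs/ca-certificates.crt',
  '/etc/ssl/certs/ca-bundle.crt', '/etc/ssl/ca-bundle.pem'];
const BEGIN = '-----BEGIN CERTIFICATE-----';
const END = '-----END CERTIFICATE-----';

// Scan PEM bundle text. Returns the number of complete certificate blocks and
// one finding (line of the BEGIN marker, list of problems) per suspect block.
function inspectBundle(text) {
  const findings = [];
  let certificates = 0;
  let block = null; // { line, problems } while between BEGIN and END
  const close = () => {
    if (block.problems.size) findings.push({ line: block.line, problems: [...block.problems] });
    block = null;
  };
  text.split('\n').forEach((raw, i) => {
    const line = raw.replace(/\r$/, '');
    if (line === BEGIN) {
      if (block) { block.problems.add('missing END marker'); close(); }
      block = { line: i + 1, problems: new Set() };
    }
    if (!block) return; // text outside a block (comments, blank lines) is ignored
    if (raw.includes('\r')) block.problems.add('carriage return (CRLF line ending)');
    if (line === END) {
      certificates += 1;
      close();
    } else if (line !== BEGIN && !/^[A-Za-z0-9+\/]*={0,2}$/.test(line)) {
      block.problems.add('non-base64 character in body');
    }
  });
  if (block) { block.problems.add('missing END marker'); close(); }
  return { certificates, findings };
}

// The fix reported in the thread: convert CRLF (or a lone CR) to LF.
const toUnixLineEndings = (text) => text.replace(/\r\n?/g, '\n');

// Inspect the first candidate bundle that exists on this machine, if any.
async function checkSystemBundle() {
  const fs = await import('node:fs');
  const path = CANDIDATES.find((p) => fs.existsSync(p));
  return path ? { path, ...inspectBundle(fs.readFileSync(path, 'latin1')) } : null;
}

// Constructed sample: payloads are placeholders, not real certificates.
const SAMPLE = `${BEGIN}\nQUJDREVGR0hJSktMTU5PUA==\n${END}\n`
  + `${BEGIN}\r\nUVJTVFVWV1hZWjAxMjM0NQ==\r\n${END}\r\n`;
checkSystemBundle().then((r) => console.log(JSON.stringify(r)), console.error);
```

The reported `line` is the position of the block's BEGIN marker in the bundle, which identifies the certificate file to fix at its source before the bundle is regenerated.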