How do I get Visual Studio Code to trust our self-signed proxy certificate?

40
votes

Our corporate firewall/proxy is keeping VS Code from being able to install extensions because Code doesn't trust something in the chain. It doesn't reliably give an error, but when it does, it's this: "self signed certificate in certificate chain".

This seems like it's an OpenSSL error, but I don't have enough familiarity with OpenSSL to know how to trust the certificate?

5
opensslvisual-studio-code
It is not an error, it is a feature. Self-signed certificates are not to be trusted. This can be overridden in the code by adding as (risky) choice that the user can accept self-signed certificates.adlag
I'm behind a proxy. I don't have much choice but to accept whatever it's serving up.Devin Goble
code.visualstudio.com/Docs/supporting/faq#_proxy-server-support says in this case set "http.proxyStrictSSL": false -- did you do that?dave_thompson_085
@dave_thompson_085: Yes. I get the same error.Devin Goble
I tried the "http.proxyStrictSSL" just today and it worked for me.Mickaël Derriey

5 Answers

31
votes

This is a terrible answer (not very secure), but appears to be the current Microsoft official answer. Use "http.proxyStrictSSL": false in your settings.json file.

This should work to get around the issue of installing extensions inside a corporate network, but I'd recommend disabling the setting if you are going to be working from home/coffee shop and not connected to the corporate VPN.

https://github.com/Microsoft/vscode/issues/3492

14
votes

I was having the same issue, not when installing an extension, but when a certain extension was trying to download data. Adding "http.proxyStrictSSL": false to my settings file did not work. Disabling SSL is also a really bad idea.

The resolution was to install the Visual Studio Code win-ca plugin which makes trusted Windows certificates available to extensions.

4
votes

There is actually a better way:

Since VS Code is built on Chromium the "proxy settings should be picked up automatically" from Google Chrome/Chromium. So if you add your self-signed certificate in Chrome/Chromium by going to:

  1. chrome://settings/privacy
  2. Manage certificates
  3. Authorities / Import
  4. Select and import your certificate (pem-file)
  5. Restart VS Code

I was able to download VS Code extensions despite being behind a corporate proxy.

Remark: Ubuntu 18.04 and VS Code works only with Chrome and not Chromium.

3
votes

2020 answer for MacOS Catalina and possibly others: Make sure that the certificates are installed and trusted (I have them in the System category).

Then, go into settings, Application, Proxy, and UNCHECK the "System certificates" option. Restart vscode and RE-CHECK it. Restart again, and it works.

No idea why you have to do this, but it worked for me. I was very surprised. The error I was getting in the developer console (Help - toggle developer tools - console tab) was "self signed certificate in certificate chain".

1
votes

I had to add the corporate certificate as a root CA to my local NSS store to get this to work.

certutil -d sql:$HOME/.pki/nssdb -A -t "C,," -n <certificate nickname> -i <certificate filename>

See this GitHub issue for more info.