Unable to verify the first certificate

[cschyma]

I am getting the following error message right after entering the basic configuration (url, user, pwd). There is no output at the output / JFrog console.

VSCode 1.42.1
JFrog Visual Studio Code Extension 1.1.1
Windows 10 1803

[yahavi]

Thanks for reporting this issue, @cschyma! We are looking into it.
Does your Xray server use self signed certificates?

[cschyma]

Yes it does. But Root CA certificates are imported to the Windows trust store.

Interestingly it does work running VS Code with Ubuntu.

[yahavi]

Could be related to this: https://arstechnica.com/information-technology/2020/01/patch-windows-10-and-server-now-because-certificate-validation-is-broken

Can you please try to install the latest Windows updates?

[cschyma]

Thanks, but https://support.microsoft.com/de-de/help/4534293/windows-10-update-kb4534293 has already been installed.

[yahavi]

Thanks for sharing this information!
In that case, we may try to bump the Axios client in the next release from 0.19.0 to 0.19.2.
They have a long list of fixes: https://github.com/axios/axios/blob/master/CHANGELOG.md#0192-jan-20-2020. Hopefully, one of them will resolve this issue.

We can, however, consider to support bypassing SSL certificates validation. Please let me know if you think it's necessary.

[cschyma]

Thanks, I do not need bypassing SSL certificate validation. Please give the Axios client update a try.

[yahavi]

@cschyma,
JFrog VS-Code extension 1.1.2 is released.
This release includes an update to Axios client 0.19.2: 8c014fd#diff-32607347f8126e6534ebc7ebaec4853dR172.

Feel free to upgrade. We'll appreciate your feedback for that!

[cschyma]

Unfortunately I still get the same error message with 1.1.2.

Is there a way to get more details about this error? What exactly is the first certificate? What cannot be verified?

[yahavi]

Thanks for your feedback.
I found a good explanation in SO: https://stackoverflow.com/a/60020493/4233342.

I wonder if win-ca may help. According to their README:

Special extension for VS Code was created to import win-ca in context of VS Code's Extension Host.

Since all VS Code extensions share the same process, root certificates imported by one of them are immediately available to others. This can allow VS Code extensions to connect to (properly configured) intranet sites from Windows machines.

Can you please try this out?
If it works, we'll add it to the documentation.

[cschyma]

Still no success.

We are not using self-signed certificates for the Artifactory server. Also I tried it with only the JFrog extension installed.

[yahavi]

We are not using self-signed certificates for the Artifactory server

JFrog VS-Code extension uses direct APIs to Xray. Artifactory does not stand between them.

You probably did it, but I'm just making sure - Did you reload VS-Code after installing win-ca?

[cschyma]

Yes, I did reload it.

Xray is using a self-signed certificate, meaning it is signed by our local CA. CA certs are installed at the Windows cert store.

[cschyma]

Two more things that could be of interest:

• the Visual Studio extension is working without such an issue
• with Fiddler proxiing the HTTPS traffic the VSCode extension is working as expected

[cschyma]

I did solve my issue by fixing the certificate file I am using at the Xray server. It was missing the intermediate CA certificates. Check https://medium.com/@superseb/get-your-certificate-chain-right-4b117a9c0fce for more background.

Interestingly this VSCode Extension was the first to complain about it. For Artifactory it seems to be alright.

[yahavi]

Thanks for this information, @cschyma. So glad to hear that this issue is resolved!
I pinned this issue to help others.