unable to verify the first certificate when install extension from local marketplace #39

Closed
garylavayou opened this issue Jun 6, 2024 · 2 comments
@garylavayou

Problem Description

I have deployed the marketplace following the deployment guide. The service is up and I am able to add a collection of extensions (vsix files) to the marketplace. But I failed to download an extension from the marketplace: following the "Usage in code-server" guide, the following error occurs.

export EXTENSIONS_GALLERY='{"serviceUrl":"https://<domain>/api", "itemUrl":"https://<domain>/item", "resourceUrlTemplate": "https://<domain>/files/{publisher}/{name}/{version}/{path}"}'
code-server

Error Details

Install with code-server CLI (/app/code-server/lib/vscode/bin/remote-cli/code-server):

#> {
#>   "type": "extensionManagement",
#>   "install": [
#>     "formulahendry.auto-close-tag"
#>   ],
#>   "force": false
#> }
#> Installing extensions on condapack.coderdev.com...
#> Installing extension 'formulahendry.auto-close-tag'...
#> Error while installing extension formulahendry.auto-close-tag: [object Object]
#> Failed Installing Extensions: formulahendry.auto-close-tag

Install with code-server:

/app/code-server/bin/code-server --verbose --install-extension formulahendry.auto-close-tag
#> [2024-06-06T00:47:48.148Z] debug Found VS Code arguments; spawning VS Code CLI
#> [2024-06-06T00:47:48.150Z] debug Running Code CLI
#> Installing extensions...
#> Error while installing extensions: unable to verify the first certificate
#> unable to verify the first certificate

In addition, if I try to install an extension without launching the code-server service when building the image, the same error occurs. I think the code-server service is not related to extension installation. Is that right?

After launching code-server, I can see all the extensions I have added to the marketplace on the extensions management page, and on the extension page if I click one of the extensions.

If I click the title on the extension detail page, I can see the extension's URL, like

https://marketplace.coderdev.com/item?itemName=formulahendry.auto-close-tag

where the domain is indeed my own host. But if I try to click "install" on the page, it still fails with the following log in the "Output" window of Code.

2024-06-06 08:58:27.074 [error] Error: unable to verify the first certificate
    at TLSSocket.onConnectSecure (node:_tls_wrap:1600:34)
    at TLSSocket.emit (node:events:517:28)
    at TLSSocket._finishInit (node:_tls_wrap:1017:8)
    at ssl.onhandshakedone (node:_tls_wrap:803:12)
2024-06-06 08:58:27.104 [error] unable to verify the first certificate: Error: unable to verify the first certificate
    at TLSSocket.onConnectSecure (node:_tls_wrap:1600:34)
    at TLSSocket.emit (node:events:517:28)
    at TLSSocket._finishInit (node:_tls_wrap:1017:8)
    at ssl.onhandshakedone (node:_tls_wrap:803:12)

which gives the same "unable to verify the first certificate" complaint as installing with code-server from the terminal.

Potential Issue

The certificate of the deployment domain is not trusted by the code-server CLI, and adding the self-signed certificate/root CA certificate to the system's trust store has no effect.

I have added the root CA certificate to the code-server's host system (built into the container image), which can be verified by performing the following query in code-server's terminal:

curl -v https://marketplace.coderdev.com/healthz
*   Trying 172.28.76.31:443...
* Connected to marketplace.coderdev.com (172.28.76.31) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
*  CAfile: /etc/ssl/certs/ca-certificates.crt
*  CApath: /etc/ssl/certs
# ...... omitted TLS handshake
*  SSL certificate verify ok.
# ......
> GET /healthz HTTP/2
> Host: marketplace.coderdev.com
> user-agent: curl/7.81.0
> accept: */*
# ......
< HTTP/2 200 
< build-version: 6fb4e72
< content-type: text/plain; charset=utf-8
< date: Thu, 06 Jun 2024 01:03:46 GMT
< vary: Origin
< x-coder-request-id: 59f86788-766e-4107-b9fd-928185d7db2f
< x-ratelimit-limit: 512
< x-ratelimit-remaining: 511
< x-ratelimit-reset: 1717635840
< content-length: 18
< 
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* Connection #0 to host marketplace.coderdev.com left intact
API server running

So why can't the code-server CLI trust the certificate of my domain marketplace.coderdev.com?

Deployment details

images:

  • customized code-server image based on linuxserver/code-server:4.89.1.

    code-server --version
    #> 1.89.1
    #> effc6e95b4ad1c5ac5f9083ec06663ba4a2e005c
    #> x64
    
  • customized code-server image based on codercom/code-server:4.89.1.

  • customized code-marketplace image based on debian/bookworm. code-marketplace is installed and started following the official guide.

@coder-labeler coder-labeler bot added the support label Jun 6, 2024
@code-asher
Member

code-asher commented Jun 6, 2024

Could you try setting NODE_EXTRA_CA_CERTS and point it to the certificate bundle? I think there might be a bug upstream in VS Code web where it does not read the system-installed certificates.

For example:

NODE_EXTRA_CA_CERTS=/etc/ssl/certs/ca-certificates.crt /app/code-server/bin/code-server --verbose --install-extension formulahendry.auto-close-tag

@garylavayou
Author

@code-asher problem solved!

printenv NODE_EXTRA_CA_CERTS 
#> /etc/ssl/certs/ca-certificates.crt
code-server --verbose --install-extension formulahendry.auto-close-tag
#> {
#>   "type": "extensionManagement",
#>   "install": [
#>     "formulahendry.auto-close-tag"
#>   ],
#>   "force": false
#> }
#> Installing extensions on condapack.coderdev.com...
#> Installing extension 'formulahendry.auto-close-tag'...
#> Extension 'formulahendry.auto-close-tag' v0.5.15 was successfully installed.

After specifying the certificate, I can install extensions from CLI and the Code extension page.
