Self-signed certificate error when installing Python support in WSL in spite of custom root certificate correctly installed in WSL

Hello! I’ve developed a work around.

The core issue here seems to be that the certificate store passed by NodeJS running the back-end server to the OpenSSL library it uses to deal with encryption is not the linux system certificate store updated by update-ca-certificates. However, NodeJS has an environment variable configuration option NODE_EXTRA_CA_CERTS in which we can pass it the custom certificate. We can setup this environment variable in ~/.vscode-server/server-env-setup in WSL.

Something like this works

echo "export NODE_EXTRA_CA_CERTS=<PATH TO SELF SIGNED ROOT>" >>  ~/.vscode-server/server-env-setup

However, ideally the solution should be to have NodeJS use the system certificate store

@chrmarti and @sandy081 Can you again look into that. It seems to be pop up again with the 1.62 version of VS Code (tough with all extension, not just the python). I have tested it by rolling back to 1.61.2 and then I can install all extensions again in WSL. But then as soon as update to 1.62 the installation of any extension in WSL fails. (The version “Remote - WSL” extensions is in both cases still the same same version - 0.58.5) When looking into the log it is quite obvious what happens different:

In version 1.61.2 the cert error also happens but then it automatically downloads the extensions locally instead (line 1 & 2):

[2021-11-05 14:12:42.022] [renderer1] [error] Error while installing 'dbaeumer.vscode-eslint' extension in the remote server. self signed certificate in certificate chain**
[2021-11-05 14:12:42.022] [renderer1] [info] Downloading the 'dbaeumer.vscode-eslint' extension locally and install
[2021-11-05 14:12:42.067] [renderer1] [info] Downloaded extension: dbaeumer.vscode-eslint /c:/Users/j0f3/AppData/Local/Temp/1e84c682-6562-432a-8e63-78d8303469ef
[2021-11-05 14:12:43.133] [renderer1] [info] Successfully installed 'dbaeumer.vscode-eslint' extension

But now with version 1.62 the process just stops at the cert error:

[2021-11-05 14:14:53.702] [renderer1] [error] ["Error: self signed certificate in certificate chain","    at TLSSocket.onConnectSecure (_tls_wrap.js:1497:34)","    at TLSSocket.emit (events.js:315:20)","    at TLSSocket._finishInit (_tls_wrap.js:932:8)","    at TLSWrap.ssl.onhandshakedone (_tls_wrap.js:706:12)"]
[2021-11-05 14:14:53.714] [renderer1] [error] self signed certificate in certificate chain: Error: self signed certificate in certificate chain
    at TLSSocket.onConnectSecure (_tls_wrap.js:1497:34)
    at TLSSocket.emit (events.js:315:20)
    at TLSSocket._finishInit (_tls_wrap.js:932:8)
    at TLSWrap.ssl.onhandshakedone (_tls_wrap.js:706:12)

I can workaround it for now by settings the remote.downloadExtensionsLocally setting to true or by using the method @gbeal-smsc has describe above. But while looking at the solution from @gbeal-smsc I think it would be the best if the vscode-server would somehow automatically inherit the NODE_EXTRA_CA_CERTS environment variable if it is set in WSL already. Because of our corporate Proxy with TLS-Inspection I have to set the NODE_EXTRA_CA_CERTS environment variable anyway in WSL but it is then not very intuitive that the vscode-server does not know anything about it by default.

So not sure which one would actually be the “correct” solution but I think either the extension installation process should automatically fail back again to local download (as it was in 1.61.2) or the vscode-server should automatically pickup the NODE_EXTRA_CA_CERTS environment variable if it is set in WSL. But just fail with the cert error and leave the user with the problem, as it is now in 1.62, is IHMO the worst option. 😉

Thanks!