unable to verify the first certificate when install extension from local marketplace #39

Closed
@garylavayou

Problem Description

I have deployed the marketplace following the deployment guide. The service is up and I am able to add a collection of extensions (vsix files) to the marketplace. But I failed to download an extension from the marketplace: following the Usage in code-server guide, the following error occurs.

export EXTENSIONS_GALLERY='{"serviceUrl":"https://<domain>/api", "itemUrl":"https://<domain>/item", "resourceUrlTemplate": "https://<domain>/files/{publisher}/{name}/{version}/{path}"}'
code-server

Error Details

Install with code-server CLI (/app/code-server/lib/vscode/bin/remote-cli/code-server):

#> {
#>   "type": "extensionManagement",
#>   "install": [
#>     "formulahendry.auto-close-tag"
#>   ],
#>   "force": false
#> }
#> Installing extensions on condapack.coderdev.com...
#> Installing extension 'formulahendry.auto-close-tag'...
#> Error while installing extension formulahendry.auto-close-tag: [object Object]
#> Failed Installing Extensions: formulahendry.auto-close-tag

Install with code-server:

/app/code-server/bin/code-server --verbose --install-extension formulahendry.auto-close-tag
#> [2024-06-06T00:47:48.148Z] debug Found VS Code arguments; spawning VS Code CLI
#> [2024-06-06T00:47:48.150Z] debug Running Code CLI
#> Installing extensions...
#> Error while installing extensions: unable to verify the first certificate
#> unable to verify the first certificate

In addition, if I try to install an extension without launching the code-server service when building the image, the same error occurs. I think the code-server service is not related to extension installation. Is that right?

After launching code-server, I can see all the extensions I have added to the marketplace from the extensions management page, and the extension page if I click one of the extensions.

If I click the title on the extension detail page, I can see the extension's URL, like

https://marketplace.coderdev.com/item?itemName=formulahendry.auto-close-tag

where the domain is indeed my own host. But if I try to click "install" on the page, it still fails with the following log in the "Output" window of Code.

2024-06-06 08:58:27.074 [error] Error: unable to verify the first certificate
    at TLSSocket.onConnectSecure (node:_tls_wrap:1600:34)
    at TLSSocket.emit (node:events:517:28)
    at TLSSocket._finishInit (node:_tls_wrap:1017:8)
    at ssl.onhandshakedone (node:_tls_wrap:803:12)
2024-06-06 08:58:27.104 [error] unable to verify the first certificate: Error: unable to verify the first certificate
    at TLSSocket.onConnectSecure (node:_tls_wrap:1600:34)
    at TLSSocket.emit (node:events:517:28)
    at TLSSocket._finishInit (node:_tls_wrap:1017:8)
    at ssl.onhandshakedone (node:_tls_wrap:803:12)

which is the same "unable to verify the first certificate" complaint as when using code-server to install from the terminal.

Potential Issue

The certificate of the deployment domain is not trusted by the code-server CLI, and adding the self-signed certificate/root CA certificate to the system's trust store has no effect.

I have added the root CA certificate to the code-server's host system (built into the container image), which can be verified by performing the following query in code-server's terminal:

curl -v https://marketplace.coderdev.com/healthz
*   Trying 172.28.76.31:443...
* Connected to marketplace.coderdev.com (172.28.76.31) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
*  CAfile: /etc/ssl/certs/ca-certificates.crt
*  CApath: /etc/ssl/certs
# ...... omitted TLS handshake
*  SSL certificate verify ok.
# ......
> GET /healthz HTTP/2
> Host: marketplace.coderdev.com
> user-agent: curl/7.81.0
> accept: */*
# ......
< HTTP/2 200 
< build-version: 6fb4e72
< content-type: text/plain; charset=utf-8
< date: Thu, 06 Jun 2024 01:03:46 GMT
< vary: Origin
< x-coder-request-id: 59f86788-766e-4107-b9fd-928185d7db2f
< x-ratelimit-limit: 512
< x-ratelimit-remaining: 511
< x-ratelimit-reset: 1717635840
< content-length: 18
< 
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* Connection #0 to host marketplace.coderdev.com left intact
API server running

So, why can't the code-server CLI trust the certificate of my domain marketplace.coderdev.com?

Deployment details

images:

  • customized code-server image based on linuxserver/code-server:4.89.1.

    code-server --version
    #> 1.89.1
    #> effc6e95b4ad1c5ac5f9083ec06663ba4a2e005c
    #> x64
    
  • customized code-server image based on codercom/code-server:4.89.1.

  • customized code-marketplace image based on debian/bookworm. code-marketplace is installed and started following the official guide.
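
A diagnostic for the mismatch described in this issue, as an added example (not code from code-server or code-marketplace): Node.js, which the stack trace above shows handling the TLS handshake, verifies against its own bundled CA list by default rather than the /etc/ssl/certs store that curl used, so this script probes each EXTENSIONS_GALLERY host with Node's defaults and again with a CA file added. The function names and the CA file argument are assumptions made for the example.

```javascript
const tls = require('node:tls');
const fs = require('node:fs');

// Unique HTTPS host/port pairs referenced by an EXTENSIONS_GALLERY JSON string.
function galleryEndpoints(galleryJson) {
  const gallery = JSON.parse(galleryJson);
  const seen = new Map();
  for (const key of ['serviceUrl', 'itemUrl', 'resourceUrlTemplate']) {
    if (typeof gallery[key] !== 'string') continue;
    const u = new URL(gallery[key]); // {publisher} etc. sit in the path, not the host
    if (u.protocol !== 'https:') continue;
    const port = Number(u.port) || 443;
    seen.set(`${u.hostname}:${port}`, { host: u.hostname, port });
  }
  return [...seen.values()];
}

// Diagnostic only: finish the handshake even if verification fails, send no data,
// and report Node's verdict. `ca` undefined means Node's default CA list.
function probe({ host, port }, ca) {
  return new Promise((resolve, reject) => {
    const socket = tls.connect(
      { host, port, servername: host, ca, rejectUnauthorized: false },
      () => {
        const chain = []; // subject CNs as reported by Node, leaf first
        for (let c = socket.getPeerCertificate(true); c && c.subject; c = c.issuerCertificate) {
          chain.push(c.subject.CN);
          if (c.issuerCertificate === c) break; // a self-signed root points at itself
        }
        resolve({ authorized: socket.authorized, error: socket.authorizationError, chain });
        socket.end();
      });
    socket.on('error', reject);
  });
}

// caFile (assumed: path to a PEM root CA or bundle) is optional.
async function main(caFile) {
  for (const ep of galleryEndpoints(process.env.EXTENSIONS_GALLERY)) {
    console.log(ep, 'Node default CAs:', await probe(ep));
    if (caFile) {
      const ca = [...tls.rootCertificates, fs.readFileSync(caFile, 'utf8')];
      console.log(ep, 'default CAs + file:', await probe(ep, ca));
    }
  }
}

// Probes only when the gallery variable from the post is set; no network use otherwise.
if (process.env.EXTENSIONS_GALLERY) main(process.argv[2]).catch(console.error);
```

Run it inside the code-server container with the CA bundle path as the argument, for example the /etc/ssl/certs/ca-certificates.crt file that curl reported. If only the second probe returns `authorized: true`, `NODE_EXTRA_CA_CERTS` is the Node.js environment variable that adds such a file to the default trust list at process start.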
