error: self signed certificate in chain [SELF_SIGNED_CERT_IN_CHAIN] #3417

Closed
Keith-lam-kpmg opened this issue May 4, 2023 · 6 comments
Labels
auth-credentials authentication, authorization, credentials, AWS Builder ID, sso blocked waiting on third party / upstream / external network pending-release platform:windows

Comments

@Keith-lam-kpmg

Problem

When I try to log in with AWS CodeWhisperer, it prompts the message below:

2023-05-04 15:04:17 [INFO]: selected AWS ID sign in
2023-05-04 15:04:17 [ERROR]: API response (oidc.us-east-1.amazonaws.com /client/register): { code: 'SELF_SIGNED_CERT_IN_CHAIN' }
2023-05-04 15:04:17 [ERROR]: aws.codeWhisperer.sso: Error: Failed to connect to AWS Builder ID [FailedToConnect]
-> Error: self signed certificate in certificate chain [SELF_SIGNED_CERT_IN_CHAIN]

Steps to reproduce the issue

Expected behavior

System details (run the AWS: About Toolkit command)

  • OS:Windows
  • Visual Studio Code version:
  • AWS Toolkit version:v.1710
@Keith-lam-kpmg Keith-lam-kpmg added the bug We can reproduce the issue and confirmed it is a bug. label May 4, 2023
@justinmk3 justinmk3 added auth-credentials authentication, authorization, credentials, AWS Builder ID, sso and removed bug We can reproduce the issue and confirmed it is a bug. labels May 4, 2023
@justinmk3
Contributor

Are you behind a proxy?

SELF_SIGNED_CERT_IN_CHAIN is a TLS error reported by nodejs. https://github.com/nodejs/node/blob/9e5e2f1dc5cdd857d79f05981a53382e23a1d55b/doc/api/tls.md?plain=1#L455

Check http.proxySupport and other "proxy" settings in your vscode settings:
https://code.visualstudio.com/updates/v1_31#_network-proxy-support-for-extensions

Note that any value in the http.proxy setting or the HTTP_PROXY or HTTPS_PROXY environment variables will take precedence over the system's proxy setting.

Related: #185

@Keith-lam-kpmg
Author

@justinmk3 able to proceed with turning off the proxy setting, thanks!

@djkong7

djkong7 commented May 5, 2023

I'm behind a proxy but only for AWS traffic and I do not have any proxy settings set in VSCode. I have my ca_bundle specified in my AWS config. Everything works fine for cli access and was working fine for toolkit access.

On VSCode version 1.77.3 and AWS Toolkit version 1.71.0, I am not receiving a self-signed certificate error. Everything works as expected.

On VSCode version 1.78.0 and AWS Toolkit version 1.71.0, I am receiving a self-signed certificate error. I'm also seeing that the profile selector isn't updating with the most recent profile after selecting a different connection profile either.

@justinmk3
Contributor

justinmk3 commented May 5, 2023

@djkong7 thanks for those details, that implies there was a vscode change that triggered this. Are you on Windows?

Based on microsoft/vscode#181404 (comment),

This breaks loading of OS certificates on Windows (not proxy discovery). This will affect users relying on self-signed certificates for development and those requiring a CA certificate from their network proxy.

  • there appears to be a workaround (configure the proxy info in vscode)
  • possibly a fix planned for the next release of vscode.

Only HTTP/S requests made by extensions using the Node API are affected.

Perhaps we can/should be using the vscode API to make https requests instead of nodejs. #2205

@justinmk3 justinmk3 added blocked waiting on third party / upstream / external pending-release labels May 5, 2023
@justinmk3 justinmk3 changed the title self signed certificate in certificate chain [SELF_SIGNED_CERT_IN_CHAIN] error: self signed certificate in chain [SELF_SIGNED_CERT_IN_CHAIN] May 5, 2023
@djkong7

djkong7 commented May 5, 2023

@justinmk3 Thank you for the quick reply. I am on windows. Unfortunately for me, configuring a proxy in VSCode is not an option.

@justinmk3
Contributor

justinmk3 commented May 12, 2023

vscode 1.78.2 was released with a fix for microsoft/vscode#181404
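
Added example, not part of the original thread or of AWS Toolkit: a Node.js diagnostic that reads the certificate chain Node receives and names the root it refuses to trust, which is how to confirm that the SELF_SIGNED_CERT_IN_CHAIN error discussed above comes from a network proxy's CA. The function names (`chainOf`, `diagnose`, `probe`) and the sample certificate objects are assumptions; `probe` connects directly, so it assumes interception is transparent rather than through an explicit HTTP proxy.

```javascript
// Added diagnostic example; function names are hypothetical and not part of
// AWS Toolkit or VS Code.

// Flatten the linked list returned by tlsSocket.getPeerCertificate(true), leaf first.
// A self-signed root links to itself via issuerCertificate, so stop on a repeat.
function chainOf(leaf) {
  const chain = [];
  const seen = new Set();
  for (let c = leaf; c && c.fingerprint256 && !seen.has(c.fingerprint256); c = c.issuerCertificate) {
    seen.add(c.fingerprint256);
    const subject = c.subject ? c.subject.CN : undefined;
    const issuer = c.issuer ? c.issuer.CN : undefined;
    chain.push({ subject, issuer, selfIssued: JSON.stringify(c.subject) === JSON.stringify(c.issuer) });
  }
  return chain;
}

// Map Node's verification result to a next step. `authError` is the string Node
// stores in socket.authorizationError when socket.authorized is false.
function diagnose(authError, chain) {
  const top = chain.length ? chain[chain.length - 1] : null;
  if (!authError) return { verdict: 'trusted', top: top && top.subject };
  if (authError === 'SELF_SIGNED_CERT_IN_CHAIN' && top && top.selfIssued) {
    // The presented root is not in the CA set Node is using. If it names your
    // network proxy's CA, trust that CA; do not turn verification off.
    return { verdict: 'untrusted-root', top: top.subject };
  }
  return { verdict: 'other', top: top && top.subject, code: authError };
}

// Handshake once and report what was presented. rejectUnauthorized:false is set
// only so the chain can be read after a failed verification; no data is sent.
async function probe(host, port = 443) {
  const tls = await import('node:tls');
  return new Promise((resolve, reject) => {
    const socket = tls.connect({ host, port, servername: host, rejectUnauthorized: false }, () => {
      const chain = chainOf(socket.getPeerCertificate(true));
      const authError = socket.authorized ? null : socket.authorizationError;
      socket.end();
      resolve({ chain, ...diagnose(authError, chain) });
    });
    socket.on('error', reject);
  });
}

// Constructed sample (not captured data): a leaf re-signed by a made-up proxy CA.
const sampleRoot = { subject: { CN: 'Example Corp Proxy CA' }, issuer: { CN: 'Example Corp Proxy CA' }, fingerprint256: 'AA:01' };
sampleRoot.issuerCertificate = sampleRoot;
const sampleLeaf = { subject: { CN: 'oidc.us-east-1.amazonaws.com' }, issuer: { CN: 'Example Corp Proxy CA' }, fingerprint256: 'BB:02', issuerCertificate: sampleRoot };
console.log(diagnose('SELF_SIGNED_CERT_IN_CHAIN', chainOf(sampleLeaf)));
```

On an affected machine, `probe('oidc.us-east-1.amazonaws.com').then(console.log)` shows whether the root at the top of the chain is a public CA or a locally issued one.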
