Error when installing extensions when using HTTP proxy

[merlinz01]

Does this issue occur when all extensions are disabled?: Yes

• VS Code Version: 1.97.0
• OS Version: Linux Mint 22.1

Steps to Reproduce:

1. Go to the extensions panel in VSCode.
2. Search for an extension. This part works.
3. Click the Install button on the extension.

Which always gives this error in the output panel:

2025-02-06 20:11:07.312 [error] [Window] Error: net::ERR_INVALID_ARGUMENT
    at SimpleURLLoaderWrapper.<anonymous> (node:electron/js2c/utility_init:2:10511)
    at SimpleURLLoaderWrapper.emit (node:events:518:28)
2025-02-06 20:11:07.346 [error] [Window] net::ERR_INVALID_ARGUMENT: Error: net::ERR_INVALID_ARGUMENT
    at SimpleURLLoaderWrapper.<anonymous> (node:electron/js2c/utility_init:2:10511)
    at SimpleURLLoaderWrapper.emit (node:events:518:28)

The results of the network proxy test are below:

VS Code 1.97.0 (33fc5a94a3f99ebe7087e8fe79fbe1d37a251016)
Network Proxy Test 0.0.16
linux 6.8.0-52-generic x64

Settings:
- http.proxy: http://user:pass@proxy:port
  - globalLocalValue: http://user:pass@proxy:port
  - globalValue: http://user:pass@proxy:port
- http.proxyAuthorization: user:pass
  - globalLocalValue: user:pass
  - globalValue: user:pass
- http.proxyStrictSSL: false
  - globalLocalValue: false
  - globalValue: false
- http.electronFetch: true
  - globalLocalValue: true
  - globalValue: true
- http.experimental.systemCertificatesV2: true
  - globalLocalValue: true
  - globalValue: true

Environment variables:
HTTPS_PROXY=http://user:pass@proxy:port
HTTP_PROXY=http://user:pass@proxy:port
NO_PROXY=nuget.org
http_proxy=http://user:pass@proxy:port
https_proxy=http://user:pass@proxy:port

DNS:
- Servers: 127.0.0.53
- Result Order: ipv4first
- Auto Select Family: true
- Auto Select Family Attempt Timeout: 250
- Lookup: 140.82.114.4 (158 ms)

Proxy:
- URL: http://user:pass@proxy:port (1 ms)
- Connection: 407 Proxy Authentication Required
	proxy-authenticate: Basic realm="HTTP Proxy" (3 ms)

Sending GET request to https://github.com...
Received response:
- Status: 200 OK
Certificate chain:
- Subject: github.com
  Subject alt: DNS:github.com
  Validity: Feb  5 05:00:00 2025 GMT - Feb  8 05:00:00 2025 GMT
  Fingerprint: 25:02:9A:BD:FD:C4:BD:AF:E2:8C:09:CB:61:5D:6F:41:F4:CF:2B:57
- (Proxy certificates)
Local root certificates:
- (Proxy root certificate)

Sending GET request to https://github.com using fetch from Electron...
Received response:
- Status: 200 

Sending GET request to https://github.com using fetch from Node.js...
Received response:
- Status: 200 OK

Sending GET request to https://github.com using fetch from Node.js (allow HTTP2)...
Received response:
- Status: 200 

[merlinz01]

@chrmarti from #12588

[merlinz01]

Now in VSCode 1.99, Copilot can't sign in, same error. 😦

[merlinz01]

How strange! #176609 (comment) fixed it. This should be either documented or fixed.

[chrmarti]

The default for http.proxyAuthorization is already null. Does it still work?

[merlinz01]

Yes, it also works if I remove that setting. It initially asked for authentication but it hasn't since, which makes sense. Maybe http.proxyAuthorization should be marked as deprecated?

[datenimperator]

EDIT: This works as designed, unfortunately.

See https://stackoverflow.com/a/75989394 for an explanation. TL;DR Electron doesn't allow options like NODE_OPTIONS or NODE_EXTRA_CA_CERTS in general.

Very unfortunate.

---

Same here. My company uses SSL introspection via Watchguard. Thus every SSL certificate is replaced with a custom cert signed by our internal CA.

The CA root certificate is installed on each machine. All openssl-based CLI work as expected. Once added to the browser trust store, Firefox and Chromium work, too. Only node.js-based apps fail to pick up that extra CA certificate.

I added an env variable NODE_EXTRA_CA_CERTS=/etc/ssl/certs/ca-certificates.crt to my profile which points to a PEM encoded collection of trusted CAs. My custom CA is included, too.

I also installed the extension https://marketplace.visualstudio.com/items?itemName=pharndt.node-extra-ca-certs-vscode from the marketplace to help.

But yet vscode still fails to connect to SSL sites. No updates, extensions, not even the user avatar image from GitLens.

Is there anything I can do?

[chrmarti]

VS Code automatically loads OS certificates. Could you install the Network Proxy Test extension (https://marketplace.visualstudio.com/items?itemName=chrmarti.network-proxy-test) and check the output of F1 > Network Proxy Test: Test Connection in VS Code?

If you cannot install the extension through the Extensions viewlet in VS Code, you can download it from the browser here: https://github.com/chrmarti/vscode-network-proxy-test/releases and then install the downloaded VSIX with F1 > Extensions: Install VSIX....

[datenimperator]

@chrmarti thx, brilliant extension!

As per the debug log, node.js can connect but Electron cannot.

Note: Make sure to replace all sensitive information with dummy values before sharing this output.

VS Code 1.100.2 (848b80aeb52026648a8ff9f7c45a9b0a80641e2e)
Network Proxy Test 0.0.17
linux 6.11.0-26-generic x64

DNS:
- Servers: 127.0.0.53
- Result Order: ipv4first
- Auto Select Family: true
- Auto Select Family Attempt Timeout: 250
- Lookup: 104.212.67.219, 2620:1ec:27:e61f::cafe:e61f (51 ms)

Proxy:
- URL: None (2 ms)

Sending GET request to https://update.code.visualstudio.com...
Received response:
- Status: 200 OK
Certificate chain:
- Subject: update.code.visualstudio.com (Microsoft Corporation)
  Subject alt: DNS:update.code.visualstudio.com
  Validity: Apr 10 16:41:10 2025 GMT - Oct  7 16:41:10 2025 GMT
  Fingerprint: DF:17:11:2A:F1:98:BB:CF:11:64:FC:05:5A:C8:4E:80:BB:1C:A2:FA
- Subject: fw-proxy.company.com (Company)
  Subject alt: DNS:fw.company.com, DNS:xx.xx.xx.xx
  Validity: Nov 25 12:03:29 2024 GMT - Apr 12 12:03:29 2052 GMT
  Fingerprint: 5D:25:01:D4:2A:9E:FB:EA:49:78:F7:7C:1F:E7:DB:AB:5A:A8:6F:FB
- Subject: ca.company.com (Company)
  Validity: Oct 29 10:22:39 2024 GMT - Mar 16 10:22:39 2052 GMT
  Fingerprint: E1:7D:B2:F8:19:ED:74:45:C8:DB:2F:30:A5:B0:F8:4A:94:26:4E:40
  Self-signed
Local root certificates:
- Subject: C=DE ST=NRW L=City O=Company CN=ca.company.com [email protected] (OS)
  Validity: Oct 29 10:22:39 2024 GMT - Mar 16 10:22:39 2052 GMT
  Fingerprint: E1:7D:B2:F8:19:ED:74:45:C8:DB:2F:30:A5:B0:F8:4A:94:26:4E:40
  Issuer: C=DE ST=NRW L=City O=Company CN=ca.company.com [email protected]

Sending GET request to https://update.code.visualstudio.com using fetch from Electron...
Received error: Error: net::ERR_CERT_AUTHORITY_INVALID
	at SimpleURLLoaderWrapper.<anonymous> (node:electron/js2c/utility_init:2:10511)
	at SimpleURLLoaderWrapper.emit (node:events:524:28)

Sending GET request to https://update.code.visualstudio.com using fetch from Node.js...
Received response:
- Status: 200 OK

Sending GET request to https://update.code.visualstudio.com using fetch from Node.js (allow HTTP2)...
Received response:
- Status: 200 OK

[datenimperator]

I also tried with https://marketplace.visualstudio.com/items?itemName=pharndt.node-extra-ca-certs-vscode disabled - same result as above.

[chrmarti]

Make sure you have the proxy's CA certificate installed as root certificate in your OS.

On Linux (which you are using?) Electron should read /etc/ssl/certs/ca-certificates.crt (or a similar path depending on your distro).

[datenimperator]

I'm using Linux Mint. As I wrote before:

I added an env variable NODE_EXTRA_CA_CERTS=/etc/ssl/certs/ca-certificates.crt to my profile which points to a PEM encoded collection of trusted CAs. My custom CA is included, too.

The file is really there:

$ file /etc/ssl/certs/ca-certificates.crt
/etc/ssl/certs/ca-certificates.crt: PEM certificate

It also contains my custom root CA. Applications linked to OpenSSL seem to pick it up fine. If Electron actually read that file, too, it'd find the matching root certificate. Yet, it doesn't. Eg when looking for updates:

2025-05-30 15:28:43.651 [info] update#setState checking for updates
2025-05-30 15:28:43.944 [error] #10: https://update.code.visualstudio.com/api/update/linux-x64/stable/848b80aeb52026648a8ff9f7c45a9b0a80641e2e?bg=true - error undefined net::ERR_CERT_AUTHORITY_INVALID
2025-05-30 15:28:43.945 [error] Error: net::ERR_CERT_AUTHORITY_INVALID
    at SimpleURLLoaderWrapper.<anonymous> (node:electron/js2c/browser_init:2:118774)
    at SimpleURLLoaderWrapper.emit (node:events:524:28)
2025-05-30 15:28:43.945 [info] update#setState idle