self signed certificate in certificate chain on github copilot

Question

I installed the GitHub copilot but the extension do not work, always show the following error :

What could I do to solve this?

Answer 1

Copilot error: “ GitHub Copilot could not connect to server. Extension activation failed: self-signed certificate in certificate chain ” is generally caused using CoPilot behind a Corporate network.

• Most corporate networks have a 'Man-in-the-middle' appliance that dynamically breaks open all secure SSL traffic leaving home to enter the internet. This ensures they can inspected any traffic leaving, including your online banking. Usually automation scrubs the traffic looking for theft of company secrets or IP and raises alerts. It all gets logged and reviewed further if need be.

• This action leaves behind a fake cert chain as a fingerprint. The cert for the called site is replaced with a fake, and one signed by the company's own private CA authority. Hence the self-signed cert in the cert chain error.

• From any company device (Phones\Laptop) the company CA is already installed as a trusted CA. So the local browsers and other desktop apps trust this faked cert chain - and so do not raise any concerns someone is snooping your secure network traffic (the company does own the network and the device).

• By default VSCode is not trusting the installed desktop certs, and so it noticed that the GitHub cert is no longer signed by a trusted public CA authority.

• As Rypox states above, the VSCode extension 'Win-CA' ( must be set to 'append' mode ) solves this issue. It tells VSCode to also trust the CA's installed on the employees desktop. This makes VSCode happy again trusting the fake cert chain. No ' whitelisting ' needed and not ' VPN ' related. But certinly not that obvious either. An interesting CA trust issue.

• Confirming this does exist is easy from your browser. Go to any outside site (like Amazon) and review the sites “Cert” to see who the CA's are (Certification Path). It should 'not' contain any reference to your company. Look at that same cert from outside the company network on your own personal laptop.

… “bit of a glitch in the Matrix”, installing Win-CA helps hides it again and all looks back to normal.

Answer 2

公司代理也有同样的问题，以附加模式运行的win-ca扩展解决了它。

Answer 3

On macOS, you can use this script to monkey patch the Copilot extension to make this work:

_VSCODEDIR="$HOME/.vscode/extensions"
_COPILOTDIR=$(ls "${_VSCODEDIR}" | grep -E "github.copilot-[1-9].*" | sort -V | tail -n1) # For copilot
_COPILOTDEVDIR=$(ls "${_VSCODEDIR}" | grep "github.copilot-nightly-" | sort -V | tail -n1) # For copilot-nightly
_EXTENSIONFILEPATH="${_VSCODEDIR}/${_COPILOTDIR}/dist/extension.js"
_DEVEXTENSIONFILEPATH="${_VSCODEDIR}/${_COPILOTDEVDIR}/dist/extension.js"
if [[ -f "$_EXTENSIONFILEPATH" ]]; then
    echo "Found Copilot Extension, applying 'rejectUnauthorized' patches to '$_EXTENSIONFILEPATH'..."
    perl -pi -e 's/,rejectUnauthorized:[a-z]}(?!})/,rejectUnauthorized:false}/g' ${_EXTENSIONFILEPATH}
    sed -i.bak 's/d={...l,/d={...l,rejectUnauthorized:false,/g' ${_EXTENSIONFILEPATH}
else
    echo "Couldn't find the extension.js file for Copilot, please verify paths and try again or ignore if you don't have Copilot..."
fi
if [[ -f "$_DEVEXTENSIONFILEPATH" ]]; then
    echo "Found Copilot-Nightly Extension, applying 'rejectUnauthorized' patches to '$_DEVEXTENSIONFILEPATH'..."
    perl -pi -e 's/,rejectUnauthorized:[a-z]}(?!})/,rejectUnauthorized:false}/g' ${_DEVEXTENSIONFILEPATH}
    sed -i.bak 's/d={...l,/d={...l,rejectUnauthorized:false,/g' ${_DEVEXTENSIONFILEPATH}
else
    echo "Couldn't find the extension.js file for Copilot-Nightly, please verify paths and try again or ignore if you don't have Copilot-Nightly..."
fi

Save as something like monkey-patch-copilot.sh , then chmod +x monkey-patch-copilot.sh . You should then be able to run: ./monkey-patch-copilot.sh to apply the patch.

Note: I am not the original author. This was found on the Copilot feedback forum.

Answer 4

For any MacOS users, the VSCode extension linhmtran168.mac-ca-vscode can help as well with this. It is similar to the previously mentioned win-ca.

https://marketplace.visualstudio.com/items?itemName=linhmtran168.mac-ca-vscode

Answer 5

This looks like a similar error to what I am getting. I believe that the source of this in our corporate network is a ssl inspection process such that when the https traffic is opened and inspected that it breaks the certificate chain and this error shows up. A fix would be to add the GitHub Copilot servers to the ssl inspection whitelist so that that traffic is not inspected.

Answer 6

Corporate VPN was the problem (same as @mark-derry's).

Jetbrain's PyCharm / DataSpell allows to accept self signed certificates.

VSCode doesn't seem to have this option yet.

Answer 7

Easy: Method 1. just excute this code.

git config --global http.sslVerify false

Method 2: FOllow this guide? and Thank me later because I have saved you a time of husel: .) . you're welcome!

https://mattferderer.com/fix-git-self-signed-certificate-in-certificate-chain-on-windows

Answer 8

I found a solution for this which works for me in case of Intellij. I have blogged about it at https://sidd.io/2023/01/github-copilot-self-signed-cert-issue/

At a high level I think the architecture of the plugin might be same:

IDE Native CoPilot Plugin ---making RPC call---> NodeJS based CoPilot Agent

And this NodeJS based CoPilot Agent agent has issues with the Self Signed Certs (at least in my case).

Fix is as follows:

1. Export the self-signed certificate in discussion
2. Convert it into .pem format if not already
3. Export the path of this .pem cert to NODE_EXTRA_CA_CERTS variable
4. Restart your IDE and it should work