41

I installed GitHub Copilot, but the extension does not work and always shows the following error:


What could I do to solve this?

Debug Diva
Mateus

9 Answers

54

Copilot error: “GitHub Copilot could not connect to server. Extension activation failed: self-signed certificate in certificate chain” is generally caused by using Copilot behind a corporate network.

  • Most corporate networks have a ‘Man-in-the-middle’ appliance that dynamically breaks open all secure SSL traffic leaving home to enter the internet. This ensures they can inspect any traffic leaving, including your online banking. Usually automation scrubs the traffic looking for theft of company secrets or IP and raises alerts. It all gets logged and reviewed further if need be.

  • This action leaves behind a fake cert chain as a fingerprint. The cert for the called site is replaced with a fake, and one signed by the company’s own private CA authority. Hence the self-signed cert in the cert chain error.

  • From any company device (Phones\Laptop) the company CA is already installed as a trusted CA. So the local browsers and other desktop apps trust this faked cert chain - and so do not raise any concerns someone is snooping your secure network traffic (the company does own the network and the device).

  • By default VSCode is not trusting the installed desktop certs, and so it notices that the GitHub cert is no longer signed by a trusted public CA authority.

  • As Rypox states above, the VSCode extension ‘Win-CA’ (must be set to ‘append’ mode) solves this issue. It tells VSCode to also trust the CAs installed on the employee's desktop. This makes VSCode happy again trusting the fake cert chain. No 'whitelisting' needed and not 'VPN' related. But certainly not that obvious either. An interesting CA trust issue.

  • Confirming this does exist is easy from your browser. Go to any outside site (like Amazon) and review the site's “Cert” to see who the CAs are (Certification Path). It should ‘not’ contain any reference to your company. Look at that same cert from outside the company network on your own personal laptop.

… “bit of a glitch in the Matrix”, installing Win-CA helps hide it again and all looks back to normal.

Drew2020
34

Had the same issue with a corporate proxy, the win-ca extension resolved it.

In settings switch to append mode (it's not the default)

Restart VSCode

PS: this is a Windows-only solution (for Mac see another post - self signed certificate in certificate chain on github copilot)

Rypox
22

For any MacOS users, I have found that the VSCode extension linhmtran168.mac-ca-vscode can help as well with this. It is similar to the previously mentioned win-ca.

https://marketplace.visualstudio.com/items?itemName=linhmtran168.mac-ca-vscode

Andrew Gremlich
18

On macOS, you can use this script to monkey patch the Copilot extension to make this work:

```bash
#!/usr/bin/env bash
# Patches the installed Copilot extension bundle so that its HTTPS requests use
# rejectUnauthorized:false, i.e. TLS certificate verification is turned off.
_VSCODEDIR="$HOME/.vscode/extensions"
# Pick the newest installed version of each extension (sort -V orders by version).
_COPILOTDIR=$(ls "${_VSCODEDIR}" | grep -E "github.copilot-[1-9].*" | sort -V | tail -n1) # For copilot
_COPILOTDEVDIR=$(ls "${_VSCODEDIR}" | grep "github.copilot-nightly-" | sort -V | tail -n1) # For copilot-nightly
_EXTENSIONFILEPATH="${_VSCODEDIR}/${_COPILOTDIR}/dist/extension.js"
_DEVEXTENSIONFILEPATH="${_VSCODEDIR}/${_COPILOTDEVDIR}/dist/extension.js"
if [[ -f "$_EXTENSIONFILEPATH" ]]; then
    echo "Found Copilot Extension, applying 'rejectUnauthorized' patches to '$_EXTENSIONFILEPATH'..."
    # Rewrite existing rejectUnauthorized options in the minified bundle.
    perl -pi -e 's/,rejectUnauthorized:[a-z]}(?!})/,rejectUnauthorized:false}/g' "${_EXTENSIONFILEPATH}"
    # Inject the option into the request defaults; sed leaves a .bak copy taken after the perl edit.
    sed -i.bak 's/d={...l,/d={...l,rejectUnauthorized:false,/g' "${_EXTENSIONFILEPATH}"
else
    echo "Couldn't find the extension.js file for Copilot, please verify paths and try again or ignore if you don't have Copilot..."
fi
if [[ -f "$_DEVEXTENSIONFILEPATH" ]]; then
    echo "Found Copilot-Nightly Extension, applying 'rejectUnauthorized' patches to '$_DEVEXTENSIONFILEPATH'..."
    # Same two edits for the nightly build.
    perl -pi -e 's/,rejectUnauthorized:[a-z]}(?!})/,rejectUnauthorized:false}/g' "${_DEVEXTENSIONFILEPATH}"
    sed -i.bak 's/d={...l,/d={...l,rejectUnauthorized:false,/g' "${_DEVEXTENSIONFILEPATH}"
else
    echo "Couldn't find the extension.js file for Copilot-Nightly, please verify paths and try again or ignore if you don't have Copilot-Nightly..."
fi
```

Save as something like monkey-patch-copilot.sh, then chmod +x monkey-patch-copilot.sh. You should then be able to run: ./monkey-patch-copilot.sh to apply the patch.

Note: I am not the original author. This was found on the Copilot feedback forum.

leek
  • 3
    I'd been looking for a fix for so long. Thank you! – Jonathan Picazo May 14 '22 at 02:09
  • 1
    I'm trying to adapt your script for the PyCharm / IntelliJ plugin. There's no `extension.js` in the dist folder, but `agent.js` and `service.js` exist, and contain `rejectUnauthorized:` in a bunch of places. `d={...l` isn't anywhere to find, but I've got `d={...c` and `d={...n`. How do I determine which should be replaced? If I uploaded the files somewhere, would you be willing to help me with this? – Daniel Hjertholm Aug 10 '22 at 09:27
  • 1
    Do you happen to know a fix for PyCharm too? – qichao_he Aug 23 '22 at 13:39
  • If you are using the SSH plugin for vscode, make sure to change the first line to `_VSCODEDIR="$HOME/.vscode-server/extensions"` – LI0131 Oct 27 '22 at 17:37
  • Works on linux as well! – Daniel Bişar Mar 14 '23 at 13:45
6

I found a solution for this which works for me in case of Intellij. I have blogged about it at https://sidd.io/2023/01/github-copilot-self-signed-cert-issue/

At a high level I think the architecture of the plugin might be the same:

IDE Native CoPilot Plugin ---making RPC call---> NodeJS based CoPilot Agent

And this NodeJS based CoPilot Agent has issues with the Self Signed Certs (at least in my case).

The fix is as follows:

  1. Export the self-signed certificate in discussion
  2. Convert it into .pem format if not already
  3. Export the path of this .pem cert to NODE_EXTRA_CA_CERTS variable
  4. Restart your IDE and it should work
Siddharth
  • 2
    This answer will help solve the issue for Visual Studio. It feels more correct than installing an extension. – Logic01 Feb 24 '23 at 20:07
  • How do you know which certificate is used for a given VPN provider??? – Nicolas Belley Mar 27 '23 at 12:06
  • @NicolasBelley in my understanding if you have installed a VPN provider on your machine then a Root CA would also have been installed on your machine. Ex: if you are using a Mac then you should check this under "Keychain Access" in "Certificates" and you should find it. – Siddharth Mar 29 '23 at 02:30
  • This works also under Windows for JetBrains IDEs: set `NODE_EXTRA_CA_CERTS` variable in the "Edit environment variables for your account" control panel (no admin needed), to an absolute path like "C:\path\to\ca-bundle.crt" – LCC Apr 11 '23 at 15:35
  • 2
    what certificate "is in discussion"? – hipokito Apr 27 '23 at 20:05
  • Is there any complete step-by-step solution for Visual Studio 2022, yet? How do I "Export the self-signed certificate"?, etc... – Siavash Mortazavi Aug 22 '23 at 17:53
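
The steps in the answer above, sketched for Node.js as an added example that is not part of the original answer or of any Copilot code: it converts a DER or PEM export to PEM and vets the file before `NODE_EXTRA_CA_CERTS` points at it. The function names are hypothetical, and a root from Node's bundled store stands in for the corporate root CA, which this page does not provide.

```javascript
const fs = require('node:fs');
const os = require('node:os');
const path = require('node:path');
const tls = require('node:tls');
const { X509Certificate } = require('node:crypto');

const PEM_BLOCK = /-----BEGIN CERTIFICATE-----[\s\S]+?-----END CERTIFICATE-----/g;

// Step 2: accept a DER or PEM export and return PEM text.
function toPem(buf) {
  return new X509Certificate(buf).toString();
}

// Step 3: vet the file the variable will point at. Returns { ok, problems, certs }.
function checkExtraCaFile(file, now = new Date()) {
  if (!file) return { ok: false, problems: ['NODE_EXTRA_CA_CERTS is not set'], certs: [] };
  const problems = [];
  if (!path.isAbsolute(file)) problems.push('path is not absolute');
  let text;
  try { text = fs.readFileSync(file, 'latin1'); } catch (err) {
    return { ok: false, problems: [`cannot read file (${err.code})`], certs: [] };
  }
  const blocks = text.match(PEM_BLOCK) || [];
  if (blocks.length === 0) problems.push('no PEM certificate found; convert the export to PEM');
  const certs = [];
  for (const pem of blocks) {
    let cert;
    try { cert = new X509Certificate(pem); } catch { problems.push('unparseable PEM block'); continue; }
    const info = { subject: cert.subject, ca: cert.ca, selfIssued: cert.subject === cert.issuer,
                   expired: new Date(cert.validTo) < now };
    if (!info.ca) problems.push(`not a CA certificate: ${info.subject}`);
    if (info.expired) problems.push(`expired: ${info.subject}`);
    certs.push(info);
  }
  return { ok: problems.length === 0, problems, certs };
}

// Constructed sample input: a root from Node's bundled store stands in for
// the corporate root CA (assumption; substitute the exported certificate).
function sampleRootPem(now = new Date()) {
  return tls.rootCertificates.find((pem) => {
    const c = new X509Certificate(pem);
    return c.ca && c.subject === c.issuer && new Date(c.validTo) > now;
  });
}

// Demo: DER bytes in, PEM file out, then the check.
const demo = path.join(fs.mkdtempSync(path.join(os.tmpdir(), 'extra-ca-')), 'corp-root.pem');
fs.writeFileSync(demo, toPem(new X509Certificate(sampleRootPem()).raw));
console.log(checkExtraCaFile(demo));
```

Node reads `NODE_EXTRA_CA_CERTS` once at process start and only warns if the file is missing or malformed, which is why the last step is an IDE restart and why checking the file first saves a debugging round.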
2

Corporate VPN was the problem (same as @mark-derry's).

JetBrains' PyCharm / DataSpell allows accepting self-signed certificates.

VSCode doesn't seem to have this option yet.

Neil
  • 2
    I tried adding the self-signed certificates according to [this](https://www.jetbrains.com/help/idea/settings-tools-server-certificates.html), but it does not work. I also tried **Accept non-trusted certificates automatically**; it's not working either. Did you manage to make the JetBrains/PyCharm Copilot plugin work with a corporate VPN that has self-signed certificates? – qichao_he Aug 24 '22 at 13:20
1

This looks like a similar error to what I am getting. I believe that the source of this in our corporate network is an SSL inspection process such that when the HTTPS traffic is opened and inspected, it breaks the certificate chain and this error shows up. A fix would be to add the GitHub Copilot servers to the SSL inspection whitelist so that that traffic is not inspected.

Mark Derry
  • have the same problem; unfortunately getting things whitelisted could be quite challenging at the corps – Neil Mar 24 '22 at 07:00
0
  1. Install [win-ca](https://marketplace.visualstudio.com/items?itemName=ukoloff.win-ca)

  2. Press CTRL + SHIFT + P and search for `@ext:ukoloff.win-ca`

  3. Put Win-Ca: Inject to append

  4. Restart the IDE

  5. Start Coding

Sampath Wijesinghe
-3

Easy! Method 1: just execute this code.

```bash
git config --global http.sslVerify false
```

Method 2: Follow this guide! And thank me later because I have saved you a time of hassle :) . You're welcome!

https://mattferderer.com/fix-git-self-signed-certificate-in-certificate-chain-on-windows

Develop4Life