self signed certificate in certificate chain on github copilot

Question

I installed the GitHub copilot but the extension do not work, always show the following error :

GitHub Copilot could not connect to server. Extension activation failed: "self signed certificate in certificate chain"

Source: GitHub Copilot (Extension) Show Output log

What could I do to solve this ?

Answer 1

If none of the above works, ensure any firewall or blocking software is not blocking this URL, it is likely the company network does not trust the website as Microsoft is using a different domain.

https://api.business.githubcopilot.com/    

You can test this by using

curl -vvv https://api.business.githubcopilot.com

Based on the response from above curl, you might know if it's blocked or untrusted certificate, for the latter you might need to export the certificate chain and add to local certificate store and add VS code extensions as described by others above.

Answer 2

I had the same issue with a corporate proxy. The win-ca extension resolved it.

Steps to fix the issue:

1. Install win-ca
2. In the win-ca settings, switch Inject to append mode (it's not the default).
3. Restart VsCode

PS: This is a Windows only solution. For Macs, see this post.

Answer 3

I have had the same problem in my company and we have solved it following these steps:

1. Enter IntelliJ
2. Ctrl + Alt + S (Settings)
3. Search by "cert"
4. Mark option "Accept non-trusted certificates automatically"
5. Restart IntelliJ

Saludos a todos desde España.

Answer 4

On macOS and linux, you can use this script to monkey patch the Copilot extension to make this work:

Update: Also fixes copilot chat error:

Error on conversation request. Check the log for more details.

_VSCODEDIR="$HOME/.vscode/extensions"
_COPILOTDIR=$(ls "${_VSCODEDIR}" | grep -E "github.copilot-[1-9].*" | sort -V | tail -n1) # For copilot
_COPILOTDEVDIR=$(ls "${_VSCODEDIR}" | grep "github.copilot-nightly-" | sort -V | tail -n1) # For copilot-nightly
_COPILOTCHATDIR=$(ls "${_VSCODEDIR}" | grep -E "github.copilot-chat-*" | sort -V | tail -n1) # For copilot-chat
_EXTENSIONFILEPATH="${_VSCODEDIR}/${_COPILOTDIR}/dist/extension.js"
_DEVEXTENSIONFILEPATH="${_VSCODEDIR}/${_COPILOTDEVDIR}/dist/extension.js"
_CHATEXTENSIONFILEPATH="${_VSCODEDIR}/${_COPILOTCHATDIR}/dist/extension.js"

if [[ -f "$_EXTENSIONFILEPATH" ]]; then
    echo "Found Copilot Extension, applying 'rejectUnauthorized' patches to '$_EXTENSIONFILEPATH'..."
    perl -pi -e 's/,rejectUnauthorized:[a-z]}(?!})/,rejectUnauthorized:false}/g' ${_EXTENSIONFILEPATH}
    sed -i.bak 's/d={...l,/d={...l,rejectUnauthorized:false,/g' ${_EXTENSIONFILEPATH}
else
    echo "Couldn't find the extension.js file for Copilot, please verify paths and try again or ignore if you don't have Copilot..."
fi
if [[ -f "$_DEVEXTENSIONFILEPATH" ]]; then
    echo "Found Copilot-Nightly Extension, applying 'rejectUnauthorized' patches to '$_DEVEXTENSIONFILEPATH'..."
    perl -pi -e 's/,rejectUnauthorized:[a-z]}(?!})/,rejectUnauthorized:false}/g' ${_DEVEXTENSIONFILEPATH}
    sed -i.bak 's/d={...l,/d={...l,rejectUnauthorized:false,/g' ${_DEVEXTENSIONFILEPATH}
else
    echo "Couldn't find the extension.js file for Copilot-Nightly, please verify paths and try again or ignore if you don't have Copilot-Nightly..."
fi
if [[ -f "$_CHATEXTENSIONFILEPATH" ]]; then
    echo "Found Copilot-Chat Extension, applying 'rejectUnauthorized' patches to '$_CHATEXTENSIONFILEPATH'..."
    perl -pi -e 's/,rejectUnauthorized:[a-z]}(?!})/,rejectUnauthorized:false}/g' ${_CHATEXTENSIONFILEPATH}
    sed -i.bak 's/d={...l,/d={...l,rejectUnauthorized:false,/g' ${_CHATEXTENSIONFILEPATH}
else
    echo "Couldn't find the extension.js file for Copilot-Chat, please verify paths and try again or ignore if you don't have Copilot-Chat..."
fi

Save as something like monkey-patch-copilot.sh, then chmod +x monkey-patch-copilot.sh. You should then be able to run: ./monkey-patch-copilot.sh to apply the patch.

Note: I am not the original author. This was found on the Copilot feedback forum.

Answer 5

In my case it was ZScaler, the corporate annoyance. Fortunately we are allowed to exit the app. After exiting Zscaler and reloading the CoPilot extention in VSCode CoPilot worked again.

Answer 6

1. Install [win-ca][1] [1]: https://marketplace.visualstudio.com/items?itemName=ukoloff.win-ca

2. Press CTRL + SHIFT + P Search for @ext:ukoloff.win-ca

3. Put Win-Ca: Inject to append

4. Restart the IDE

5. Start Coding

Answer 7

For any MacOS users, I have found that the VSCode extension linhmtran168.mac-ca-vscode can help as well with this. It is similar to the previously mentioned win-ca.

https://marketplace.visualstudio.com/items?itemName=linhmtran168.mac-ca-vscode

Answer 8

I found a solution for this which works for me in case of Intellij. I have blogged about it at https://sidd.io/2023/01/github-copilot-self-signed-cert-issue/

At a high level I think the architecture of the plugin might be same :

IDE Native CoPilot Plugin ---making RPC call---> NodeJS based CoPilot Agent

And this NodeJS based CoPilot Agent agent has issues with the Self Signed Certs (at least in my case).

Fix is as follows :

1. Export the self-signed certificate in discussion
2. Convert it into .pem format if not already
3. Export the path of this .pem cert to NODE_EXTRA_CA_CERTS variable
4. Restart your IDE and it should work

Answer 9

Easy! Method 1 : just excute this code.

git config --global http.sslVerify false

Method 2: FOllow this guide! and Thank me later because I have saved you a time of husel ? :) . you're welcome!

https://mattferderer.com/fix-git-self-signed-certificate-in-certificate-chain-on-windows

Answer 10

Copilot error: “GitHub Copilot could not connect to server. Extension activation failed: self-signed certificate in certificate chain” is generally caused using CoPilot behind a Corporate network.

• Most corporate networks have a ‘Man-in-the-middle’ appliance that dynamically breaks open all secure SSL traffic leaving home to enter the internet. This ensures they can inspected any traffic leaving, including your online banking. Usually automation scrubs the traffic looking for theft of company secrets or IP and raises alerts. It all gets logged and reviewed further if need be.

• This action leaves behind a fake cert chain as a fingerprint. The cert for the called site is replaced with a fake, and one signed by the company’s own private CA authority. Hence the self-signed cert in the cert chain error.

• From any company device (Phones\Laptop) the company CA is already installed as a trusted CA. So the local browsers and other desktop apps trust this faked cert chain - and so do not raise any concerns someone is snooping your secure network traffic (the company does own the network and the device).

• By default VSCode is not trusting the installed desktop certs, and so it noticed that the GitHub cert is no longer signed by a trusted public CA authority.

• As Rypox states above, the VSCode extension ‘Win-CA’ (must be set to ‘append’ mode) solves this issue. It tells VSCode to also trust the CA’s installed on the employees desktop. This makes VSCode happy again trusting the fake cert chain. No 'whitelisting' needed and not 'VPN' related. But certinly not that obvious either. An interesting CA trust issue.

• Confirming this does exist is easy from your browser. Go to any outside site (like Amazon) and review the sites “Cert” to see who the CA’s are (Certification Path). It should ‘not’ contain any reference to your company. Look at that same cert from outside the company network on your own personal laptop.

… “bit of a glitch in the Matrix”, installing Win-CA helps hides it again and all looks back to normal.

Answer 11

Corporate VPN was the problem (same as @mark-derry's).

Jetbrain's PyCharm / DataSpell allows to accept self signed certificates.

VSCode doesn't seem to have this option yet.

Answer 12

This looks like a similar error to what I am getting. I believe that the source of this in our corporate network is a ssl inspection process such that when the https traffic is opened and inspected that it breaks the certificate chain and this error shows up. A fix would be to add the GitHub Copilot servers to the ssl inspection whitelist so that that traffic is not inspected.