Certificate Error Cosmos DB in Visual Code #980

Open
normanmartinez opened this issue Dec 17, 2018 · 7 comments
Labels
emulator feature investigate The issue's root cause is unknown. Someone needs to find that out.

@normanmartinez

<Please be sure to remove any private information before submitting.>

Repro steps:
<Enter steps to reproduce issue>

Action: cosmosDB.createDocDBDatabase
Error type: DEPTH_ZERO_SELF_SIGNED_CERT
Error Message: self signed certificate

Version: 0.9.1
OS: win32

@nturinski
Member

Sorry for the late reply. Could you try setting http.proxyStrictSSL to false?

@galvesribeiro

Hey folks!

I can confirm that changing VSCode proxyStrictSSL setting to False makes it work as a workaround.

However, I think there must be another way of working this out built in by the extension. I'm on OSX and, unfortunately, I have to run the emulator on a Windows VM with Parallels since after so many years with CosmosDB out, we still don't have xplat emulator.

To make the web data explorer work, I had to export the certificate as suggested in the docs and make it trusted on OSX Keychain. That would allow us to access the WebUI.

Setting the global VSCode proxyStrictSSL is a pretty big security flaw and to properly fix it we should go one of the following paths:

  1. Make the extension trust any certificate whose thumbprint is explicitly set in the extension-level settings. That scopes the relaxed SSL settings to the extension; or
  2. Allow people to generate their own certificates and add them to the emulator, so it would use their trusted certificates instead of the auto-generated one; or
  3. Make VSCode selectively allow specific thumbprints at the VSCode global level.

That would avoid the security risk and allow scenarios like mine, where I have an "external" client (VSCode) connecting to a "remote" emulator on the VM.

I believe option 1 is the easiest to tackle, but 2 is the more reliable.

To be honest, in my case, all that would be sorted by having a cross platform emulator (long late feature request made multiple times everywhere, but subject for another issue)...

I hope that helps...

@nturinski nturinski added the investigate The issue's root cause is unknown. Someone needs to find that out. label Apr 9, 2020
@ejizba ejizba added this to the 0.14.0 milestone Apr 30, 2020
@wwlorey wwlorey modified the milestones: 0.14.0, 0.15.0 Jul 13, 2020
@neelip neelip modified the milestones: 0.15.1, 0.17.0 Dec 4, 2020
@ejizba ejizba modified the milestones: 0.17.0, Backlog Candidates Apr 5, 2021
@AzCode-Bot
Collaborator

This issue has become stale and is at risk of being closed. The community has 60 days to upvote the issue. If it receives 5 upvotes we will keep it open and take another look. If not, we will close it. To learn more about how we handle issues, please see our documentation.

Happy Coding!

@jongio

jongio commented May 24, 2021

I ran into this today and I'm hesitant to set
"http.proxyStrictSSL": false

Because I don't fully understand the security implications of doing so.

Jon

azsdke2e
azsdke2e1

@AzCode-Bot
Collaborator

🙂 This feature request received a sufficient number of community upvotes and we moved it to our backlog. To learn more about how we handle feature requests, please see our documentation.

Happy Coding!

@AzCode-Bot AzCode-Bot modified the milestones: Backlog Candidates, Backlog Apr 6, 2022
@klemmchr

klemmchr commented Dec 3, 2022

Is there an update to this? There needs to be a way to connect to the emulator via http or by ignoring the certificate on the other side. In a local development environment, it's unnecessary to enforce https when network is limited to localhost.

@szszoke

szszoke commented Dec 12, 2022

I am also affected by this problem. My use case is a dev container that is running my development environment and a CosmosDB emulator.

I attach the database via connection string and I get an error about the self-signed certificate.
