Question
· Jun 7, 2022

Troubleshooting VS Code Connection Issues

I'm attempting to configure VS Code's InterSystems Server Manager to establish a connection to an IRIS for Health server. It has a standalone CSP gateway running on an Apache server with TLS enabled. The port for all IRIS api and browser traffic is 443.

I've configured the webServer section's host, port, and variations on pathPrefix (including no pathPrefix entry), and have the correct user ID set. The password is stored in the server keychain.

The connection simply fails with "Server could not be reached." Nothing in the Output or Problems tabs.

I was not involved with the configuration of this CSP gateway and IRIS installation, but I've performed many dozens of them (including standalone, TLS-enabled CSP Gateways) and used VS Code on them without issue. I'm suspecting that there's either an application config missing from the CSP Gateway or a misconfiguration of Apache that's causing the connection failure, but without any trace data from VS Code it's difficult to diagnose. Are there "debug" flags somewhere that provide more information on why the Server Manager/ObjectScript extensions aren't able to connect?

Product version: IRIS 2021.1
Discussion (5)3
Log in or sign up to continue

Thanks, @Jolyon Smith, that does give me something to go on. This is the error I'm seeing on each connection attempt:

Error: unable to verify the first certificate
    at TLSSocket.onConnectSecure (node:_tls_wrap:1530:34)
    at TLSSocket.emit (node:events:390:28)
    at TLSSocket._finishInit (node:_tls_wrap:944:8)
   at TLSWrap.ssl.onhandshakedone (node:_tls_wrap:725:12)

The cert shows no issues when using Chrome, but what I've read in researching this error is that AV software may be a contributor. Unfortunately, I don't have the ability to turn it off on the system I'm testing with, so I'll need to work with the customer's PC support team to see if that makes a difference. I've already tried setting http.proxyStrictSSL and http.systemCertificates to false, and set http.proxySupport to off.

@Jeffrey Drumm have you able to solve this ?

We are having the same problem.
We have the IRIS internal apache webserver configured to have HTTPS access, with self-signed certificate.
Connection to the SMP portal is working fine with HTTP and HTTP.
When we tried to "force" HTTPS only (by doing a HTTP->HTTPS redirect on apche level) we are not able to connect with VS-code: we get the same error: "unable to verify the first certificate".
We tried to uncheck the "Http: System Certificates" and "Http: Proxy Strict SSL" but this was not solving the problem.

Currently, the only workaround I see is to disable the redirection, but with this solution we will still having (even by mistake) HTTP traffic to the server, which we want to aviod.

Any idea ?

It seems that the issue lies in Node.js and that its support for adding trusted CAs is not quite perfect (see e.g. https://github.com/nodejs/node/issues/27079).

The only way I could get it to work was by setting the environment variable

NODE_TLS_REJECT_UNAUTHORIZED to 0

and thus disabling certificate validation entirely in node js.

Btw: Things which looked promising but did not work:
- the http.systemCertificates setting. Node.js in the extension host does not seem to be affected by this setting.
- the http.proxyStrictSSL setting
- the win-ca extension
- the NODE_EXTRA_CA_CERTS env var to add trusted CAs. This would be the preferred way, but I could not get it to work, unfortunately.