GitLab Workflow Extension for VS Code doesn't trust self-signed certificates on Windows
Overview
On Self-Managed instances where a self-signed certificate is in use, the GitLab Workflow Extension for VS Code doesn't trust the certificate if you're running Windows. This can prevent you from adding your account to VS Code and, by extension, from using GitLab Duo features in VS Code.
Description
If you have a Self-Managed GitLab instance where you're using self-signed certificates, when attempting to use GitLab Duo in VS Code on Windows, you may run into an error like this when trying to add your GitLab account to VS Code even when the Health Check reports no health problems detected:
[error]: {
  "userMessage": "Request failed: Can't add GitLab account for https://your-gitlab-instance. Check your instance URL and network connection.",
  "errorMessage": "request to https://your-gitlab-instance/api/v4/personal_access_tokens/self failed, reason: unable to verify the first certificate",
  "stack": [
    "FetchError: request to https://your-gitlab-instance/api/v4/personal_access_tokens/self failed, reason: unable to verify the first certificate",
    "\tat ClientRequest.<anonymous> (c:\\Users\\your-username\\.vscode\\extensions\\gitlab.gitlab-workflow-6.4.0\\extension.js:204:436752)",
    "\tat ClientRequest.emit (node:events:530:35)",
    "\tat ClientRequest.emit (node:domain:489:12)",
    "\tat emitErrorEvent (node:_http_client:101:11)",
    "\tat TLSSocket.socketErrorListener (node:_http_client:504:5)",
    "\tat TLSSocket.emit (node:events:518:28)",
    "\tat TLSSocket.emit (node:domain:489:12)",
    "\tat emitErrorNT (node:internal/streams/destroy:169:8)",
    "\tat emitErrorCloseNT (node:internal/streams/destroy:128:3)",
    "\tat process.processTicksAndRejections (node:internal/process/task_queues:82:21)"
  ]
}
Impacted offerings:
- GitLab Self-Managed
Impacted versions:
- GitLab VS Code Extension: 6.13.0 and later
Resolution
- Open your GitLab instance in your browser
- View the Certificate, getting ready to export it
- Click the Export button
- In the resulting modal, make sure to select the second option in the dropdown menu. You want to export the "certificate chain", not a "single certificate"
- You can verify that this was done correctly by opening the .pem file. There should be multiple blobs of -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----
- Once you're satisfied that you have the certificate chain exported, you can add it to the GitLab VS Code Extension by adding the full path to the downloaded pem certificate chain as the gitlab.ca settings.json property:
  { "gitlab.ca": "C:\\your-username\\Downloads\\gitlab-com-chain.pem" }
P.S.: The \\ above are necessary on Windows machines as you need to escape the \ characters in the file path.
The screenshots below provide visual reference for steps 2 and 3 above.
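The verification step above (multiple certificate blobs in the .pem file) and the escaped gitlab.ca path can be checked programmatically. This is an added example, not code from the GitLab extension: it counts the certificate blocks, confirms each one decodes to a complete DER object (which catches a truncated export), and builds the settings.json fragment. The function names are hypothetical and the sample input is constructed; the check is structural only and does not validate trust or signatures.

```javascript
// Added example; function names are hypothetical, not part of the GitLab extension.
const PEM_BLOCK = /-----BEGIN CERTIFICATE-----([A-Za-z0-9+\/=\s]+?)-----END CERTIFICATE-----/g;

// Total DER size announced by the outer SEQUENCE header, or -1 if malformed.
function derTotalLength(der) {
  if (der.length < 2 || der[0] !== 0x30) return -1; // a certificate is a DER SEQUENCE
  if (der[1] < 0x80) return 2 + der[1];             // short-form length
  const n = der[1] & 0x7f;                          // long form: n length bytes follow
  if (n === 0 || n > 4 || der.length < 2 + n) return -1;
  let len = 0;
  for (let i = 0; i < n; i++) len = len * 256 + der[2 + i];
  return 2 + n + len;
}

// Counts certificate blocks and checks each one decodes to a complete DER object.
function inspectPemChain(pemText) {
  const begins = (pemText.match(/-----BEGIN CERTIFICATE-----/g) || []).length;
  const ends = (pemText.match(/-----END CERTIFICATE-----/g) || []).length;
  const blocks = [...pemText.matchAll(PEM_BLOCK)].map((m) => {
    const der = Buffer.from(m[1].replace(/\s+/g, ""), "base64");
    return { bytes: der.length, intact: derTotalLength(der) === der.length };
  });
  return {
    blocks,
    balanced: begins === ends && begins === blocks.length,
    isChain: blocks.length > 1 && blocks.every((b) => b.intact),
  };
}

// Builds the settings.json fragment; JSON.stringify doubles each backslash.
function gitlabCaSetting(windowsPath) {
  return JSON.stringify({ "gitlab.ca": windowsPath });
}

// Constructed sample input: placeholder DER blobs, not real certificates.
function fakePem(bodyLen) {
  const header = Buffer.from([0x30, 0x82, bodyLen >> 8, bodyLen & 0xff]);
  const der = Buffer.concat([header, Buffer.alloc(bodyLen, 1)]);
  const b64 = der.toString("base64").match(/.{1,64}/g).join("\n");
  return `-----BEGIN CERTIFICATE-----\n${b64}\n-----END CERTIFICATE-----\n`;
}
const sampleChain = fakePem(300) + fakePem(280);
const sampleSingle = fakePem(300);

console.log("chain export:", inspectPemChain(sampleChain).isChain);
console.log("single-cert export:", inspectPemChain(sampleSingle).isChain);
console.log(gitlabCaSetting("C:\\your-username\\Downloads\\gitlab-com-chain.pem"));
```

To check a real export, pass the file's text (read as UTF-8) to inspectPemChain; a result with isChain false means the file holds a single certificate or a damaged block and should be exported again.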
Cause
This is due to the GitLab Workflow Extension not trusting the self-signed certificate.