Connecting to generic v2 registry is failing

[pWoLiAn]

using latest extension version.
When connecting to registry, get the message "fetch failed"

im able to pull using CLI

EDIT:
the extension works properly with the previous version(1.28). issue is seen only with the latest version(1.29)

vscode details:
Version: 1.86.2 (user setup)
Commit: 903b1e9d8990623e3d7da1df3d33db3e42d80eda
Date: 2024-02-13T19:40:56.878Z
Electron: 27.2.3
ElectronBuildId: 26908389
Chromium: 118.0.5993.159
Node.js: 18.17.1
V8: 11.8.172.18-electron.0
OS: Windows_NT x64 10.0.22631

running on ubuntu 20.4 with remote SSH

[bwateratmsft]

Try removing the /v2 from your registry URL, the extension adds that automatically as needed.

[pWoLiAn]

still failing with the same error

[bwateratmsft]

Can you tell me more about your registry provider? It may not be supported by the generic V2 registry connection.

[pWoLiAn]

What type of information do you need? Although i dont think this is an issue with the registry because I'm able to connect to it normally with version 1.28.

[bwateratmsft]

That's helpful to know. I think the most likely change that could have caused this is microsoft/vscode-docker-extensibility@24e2d35, we changed from using node-fetch to the built-in fetch in Node.js 18. Are you using a proxy?

[pWoLiAn]

yes i am

[bwateratmsft]

Are you able to test without the proxy in place? It would be helpful to know for sure if the issue is something to do with the proxy.

[pWoLiAn]

i cannot access the registry without the proxy but i can try using a different proxy

[westy]

I'm getting the same issue. It was working with a previous version of the extension, and now it's not.
I suspect it might be something to do with the cert on the private registry (hosted on a local linux server) being self-signed?

The certificate is installed as a trusted CA on the machine, and I can browse to it fine in a web browser.

Is there any logging for the extension that I can look at perhaps?

Cheers

[bwateratmsft]

That's very helpful to know. @pWoLiAn does your registry also use a self-signed certificate?

[pWoLiAn]

yes

[fengjianxincoke]

I had the same problem with my mac,
vs code version: 1.88.1
docker plugin version: 1.29.0
I can't connect to docker hub registried

[TorchDSP]

Our current workaround is to use version v1.28.0. Otherwise getting the fetch failed message. Tried v1.29.1 this morning. Same issue as found with v1.29.0.

What we have seen is that with the newer versions it doesn't seem to reach out to the remote server. We don't see any new logs in the registry container. With v1.28.0 we see the GET transaction.

After more diagnosis, the fetch actually isn't being done on a consistent basis. No packets across the network and the plugin just declares the fetch failed. We are not using self-signed certificates.

[tonimore]

I confirm that 1.28.0 working fine and 1.29.1 doesn't

[RuthAlk]

another confirmation. Glad to have found this work-around, downgrading to 1.28 works.

[danegsta]

1.29.2 that was just pushed to the marketplace yesterday contains fixes to the Accept header used by the extension when connecting to V2 registries. I can't guarantee it will solve all the connection issues being reported, but it's worth testing to see if you're unblocked with the latest release.

[westy]

1.29.2 that was just pushed to the marketplace yesterday contains fixes to the Accept header used by the extension when connecting to V2 registries. I can't guarantee it will solve all the connection issues being reported, but it's worth testing to see if you're unblocked with the latest release.

Hi,

Good to hear updates are being made. Unfortunately this does not solve the self-certificate issue for it, so have had to revert to 1.28.0
Hopefully a future update can sort it.

Cheers

[RuthAlk]

1.29.2 that was just pushed to the marketplace yesterday contains fixes to the Accept header used by the extension when connecting to V2 registries. I can't guarantee it will solve all the connection issues being reported, but it's worth testing to see if you're unblocked with the latest release.

Thanks for the update, but as mentioned above as well, it does not fix the issue with connecting to a docker with self-signed certificate. Reverted to 1.28

[bwateratmsft]

So, it's not a good security practice, but you might be able to work around it by setting the environment variable NODE_TLS_REJECT_UNAUTHORIZED=0 for VSCode before launching it. Node.js has a static list of trusted root certificates; the system certificate store is ignored unfortunately.

A better solution would be to get "real" certificates for the registries, but of course that likely will cost money.

EDIT: see @danegsta's comment just below for a better possible workaround.

[danegsta]

It looks like node also supports trusting a specific certificate by setting the NODE_EXTRA_CA_CERTS environment variable (i.e. NODE_EXTRA_CA_CERTS=/path/to/your/cert.pem). This should hopefully allow you to trust the specific certificate without disabling the certificate trust feature entirely.

[pWoLiAn]

@danegsta @bwateratmsft Can i set this ENV variable(NODE_EXTRA_CA_CERTS) as part of ~/.bashrc? Will the extension be able to pick it up from there?
UPDATE: I'm able to bypass the issue by setting the env in my bashrc(im using ubuntu). Closing since I feel like the issue has served its purpose.

[bwateratmsft]

I'm not familiar enough with Unix to know for sure, you'd have to try it out.

[egoward]

I hit this with my private registry and found a setting in VSCode -

HTTP / Experimental / System Certificates V2
"Controls whether experimental loading of CA certificates from the OS should be enabled..."

I think that basically fixes the odd default behaviour where it trusts a bundle of certs that ship with NodeJS

Also, it would be nice if the real TLS errors appeared somewhere.