
feat: use system CAs in language server

Description

This change sends the --use-system-ca flag to the Language Server node process, when the NodeJS version is detected to be high enough. This instructs the language server to load system CAs when performing https operations.

(Note: The VS Code Extension already seems to load system CAs, I suspect through the use of the electron network stack, flags passed in by the host process (VS Code), or by the sharing of the node process across extensions. Not 100% sure which, but it's not relevant here.)

We don't define the NodeJS version - we get whatever the VS Code instance has embedded in it (via its Electron dependency). We currently support versions of VS Code that ship with NodeJS versions from before the flag was supported, thus the version check is required before providing the arg.

Related Issues

Issue: #2077

How has this been tested?

1. (optional) Verify the flag behavior on different NodeJS versions

Clone this repo and follow the README instructions: https://gitlab.com/tristan.read/test-node-flags

This verifies that passing the --use-system-ca flag is allowed for NodeJS versions 22.15.0 and above, but throws an error for versions below this.

2. Certificate setup

  1. Set up GDK using nginx + https (https://gitlab.com/gitlab-org/gitlab-development-kit/-/blob/main/doc/howto/nginx.md).
  2. Ensure that the mkcert certificate is installed (mkcert -install), and trusted (see https://docs.gitlab.com/editor_extensions/visual_studio_code/ssl/).
  3. Run the GDK.
  4. Create a project on the GDK and check it out locally.
  5. Open the local repository in VS Code.
  6. Run GitLab: Authenticate and input the GDK url (e.g. https://gdk.test:3443/). Complete the auth using a new or existing PAT.
    • Tip: To reduce confusion when testing - remove all other accounts from VS Code.
  7. Ensure that VS Code has no gitlab.ca, gitlab.cert, or gitlab.certKey settings enabled, either in user or workspace settings.

3. VS Code setup

We'll want to test VS Code with different NodeJS versions. To do so we'll download two older VS Code editions.

Tip: Give these unique names such as "Visual Studio Code v1.100.3".
Tip: You can run Open -> About Visual Studio Code to see the bundled NodeJS and Electron versions.
Tip: The extension doesn't activate unless the VS Code app is moved out of Downloads (on macOS). Not sure why, but this error will show up in the extension host logs if you try it and seems to prevent the extension from activating.
Tip: These downloaded versions are set to auto-update by default, watch out that you still have the right version after closing and opening.

  1. Close all VS Code instances.
  2. Open Visual Studio Code v1.100.3.
  3. Open the VS Code Extension project, checked out to the existing branch.
  4. Go to "Run and Debug" and select "Run Extension".
  5. In the Test Extension Host, open the locally checked out project from earlier.
    • If navigating here for the first time, close and rerun the Test Extension Host because changing folders will cause it to detach from the runner.
  6. View the GitLab Workflow logs.
  7. You should see some auth errors relating to token checks in the Language Server.
    • 2025-10-24T16:10:38:314 [warning]: [auth] Token validation failed in Language Server: (Token is invalid. Token validation failed: Error: request to https://gdk.test:3443/api/v4/personal_access_tokens/self failed, reason: unable to verify the first certificate. Reason: unknown). This can happen during OAuth token refresh.
  8. Apart from LS functionality, the extension should work correctly, e.g. viewing the assigned MRs.

Now we'll test with a newer version of NodeJS

  1. Close all VS Code instances.
  2. Open Visual Studio Code v1.101.2.
  3. Open the VS Code Extension project, checked out to the existing branch.
  4. Go to "Run and Debug" and select "Run Extension".
  5. The locally checked out project from earlier should open.
  6. View the GitLab Workflow logs.
  7. You should see NO auth errors relating to token checks in the Language Server.
    • 2025-10-24T16:13:03:954 [debug]: [auth] Syncing account credentials to language server (https://gdk.test:3443|1 - jolly-gorilla)
  8. Language Server functionality should now work (e.g. Code Suggestions or Duo Chat, if your GDK is configured with Duo features).

Previously, this last test would also fail, since the Language Server only had access to bundled CAs, which did not include the self-signed mkcert CA that is trusted by the system.

  • If src/browser or src/common has been modified, please consider interoperability with the Web IDE. See Running the Extension in WebIDE.
  • Consider an end-to-end test for significant new features that aren't covered by integration tests.

Screenshots (if appropriate)

What CHANGELOG entry will this MR create?

  • fix: Bug fix - fixes a user-facing issue in production - included in changelog
  • feature: New feature - a user-facing change which adds functionality - included in changelog
  • BREAKING CHANGE: (fix or feature that would cause existing functionality to change) - should bump major version, mentioned in the changelog
  • None - other non-user-facing changes
Edited by Tristan Read
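
The version gate described in the Description, as an added example that is not code from this merge request or from the extension: it adds --use-system-ca only for NodeJS 22.15.0 and above (the threshold stated in the testing notes) and omits it when the version cannot be parsed. The function names and the sample base argument are assumptions made for illustration.

```javascript
// Added illustration; function names are hypothetical, not the extension's own.
// Minimum NodeJS version that accepts --use-system-ca, per the MR's test notes.
const MIN_SYSTEM_CA_VERSION = [22, 15, 0];

// Parse "22.15.0" or "v22.15.0" into [major, minor, patch].
// Anything else (suffixes, missing parts, non-strings) yields null.
function parseNodeVersion(version) {
  const match = /^v?(\d+)\.(\d+)\.(\d+)$/.exec(String(version).trim());
  return match ? match.slice(1, 4).map(Number) : null;
}

// True only when the version is known and >= 22.15.0. Unknown or malformed
// versions return false: older NodeJS throws an error on the flag, so
// leaving it out is the safe default (the server then uses bundled CAs).
function supportsSystemCa(version) {
  const parsed = parseNodeVersion(version);
  if (!parsed) return false;
  for (let i = 0; i < 3; i += 1) {
    if (parsed[i] !== MIN_SYSTEM_CA_VERSION[i]) {
      return parsed[i] > MIN_SYSTEM_CA_VERSION[i];
    }
  }
  return true; // exactly 22.15.0
}

// Build the node arguments for the language server child process.
// baseArgs is copied so the caller's array is never mutated.
function languageServerExecArgv(nodeVersion, baseArgs = []) {
  return supportsSystemCa(nodeVersion)
    ? [...baseArgs, '--use-system-ca']
    : [...baseArgs];
}

// Constructed sample versions, not taken from any real VS Code build.
for (const v of ['20.18.1', '22.14.0', '22.15.0', 'v24.1.0', 'unknown']) {
  console.log(v, languageServerExecArgv(v, ['--enable-source-maps']));
}
```

In a real extension the version string would come from `process.versions.node` in the extension host, which is the NodeJS build embedded in that VS Code release.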
