@rli rli commented Jun 11, 2025

Instead of trying to intelligently select the specific custom CA needed to connect to Amazon Q, just send all IDE trust anchors along to Flare.

Additionally, if the user already defines NODE_EXTRA_CA_CERTS, use it directly and no-op our logic.

2025-06-11 15:29:58,126 [   5616]   INFO - software.aws.toolkits.jetbrains.services.amazonq.lsp.AmazonQServerInstance - Trust chain for https://q.us-east-1.amazonaws.com/ ends with public-like CA with sha256 fingerprint: 568d6905a2c88708a4b3025190edcfedb1974a606a13c6e5290fcb2ae63edab5
2025-06-11 15:29:58,618 [   6108]   INFO - software.aws.toolkits.jetbrains.services.amazonq.lsp.AmazonQServerInstance - Trust chain for https://q.eu-central-1.amazonaws.com/ ends with public-like CA with sha256 fingerprint: 568d6905a2c88708a4b3025190edcfedb1974a606a13c6e5290fcb2ae63edab5
2025-06-11 15:29:58,868 [   6358]   INFO - software.aws.toolkits.jetbrains.services.amazonq.lsp.AmazonQServerInstance - Trust chain for https://codewhisperer.us-east-1.amazonaws.com/ ends with public-like CA with sha256 fingerprint: 568d6905a2c88708a4b3025190edcfedb1974a606a13c6e5290fcb2ae63edab5
2025-06-11 15:31:17,563 [  85053]   INFO - software.aws.toolkits.jetbrains.services.amazonq.lsp.AmazonQServerInstance - Trust chain for https://q.us-east-1.amazonaws.com/ transits private CA:
Issuer: O=mitmproxy, CN=mitmproxy,Subject: CN=q.us-east-1.amazonaws.com,Fingerprint: 78fcf2780d6ae65d41b3adb2ef46aebd2586e2037ca2fd7232bf4d1b1bbd3ac4
	Issuer: O=mitmproxy, CN=mitmproxy,Subject: O=mitmproxy, CN=mitmproxy,Fingerprint: d01cc3dbb35db82cec01cb221d81fa7d4b2a7280a88bd3e1f961c402c76a67e0
	
2025-06-11 15:31:18,085 [  85575]   INFO - software.aws.toolkits.jetbrains.services.amazonq.lsp.AmazonQServerInstance - Trust chain for https://q.eu-central-1.amazonaws.com/ transits private CA:
Issuer: O=mitmproxy, CN=mitmproxy,Subject: CN=q.eu-central-1.amazonaws.com,Fingerprint: 840b8421cd4945f2fb6da4c4add7651845c0e4752941cca48826eb826b00f054
	Issuer: O=mitmproxy, CN=mitmproxy,Subject: O=mitmproxy, CN=mitmproxy,Fingerprint: d01cc3dbb35db82cec01cb221d81fa7d4b2a7280a88bd3e1f961c402c76a67e0
	
2025-06-11 15:31:18,345 [  85835]   INFO - software.aws.toolkits.jetbrains.services.amazonq.lsp.AmazonQServerInstance - Trust chain for https://codewhisperer.us-east-1.amazonaws.com/ transits private CA:
Issuer: O=mitmproxy, CN=mitmproxy,Subject: CN=codewhisperer.us-east-1.amazonaws.com,Fingerprint: 4c3dbf4a7e91627b01158a83ae05773d9aef06190bbccdaf219f5677349a7861
	Issuer: O=mitmproxy, CN=mitmproxy,Subject: O=mitmproxy, CN=mitmproxy,Fingerprint: d01cc3dbb35db82cec01cb221d81fa7d4b2a7280a88bd3e1f961c402c76a67e0
2025-06-11 15:53:16,734 [   7324]   INFO - software.aws.toolkits.jetbrains.services.amazonq.lsp.AmazonQServerInstance - Injecting 119 trusted certificates (1 from IDE custom manager) into NODE_EXTRA_CA_CERTS
2025-06-11 15:53:16,750 [   7340]   INFO - software.aws.toolkits.jetbrains.services.amazonq.lsp.AmazonQServerInstance - Starting Flare with NODE_EXTRA_CA_CERTS: /var/folders/qp/tj7sfstn0qb5nl6vg9t47qg40000gq/T/q-extra-ca14146856742507934480.pem

License

I confirm that my contribution is made under the terms of the Apache 2.0 license.

@rli rli requested a review from a team as a code owner June 11, 2025 23:00

github-actions bot commented Jun 11, 2025

Qodana Community for JVM

It seems all right 👌

No new problems were found according to the checks applied

💡 Qodana analysis was run in the pull request mode: only the changed files were checked

@rli rli merged commit a0196f5 into main Jun 12, 2025
14 of 16 checks passed
@rli rli deleted the rli/certs-tweak branch June 12, 2025 03:52
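
The approach from the PR description, as an added sketch that is not the toolkit's own code: keep a user-supplied NODE_EXTRA_CA_CERTS untouched, otherwise write every trust anchor to a PEM bundle and point the child Node process at it. `configureExtraCaCerts` and its `customAnchors` parameter are hypothetical names, and the JVM default trust store stands in for the IDE's built-in anchors.

```kotlin
import java.nio.file.Files
import java.nio.file.Path
import java.security.KeyStore
import java.security.cert.X509Certificate
import java.util.Base64
import javax.net.ssl.TrustManagerFactory
import javax.net.ssl.X509TrustManager

// Trust anchors from the JVM default store (an assumption standing in for the IDE's store).
fun defaultAnchors(): List<X509Certificate> {
    val tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm())
    tmf.init(null as KeyStore?) // null selects the platform default trust store
    return tmf.trustManagers.filterIsInstance<X509TrustManager>()
        .flatMap { it.acceptedIssuers.toList() }
}

// DER to PEM with 64-character base64 lines.
fun toPem(cert: X509Certificate): String {
    val body = Base64.getMimeEncoder(64, "\n".toByteArray()).encodeToString(cert.encoded)
    return "-----BEGIN CERTIFICATE-----\n$body\n-----END CERTIFICATE-----\n"
}

// Hypothetical helper. customAnchors: certificates the user added to the IDE's custom trust manager.
// Returns the bundle path, or null when the user's own setting was kept.
fun configureExtraCaCerts(env: MutableMap<String, String>, customAnchors: List<X509Certificate>): Path? {
    // A value the user already set wins: do not override it or merge into it.
    if (!env["NODE_EXTRA_CA_CERTS"].isNullOrBlank()) return null

    // Certificate.equals compares encoded forms, so distinct() drops duplicate anchors.
    val anchors = (defaultAnchors() + customAnchors).distinct()

    // Files.createTempFile creates the file owner read/write only on POSIX (JDK default),
    // which keeps other local users from editing the bundle before Node reads it.
    val bundle = Files.createTempFile("q-extra-ca", ".pem")
    Files.writeString(bundle, anchors.joinToString("") { toPem(it) })
    bundle.toFile().deleteOnExit()

    env["NODE_EXTRA_CA_CERTS"] = bundle.toString()
    return bundle
}

fun main() {
    // Placeholder command; the real launcher would start the language server here.
    val pb = ProcessBuilder("node", "--version")
    val bundle = configureExtraCaCerts(pb.environment(), emptyList())
    println(bundle?.let { "NODE_EXTRA_CA_CERTS=$it" } ?: "keeping user-provided NODE_EXTRA_CA_CERTS")
}
```

Node reads NODE_EXTRA_CA_CERTS once at process start and adds the bundle to its built-in roots, so the child process ends up trusting every anchor the launcher wrote, including any interception CA among them.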