use node's built-in CA cert support

samgst-amazon · samgst-amazon · commit 9210fff750cb · 2025-06-17T13:08:09.000-07:00
diff --git a/packages/core/src/shared/lsp/utils/platform.ts b/packages/core/src/shared/lsp/utils/platform.ts
@@ -82,26 +82,14 @@ export async function validateNodeExe(nodePath: string[], lsp: string, args: str
 }
 
 /**
- * Gets Electron settings from VS Code
+ * Gets proxy settings from VS Code's Electron instance
  */
-export function getElectronSettings(): { caCerts?: string; proxyRules?: string; proxyBypassRules?: string } {
+export function getElectronProxySettings(): { proxyRules?: string; proxyBypassRules?: string } {
     try {
         // Access Electron's modules through VSCode's API
         // @ts-ignore - This is a valid access pattern in VSCode extensions
         const electron = require('electron')
-        const result: { caCerts?: string; proxyRules?: string; proxyBypassRules?: string } = {}
-
-        // Get certificates
-        if (electron?.net?.getCACertificates) {
-            const certs = electron.net.getCACertificates()
-            if (certs && certs.length > 0) {
-                // Convert the certificates to PEM format
-                result.caCerts = certs
-                    .map((cert: any) => cert.pemEncoded)
-                    .filter(Boolean)
-                    .join('\n')
-            }
-        }
+        const result: { proxyRules?: string; proxyBypassRules?: string } = {}
 
         // Get proxy settings from Electron
         if (electron?.session?.defaultSession?.getProxyRules) {
@@ -147,23 +135,27 @@ export function createServerOptions({
             Object.assign(processEnv, env)
         }
 
-        // Get Electron settings (certificates and proxy)
-        const electronSettings = getElectronSettings()
+        // Get proxy settings from Electron
+        const proxySettings = getElectronProxySettings()
+
+        // Enable Node.js to use system CA certificates
+        processEnv.NODE_TLS_USE_SYSTEM_CA_STORE = '1'
 
-        // Add system CA certificates to the Node process if not already set
-        if (!processEnv.NODE_EXTRA_CA_CERTS && electronSettings.caCerts) {
-            processEnv.NODE_EXTRA_CA_CERTS = electronSettings.caCerts
+        // Also set NODE_OPTIONS to ensure system CA certificates are used
+        const nodeOptions = processEnv.NODE_OPTIONS || ''
+        if (!nodeOptions.includes('--use-openssl-ca')) {
+            processEnv.NODE_OPTIONS = `${nodeOptions} --use-openssl-ca`.trim()
         }
 
-        // Add Electron proxy settings to the Node process
-        if (electronSettings.proxyRules && !processEnv.HTTP_PROXY) {
-            processEnv.HTTP_PROXY = electronSettings.proxyRules
-            processEnv.HTTPS_PROXY = electronSettings.proxyRules
+        // Add Electron proxy settings to the Node.js process
+        if (proxySettings.proxyRules && !processEnv.HTTP_PROXY) {
+            processEnv.HTTP_PROXY = proxySettings.proxyRules
+            processEnv.HTTPS_PROXY = proxySettings.proxyRules
         }
 
         // Add proxy bypass rules if available
-        if (electronSettings.proxyBypassRules) {
-            processEnv.NO_PROXY = electronSettings.proxyBypassRules
+        if (proxySettings.proxyBypassRules) {
+            processEnv.NO_PROXY = proxySettings.proxyBypassRules
         }
 
         const lspProcess = new ChildProcess(bin, args, {
