Help me please - Self-signed Certificate Issue - capath undefined

[dariocs]

Self-signed Certificate Issue - capath undefined and ignoreCertificateErrors not working

Environment

• VS Code Version: 1.107.0
• OS: Windows
• Extension: Code for IBM i
• IBM i Host: AS400.IT
• Debug Port: 8006
• Connection: Secure (TLS/SSL)

Problem Description

This issue started suddenly 4 days ago*. Until then, everything was working correctly for all users.

Current situation:

• 3 users: SEP works correctly, capath is populated with the correct certificate path
• 4 users (including myself): SEP fails with certificate error, capath shows "undefined"

When attempting to set a Service Entry Point (SEP), I encounter a self-signed certificate error. The Debug Console shows the following connection settings:

Connection settings: { 'host': 'AS400.IT', 'port': 8006, 'secure': true, 'capath': 'undefined', 'ignoreCertificateErrors': false, 'TLS_Version': undefined }
EQAVS1007E AS400.IT on port 8006 could not be connected.
Message received: self signed certificate in certificate chain

## Issues Identified

1. **`capath` field is "undefined"**
   - According to documentation: "If the capath field is undefined, update your Code for IBM i extension to a newer level"
   - The client certificate path is not being resolved

2. **`ignoreCertificateErrors` shows `false`**
   - Despite setting it to `true` in configuration, it still appears as `false` in connection settings
   - This causes certificate validation failures with self-signed certificates

## Configuration Applied

In `settings.json` under `code-for-ibmi.connectionSettings`:

```json
{
  "debugPort": "8006",
  "debugSecure": true,
  "debugUpdateProductionFiles": true,
  "debugEnableDebugTracing": true,
  "debugIsSecure": true,
  "debugIgnoreCertificateErrors": true,
  "ignoreCertificateErrors": true,
  "debugCertDirectory": "/QIBM/UserData/IBMiDebugService/certs"
}

Steps to Reproduce

1. Configure Code for IBM i connection to IBM i system with self-signed certificate
2. Set ignoreCertificateErrors: true in connection settings
3. Attempt to set a Service Entry Point (SEP)
4. Check Debug Console for "Connection settings" output
5. Observe that capath is "undefined" and ignoreCertificateErrors is false

Expected Behavior

• capath should contain the fully qualified path to the client certificate
• ignoreCertificateErrors should be true as configured
• SEP should be set successfully without certificate errors

Actual Behavior

• capath remains "undefined"
• ignoreCertificateErrors shows false despite configuration
• Certificate validation fails when setting SEP

Network Connectivity

Network connectivity test shows successful connection:

Test-NetConnection -ComputerName AS400.it -Port 8006
TcpTestSucceeded : True

Client Certificate Status

The client certificate exists at the correct location and it's the same on server:

C:\Users\myuser\as400.it_debug_service.crt

According to VS Code documentation: "To debug on IBM i, Visual Studio Code needs to load a client certificate to connect to the Debug Service. Each server has a unique certificate. This client certificate should exist at C:\Users\myuser\as400.it_debug_service.crt"

The certificate file is present, yet the capath field still shows "undefined" in the Debug Console connection settings. This suggests the extension is not detecting or loading the certificate properly.

Questions

Are there any additional configuration steps required for self-signed certificates in debug operations?

Server Certificate Information

On the IBM i host, the following files exist:

• /QIBM/UserData/IBMIDEBUGSERVICE/TrustStore
• /QIBM/UserData/IBMIDEBUGSERVICE/certs/debug_service.crt

Requested Assistance

• How to properly configure certificate handling for SEP operations?
• Why is capath not being populated despite having the certificate on the server?
• Which configuration setting correctly controls certificate validation bypass for debug/SEP operations?

Context	Version
Code for IBM i version	2.18.0
Visual Studio Code version	1.107.0
Operating System	win32_x64

Active extensions

Browse Lite (browse-lite): 0.3.9
CL (vscode-clle): 1.1.8
COBOL (cobol): 25.12.14
Code for IBM i Spooled Files (vscode-ibmi-userspooledfiles): 1.2.5
Code for IBM i Walkthroughs (vscode-ibmi-walkthroughs): 0.5.0
Configuration Editing (configuration-editing): 1.0.0
Db2 for IBM i (vscode-db2i): 1.15.1
Debugger for Java (vscode-java-debug): 0.58.4
ESLint (vscode-eslint): 3.0.20
Emmet (emmet): 1.0.0
Error Lens (errorlens): 3.26.0
Excel Viewer (gc-excelviewer): 4.2.64
Extension Authoring (extension-editing): 1.0.0
Git (git): 1.0.0
Git Base (git-base): 1.0.0
GitHub (github): 0.0.1
GitHub Authentication (github-authentication): 0.0.2
GitHub Copilot Chat (copilot-chat): 0.35.0
IBM i Debug (ibmidebug): 3.0.2
IBM i Notebooks (vscode-ibmi-notebooks): 0.0.6
IBM i Project Explorer (vscode-ibmi-projectexplorer): 2.12.3
IBM i Testing (vscode-ibmi-testing): 1.2.3
JSON Language Features (json-language-features): 1.0.0
Java (oracle-java): 25.0.0
JavaScript Debugger (js-debug): 1.105.0
Language Support for Java(TM) by Red Hat (java): 1.50.0
Live Server (LiveServer): 5.7.9
Merge Conflict (merge-conflict): 1.0.0
Microsoft Account (microsoft-authentication): 0.0.1
NPM support for VS Code (npm): 1.0.1
Node Debug Auto-attach (debug-auto-launch): 1.0.0
Path Intellisense (path-intellisense): 2.10.0
Pylance (vscode-pylance): 2025.10.100
Python (python): 2025.20.0
Python Debugger (debugpy): 2025.17.2025121601
Python Environments (vscode-python-envs): 1.15.13491016
RPGLE (vscode-rpgle): 0.33.3
Server Ready Action (debug-server-ready): 1.0.0
Source Orbit (vscode-sourceorbit): 1.4.1
TODO Highlight (vscode-todo-highlight): 1.0.5
Terminal Suggest for VS Code (terminal-suggest): 1.0.1
TypeScript and JavaScript Language Features (typescript-language-features): 1.0.0

---

Remote system

Setting	Value
IBM i OS	V7R5M0
Tech Refresh	5
CCSID Origin	65535
Runtime CCSID	1144
Default CCSID	1144
SSHD CCSID	?
cqsh	true
SQL	Enabled
Source dates	Enabled

Enabled features

/QOpenSys/pkgs/bin	/usr/bin	/QSYS.lib/ILEDITOR.lib	/QSYS.LIB	/QIBM/ProdData/IBMiDebugService/bin	/QOpenSys/QIBM/ProdData/JavaVM/jdk80	/QOpenSys/QIBM/ProdData/JavaVM/jdk11	/QOpenSys/QIBM/ProdData/JavaVM/jdk17
bash	attr	GETNEWLIBL.PGM	QZDFMDB2.PGM	startDebugService.sh	64bit	64bit	64bit
chsh	iconv
find	setccsid
git	uname
grep
ls
md5sum
pfgrep
sort
stat
tar
tn5250

[dariocs]

--UPDATE--

Despite having a valid SSL/TLS certificate and correctly setting the DEBUG_CA_PATH environment variable, the IBM i Debug extension (version 3.0.2) fails to establish secure connections when creating Service Entry Points. The connection fails with certificate-related errors for unexplained reasons.

Environment Details
Certificate: Valid and properly configured
Environment Variable: DEBUG_CA_PATH is correctly set to the certificate path

#Expected Behavior
When DEBUG_CA_PATH is properly configured with a valid certificate, the extension should:

Read the certificate from the specified path
Use it to establish a secure TLS connection
Successfully create Service Entry Points without certificate errors
Actual Behavior
The extension fails throws certificate-related errors, even though:

The certificate file exists and is valid
The DEBUG_CA_PATH environment variable points to the correct certificate location
The certificate works correctly when certificate validation is disabled

#Workaround Found
The issue can be resolved by modifying the extension's compiled JavaScript files to always set ignoreCertificateErrors: true:

Files modified:

extension.js - Changed all occurrences of ignoreCertificateErrors:!1 to ignoreCertificateErrors:!0
debugAdapter.js - Changed all occurrences of ignoreCertificateErrors:!1 to ignoreCertificateErrors:!0

After these modifications, everything works correctly, which confirms:

The connection itself is functional
The certificate is valid
The issue is specifically with how the extension handles certificate validation when DEBUG_CA_PATH is set

[dariocs]

To partially address the issue, I created this pull request:
codefori/vscode-ibmi#3011