Skip to content

[Bug] GitHub Copilot for Eclipse fails behind corporate TLS inspection proxy #319

Description

@HermannGBSL

GitHub Copilot for Eclipse fails behind corporate TLS inspection proxy

Environment

  • OS: Windows x64
  • Eclipse Version: Eclipse IDE 4.40.0.20260604-0652
  • Plugin Version: GitHub Copilot for Eclipse 0.18.0.202605200009

Describe the bug

GitHub Copilot Chat does not work behind a corporate TLS inspection proxy. The model list remains empty and chat requests fail because the bundled copilot-language-server.exe cannot validate the TLS certificate chain.

Eclipse receives the environment variable NODE_EXTRA_CA_CERTS, and a local Node.js HTTPS test works with the same PEM certificate, but the bundled Copilot language server still fails with:

UNABLE_TO_GET_ISSUER_CERT_LOCALLY
unable to get local issuer certificate

To Reproduce

  1. Install GitHub Copilot for Eclipse.
  2. Sign in to GitHub successfully.
  3. Configure a corporate root CA via:
$env:NODE_EXTRA_CA_CERTS="C:\Tmp\geislinger-root-ca.pem"
  1. Start Eclipse from the same PowerShell session:
& "D:\Apps\eclipse\eclipse.exe" -clean
  1. Open:
Help -> About Eclipse IDE -> Installation Details -> Configuration
  1. Verify that Eclipse sees:
NODE_EXTRA_CA_CERTS=C:\Tmp\geislinger-root-ca.pem
  1. Open GitHub Copilot Chat.
  2. The model dropdown remains empty.
  3. Sending a chat message fails.

Expected behavior

The bundled Copilot language server should honor NODE_EXTRA_CA_CERTS and trust the configured corporate root CA. The model list should load and Copilot Chat should function normally.

Screenshots

Screenshots available showing:

  • Empty model dropdown
  • Eclipse configuration showing NODE_EXTRA_CA_CERTS
  • Eclipse Error Log entries
  • Browser certificate chain

Additional context

Corporate TLS inspection is performed by Netwrix Endpoint Protector NetDLP.

The certificate chain presented to the browser is:

SLNBFLHE - Endpoint Protector NetDLP
└── github.com

A local Node.js test with the same PEM certificate succeeds:

Remove-Item Env:NODE_OPTIONS -ErrorAction SilentlyContinue
$env:NODE_EXTRA_CA_CERTS="C:\Tmp\geislinger-root-ca.pem"

node -e "console.log(process.env.NODE_EXTRA_CA_CERTS); require('https').get('https://api.github.com', r => console.log(r.statusCode)).on('error', e => console.error(e.code, e.message))"

Output:

C:\Tmp\geislinger-root-ca.pem
403

The HTTP 403 response confirms that TLS validation succeeds and the connection reaches GitHub.

The Copilot language server used by the plugin is bundled here:

D:\Apps\eclipse\configuration\org.eclipse.osgi\20\0\.cp\copilot-agent\copilot-language-server.exe

Relevant Eclipse Error Log:

[LS:GitHub Copilot Language Server][Error] [ProxyModelService] Failed to fetch proxy models: FetchError: unable to get local issuer certificate
    at fetch (C:\snapshot\cls-source\dist\main.js:1503:30559)
    at process.processTicksAndRejections (node:internal/process/task_queues:103:5)
    at async cachingFetch (C:\snapshot\cls-source\dist\main.js:1503:32639)
    at async EX.fetch (C:\snapshot\cls-source\dist\main.js:3770:43808)
    at async tNe.fetch (C:\snapshot\cls-source\dist\main.js:3895:39961)
    at async C9.fetchModels (C:\snapshot\cls-source\dist\main.js:3205:3140) {
      type: 'system',
      _name: 'FetchError',
      code: 'UNABLE_TO_GET_ISSUER_CERT_LOCALLY'
    }

Additional observations

  • Eclipse receives and displays NODE_EXTRA_CA_CERTS correctly.
  • Local Node.js 24.11.0 honors the certificate and can connect to GitHub.
  • The bundled copilot-language-server.exe appears not to honor NODE_EXTRA_CA_CERTS, or uses a different certificate validation mechanism than standard Node.js.
  • As a result, Copilot models cannot be loaded and chat functionality is unavailable.

Metadata

Metadata

Assignees

No one assigned

    Labels

    bugSomething isn't working

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions