GitHub Copilot for Eclipse fails behind corporate TLS inspection proxy
Environment
- OS: Windows x64
- Eclipse Version: Eclipse IDE 4.40.0.20260604-0652
- Plugin Version: GitHub Copilot for Eclipse 0.18.0.202605200009
Describe the bug
GitHub Copilot Chat does not work behind a corporate TLS inspection proxy. The model list remains empty and chat requests fail because the bundled copilot-language-server.exe cannot validate the TLS certificate chain.
Eclipse receives the environment variable NODE_EXTRA_CA_CERTS, and a local Node.js HTTPS test works with the same PEM certificate, but the bundled Copilot language server still fails with:
UNABLE_TO_GET_ISSUER_CERT_LOCALLY
unable to get local issuer certificate
To Reproduce
- Install GitHub Copilot for Eclipse.
- Sign in to GitHub successfully.
- Configure a corporate root CA via:
$env:NODE_EXTRA_CA_CERTS="C:\Tmp\geislinger-root-ca.pem"
- Start Eclipse from the same PowerShell session:
& "D:\Apps\eclipse\eclipse.exe" -clean
- Open:
Help -> About Eclipse IDE -> Installation Details -> Configuration
- Verify that Eclipse sees:
NODE_EXTRA_CA_CERTS=C:\Tmp\geislinger-root-ca.pem
- Open GitHub Copilot Chat.
- The model dropdown remains empty.
- Sending a chat message fails.
Expected behavior
The bundled Copilot language server should honor NODE_EXTRA_CA_CERTS and trust the configured corporate root CA. The model list should load and Copilot Chat should function normally.
Screenshots
Screenshots available showing:
- Empty model dropdown
- Eclipse configuration showing
NODE_EXTRA_CA_CERTS
- Eclipse Error Log entries
- Browser certificate chain
Additional context
Corporate TLS inspection is performed by Netwrix Endpoint Protector NetDLP.
The certificate chain presented to the browser is:
SLNBFLHE - Endpoint Protector NetDLP
└── github.com
A local Node.js test with the same PEM certificate succeeds:
Remove-Item Env:NODE_OPTIONS -ErrorAction SilentlyContinue
$env:NODE_EXTRA_CA_CERTS="C:\Tmp\geislinger-root-ca.pem"
node -e "console.log(process.env.NODE_EXTRA_CA_CERTS); require('https').get('https://api.github.com', r => console.log(r.statusCode)).on('error', e => console.error(e.code, e.message))"
Output:
C:\Tmp\geislinger-root-ca.pem
403
The HTTP 403 response confirms that TLS validation succeeds and the connection reaches GitHub.
The Copilot language server used by the plugin is bundled here:
D:\Apps\eclipse\configuration\org.eclipse.osgi\20\0\.cp\copilot-agent\copilot-language-server.exe
Relevant Eclipse Error Log:
[LS:GitHub Copilot Language Server][Error] [ProxyModelService] Failed to fetch proxy models: FetchError: unable to get local issuer certificate
at fetch (C:\snapshot\cls-source\dist\main.js:1503:30559)
at process.processTicksAndRejections (node:internal/process/task_queues:103:5)
at async cachingFetch (C:\snapshot\cls-source\dist\main.js:1503:32639)
at async EX.fetch (C:\snapshot\cls-source\dist\main.js:3770:43808)
at async tNe.fetch (C:\snapshot\cls-source\dist\main.js:3895:39961)
at async C9.fetchModels (C:\snapshot\cls-source\dist\main.js:3205:3140) {
type: 'system',
_name: 'FetchError',
code: 'UNABLE_TO_GET_ISSUER_CERT_LOCALLY'
}
Additional observations
- Eclipse receives and displays
NODE_EXTRA_CA_CERTS correctly.
- Local Node.js 24.11.0 honors the certificate and can connect to GitHub.
- The bundled
copilot-language-server.exe appears not to honor NODE_EXTRA_CA_CERTS, or uses a different certificate validation mechanism than standard Node.js.
- As a result, Copilot models cannot be loaded and chat functionality is unavailable.
GitHub Copilot for Eclipse fails behind corporate TLS inspection proxy
Environment
Describe the bug
GitHub Copilot Chat does not work behind a corporate TLS inspection proxy. The model list remains empty and chat requests fail because the bundled
copilot-language-server.execannot validate the TLS certificate chain.Eclipse receives the environment variable
NODE_EXTRA_CA_CERTS, and a local Node.js HTTPS test works with the same PEM certificate, but the bundled Copilot language server still fails with:To Reproduce
Expected behavior
The bundled Copilot language server should honor
NODE_EXTRA_CA_CERTSand trust the configured corporate root CA. The model list should load and Copilot Chat should function normally.Screenshots
Screenshots available showing:
NODE_EXTRA_CA_CERTSAdditional context
Corporate TLS inspection is performed by Netwrix Endpoint Protector NetDLP.
The certificate chain presented to the browser is:
A local Node.js test with the same PEM certificate succeeds:
Output:
The HTTP 403 response confirms that TLS validation succeeds and the connection reaches GitHub.
The Copilot language server used by the plugin is bundled here:
Relevant Eclipse Error Log:
Additional observations
NODE_EXTRA_CA_CERTScorrectly.copilot-language-server.exeappears not to honorNODE_EXTRA_CA_CERTS, or uses a different certificate validation mechanism than standard Node.js.