[Bug]: Unexpected CertVerifyProcBuiltin stderr with self-signed certs after upgrading

[flotwig]

Preflight Checklist

• I have read the Contributing Guidelines for this project.
• I agree to follow the Code of Conduct that this project adheres to.
• I have searched the issue tracker for a bug report that matches the one I want to file, without success.

Electron Version

18.3.0. Issue appeared starting with 17.0.0-alpha.4 and exists in latest (19.0.4)

What operating system are you using?

Ubuntu

Operating System Version

I am on Ubuntu, but users have reported this with other OS's.

What arch are you using?

x64

Last Known Working Electron version

17.0.0-alpha.3

Expected Behavior

We are passing --ignore-certificate-errors to Electron in Cypress to suppress cert errors for our self-signed HTTPS proxy. This worked fine, and still works fine in new versions of Electron. But after upgrading our Electron version to 18.3.0, users began getting confusing errors in the stderr.

GH Discussion thread: cypress-io/cypress#22128

Sample of unexpected stderr:

[3801:0606/152837.383892:ERROR:cert_verify_proc_builtin.cc(681)] CertVerifyProcBuiltin for www.googletagmanager.com failed:
----- Certificate i=0 (OU=Cypress Proxy Server Certificate,O=Cypress Proxy CA,L=Internet,ST=Internet,C=Internet,CN=www.googletagmanager.com) -----
ERROR: No matching issuer found
[3801:0606/152837.390166:ERROR:cert_verify_proc_builtin.cc(681)] CertVerifyProcBuiltin for cdn.segment.io failed:
----- Certificate i=0 (OU=Cypress Proxy Server Certificate,O=Cypress Proxy CA,L=Internet,ST=Internet,C=Internet,CN=cdn.segment.io) -----
ERROR: No matching issuer found
[3801:0606/152837.847154:ERROR:cert_verify_proc_builtin.cc(681)] CertVerifyProcBuiltin for www.google-analytics.com failed:
----- Certificate i=0 (OU=Cypress Proxy Server Certificate,O=Cypress Proxy CA,L=Internet,ST=Internet,C=Internet,CN=www.google-analytics.com) -----
ERROR: No matching issuer found
[3801:0606/152838.158565:ERROR:cert_verify_proc_builtin.cc(681)] CertVerifyProcBuiltin for rum.browser-intake-datadoghq.com failed:
----- Certificate i=0 (OU=Cypress Proxy Server Certificate,O=Cypress Proxy CA,L=Internet,ST=Internet,C=Internet,CN=rum.browser-intake-datadoghq.com) -----
ERROR: No matching issuer found

I isolated the issue to a change between 17.0.0-alpha.3 and 17.0.0-alpha.4. Based on the 17.0.0-alpha.4 changelog it seems that this Chromium bump is the most likely culprit.

I thought this could be related since it touches this exact area, but it doesn't appear to be in the changelog: #33204

Actual Behavior

I would expect --ignore-certificate-errors to ignore certificate errors fully, so no excess stderr produced because of SSL errors.

Testcase Gist URL

Repro: https://github.com/flotwig/electron-cert-verify-repro

Additional Information

Our current workaround is to filter the stderr and ignore these lines: cypress-io/cypress#22342

[flotwig]

#31982 does seem to touch the same patches #33204 touched, so maybe that's how there was a regression with that Chromium bump.

[vinhnq-1081]

I have the same issue
Help me give the solution, please 🙇

[3801:0606/152837.383892:ERROR:cert_verify_proc_builtin.cc(681)] CertVerifyProcBuiltin for www.googletagmanager.com failed:
----- Certificate i=0 (OU=Cypress Proxy Server Certificate,O=Cypress Proxy CA,L=Internet,ST=Internet,C=Internet,CN=www.googletagmanager.com) -----
ERROR: No matching issuer found

[github-actions]

This issue has been automatically marked as stale. If this issue is still affecting you, please leave any comment (for example, "bump"), and we'll keep it open. If you have any new additional information—in particular, if this is still reproducible in the latest version of Electron or in the beta—please include it with your comment!

[github-actions]

This issue has been closed due to inactivity, and will not be monitored. If this is a bug and you can reproduce this issue on a supported version of Electron please open a new issue and include instructions for reproducing the issue.

[hishammalik]

bump tested to be happening in 21.0.2 and 21.0.4

[codebytere]

Looks like 87c183d#diff-9f0f1bc931e7ccccf67980972e2f41ba1bb5f08b10f36631a584a7dd532cabba also created some related issues.

[github-actions]

This issue has been automatically marked as stale. If this issue is still affecting you, please leave any comment (for example, "bump"), and we'll keep it open. If you have any new additional information—in particular, if this is still reproducible in the latest version of Electron or in the beta—please include it with your comment!

[github-actions]

This issue has been closed due to inactivity, and will not be monitored. If this is a bug and you can reproduce this issue on a supported version of Electron please open a new issue and include instructions for reproducing the issue.

[rfricz]

Still happening in Electron 27.1.3. The docs state that calling callback(0) in my ses.setCertificateVerifyProc proc "Indicates success and disables Certificate Transparency verification", yet stderr is still polluted with CertVerifyProcBuiltin errors that I intentionally ignored.

[yizhi166]

bump, still happen, can someone help me take a look at this issue?

[flotwig]

@codebytere looks like this is still impacting users. Can it be reopened?