[BUG] 2.1.193 VS Code extension (Windows, native): OAuth login fails "certificate has expired" — regression from 2.1.190

Resolved 💬 0 comments Opened Jun 26, 2026 by j3-solutions Closed Jun 26, 2026

What's Wrong?

On Windows with native VS Code (not Remote-WSL), the Claude Code VS Code extension 2.1.193 fails OAuth login/refresh for a claude.ai subscription with Error: certificate has expired.

The browser half of sign-in completes, but when the extension exchanges/refreshes the token it fails. Downgrading the extension to 2.1.190 fixes it immediately, so this is a regression.

The failing endpoints are platform.claude.com (/v1/oauth/token) and claude.com, which use Let's Encrypt certificates. api.anthropic.com (Google Trust Services) is unaffected, so normal API calls keep working while only login/OAuth-refresh fails.

What Should Happen?

OAuth login and token refresh should succeed in 2.1.193 exactly as they do in 2.1.190. The Let's Encrypt chain for platform.claude.com / claude.com should validate against the valid ISRG Root X1 instead of failing on the long-expired DST Root CA X3.

Error Messages / Logs

[ERROR] OAuth refresh failed (expected): certificate has expired
[INFO]  claude_authenticate flow ended: Error: certificate has expired
[error] Error processing client request: Error: certificate has expired

# CA agent the extension builds (from its own debug log):
[DEBUG] CA certs: stores=bundled,system, extraCertsPath=undefined
[DEBUG] CA certs: Loaded 120 bundled root certificates
[DEBUG] CA certs: Loaded 331 system CA certificates
[DEBUG] mTLS: Creating HTTPS agent with custom certificates

Steps to Reproduce

  1. A Windows machine whose certificate store still contains the expired DST Root CA X3 (notAfter 2021-09-30) alongside a valid ISRG Root X1 (common — Windows ships X3 for legacy compatibility).
  2. Install the Claude Code VS Code extension 2.1.193 (anthropic.claude-code-2.1.193-win32-x64) on native Windows VS Code (not Remote-WSL).
  3. Sign out / let the OAuth token expire, then sign in with a claude.ai (Pro/Max) account.
  4. The browser sign-in completes, but the extension errors: claude_authenticate flow ended: Error: certificate has expired.

Works under Remote-WSL (Linux extension host). Reverting the extension to 2.1.190 fixes it.

Root-cause Analysis & Additional Information

Root-cause analysis (local investigation):

The OAuth/login hosts use Let's Encrypt; the API host uses Google Trust Services:

| Host | Chain | Result |
|---|---|---|
| platform.claude.com (token endpoint) | leaf ← YE1ISRG Root X2ISRG Root X1 (Let's Encrypt) | fails |
| claude.com | leaf ← E7ISRG Root X1 (Let's Encrypt) | fails |
| api.anthropic.com | leaf ← WE1GTS Root R4GlobalSign Root CA (Google) | works |

The affected Windows trust store contains the expired DST Root CA X3 (notAfter 2021-09-30) next to a valid self-signed ISRG Root X1. The error is strictly CERT_HAS_EXPIRED, and it occurs only on the Let's Encrypt OAuth hosts, never on the Google API host. The most consistent explanation: 2.1.193's OAuth client builds the Let's Encrypt chain up to the expired DST Root CA X3 cross-sign instead of terminating at the valid self-signed ISRG Root X1 (the classic post-2021 Let's Encrypt pitfall). 2.1.190 does not.

The general API client validates those same Let's Encrypt hosts fine (verified by pointing ANTHROPIC_BASE_URL=https://claude.com — TLS succeeds, only HTTP differs). So only the OAuth/login code path regressed — it appears not to prefer the self-signed ISRG Root X1 (e.g. missing X509_V_FLAG_TRUSTED_FIRST-equivalent) when the system store contains both roots.

Ruled out — not a corporate proxy / MITM issue: the machine runs ESET with SSL/TLS protocol filtering, but ESET does not intercept the bundled claude.exe/Node (they see the real Let's Encrypt chain), and adding the ESET root via NODE_EXTRA_CA_CERTS does not help.

Workarounds: (a) downgrade the extension to 2.1.190; or (b) remove/distrust the expired DST Root CA X3 from the Windows certificate store (keeping ISRG Root X1).

Environment: Windows 10 x64, native VS Code (Windows extension host); bundled native claude.exe (Bun runtime); also Node v22.12 present.

---

Metadata

  • Is this a regression? Yes — last working version 2.1.190, broken in 2.1.193.
  • Claude Code version: 2.1.193 (Claude Code) — VS Code extension anthropic.claude-code-2.1.193-win32-x64.
  • Platform: Anthropic API.
  • OS: Windows 10 x64 — native VS Code (Windows extension host). Works under Remote-WSL.
  • Terminal: VS Code.

View original on GitHub ↗