[BUG] 2.1.193 VS Code extension (Windows, native): OAuth login fails "certificate has expired" — regression from 2.1.190
What's Wrong?
On Windows with native VS Code (not Remote-WSL), the Claude Code VS Code extension 2.1.193 fails OAuth login/refresh for a claude.ai subscription with Error: certificate has expired.
The browser half of sign-in completes, but when the extension exchanges/refreshes the token it fails. Downgrading the extension to 2.1.190 fixes it immediately, so this is a regression.
The failing endpoints are platform.claude.com (/v1/oauth/token) and claude.com, which use Let's Encrypt certificates. api.anthropic.com (Google Trust Services) is unaffected, so normal API calls keep working while only login/OAuth-refresh fails.
What Should Happen?
OAuth login and token refresh should succeed in 2.1.193 exactly as they do in 2.1.190. The Let's Encrypt chain for platform.claude.com / claude.com should validate against the valid ISRG Root X1 instead of failing on the long-expired DST Root CA X3.
Error Messages / Logs
[ERROR] OAuth refresh failed (expected): certificate has expired
[INFO] claude_authenticate flow ended: Error: certificate has expired
[error] Error processing client request: Error: certificate has expired
# CA agent the extension builds (from its own debug log):
[DEBUG] CA certs: stores=bundled,system, extraCertsPath=undefined
[DEBUG] CA certs: Loaded 120 bundled root certificates
[DEBUG] CA certs: Loaded 331 system CA certificates
[DEBUG] mTLS: Creating HTTPS agent with custom certificates
Steps to Reproduce
- A Windows machine whose certificate store still contains the expired
DST Root CA X3(notAfter 2021-09-30) alongside a validISRG Root X1(common — Windows ships X3 for legacy compatibility). - Install the Claude Code VS Code extension 2.1.193 (
anthropic.claude-code-2.1.193-win32-x64) on native Windows VS Code (not Remote-WSL). - Sign out / let the OAuth token expire, then sign in with a claude.ai (Pro/Max) account.
- The browser sign-in completes, but the extension errors:
claude_authenticate flow ended: Error: certificate has expired.
Works under Remote-WSL (Linux extension host). Reverting the extension to 2.1.190 fixes it.
Root-cause Analysis & Additional Information
Root-cause analysis (local investigation):
The OAuth/login hosts use Let's Encrypt; the API host uses Google Trust Services:
| Host | Chain | Result |
|---|---|---|
| platform.claude.com (token endpoint) | leaf ← YE1 ← ISRG Root X2 ← ISRG Root X1 (Let's Encrypt) | fails |
| claude.com | leaf ← E7 ← ISRG Root X1 (Let's Encrypt) | fails |
| api.anthropic.com | leaf ← WE1 ← GTS Root R4 ← GlobalSign Root CA (Google) | works |
The affected Windows trust store contains the expired DST Root CA X3 (notAfter 2021-09-30) next to a valid self-signed ISRG Root X1. The error is strictly CERT_HAS_EXPIRED, and it occurs only on the Let's Encrypt OAuth hosts, never on the Google API host. The most consistent explanation: 2.1.193's OAuth client builds the Let's Encrypt chain up to the expired DST Root CA X3 cross-sign instead of terminating at the valid self-signed ISRG Root X1 (the classic post-2021 Let's Encrypt pitfall). 2.1.190 does not.
The general API client validates those same Let's Encrypt hosts fine (verified by pointing ANTHROPIC_BASE_URL=https://claude.com — TLS succeeds, only HTTP differs). So only the OAuth/login code path regressed — it appears not to prefer the self-signed ISRG Root X1 (e.g. missing X509_V_FLAG_TRUSTED_FIRST-equivalent) when the system store contains both roots.
Ruled out — not a corporate proxy / MITM issue: the machine runs ESET with SSL/TLS protocol filtering, but ESET does not intercept the bundled claude.exe/Node (they see the real Let's Encrypt chain), and adding the ESET root via NODE_EXTRA_CA_CERTS does not help.
Workarounds: (a) downgrade the extension to 2.1.190; or (b) remove/distrust the expired DST Root CA X3 from the Windows certificate store (keeping ISRG Root X1).
Environment: Windows 10 x64, native VS Code (Windows extension host); bundled native claude.exe (Bun runtime); also Node v22.12 present.
---
Metadata
- Is this a regression? Yes — last working version 2.1.190, broken in 2.1.193.
- Claude Code version:
2.1.193 (Claude Code)— VS Code extensionanthropic.claude-code-2.1.193-win32-x64. - Platform: Anthropic API.
- OS: Windows 10 x64 — native VS Code (Windows extension host). Works under Remote-WSL.
- Terminal: VS Code.