Unable to get local issuer certificate


(Johannes Asal) #1

Bug report

Login fails with the above error message. Proxy settings are configured as described in the troubleshooting guide. However, the ZScaler proxy used by our company monitors SSL connections by breaking them up with an intermediate root certificate. I already created a new root CA pem file and tried hard to make Inkdrop use it, to no avail. I also tried setting strict-ssl=false in the ipm config, which seems to fix the problem for the package manager but not for Inkdrop itself.

Info

  • Platform: Windows
  • Platform version: 10
  • App Version: latest

(Takuya Matsuyama) #2

Hi Johannes,

Do you mean you are using a self-signed certificate?
That’s not recommended, though I guess you have no choice but to use it. The following pages might be helpful:


(Takuya Matsuyama) #3

I don’t get why ipm works with strict-ssl=true (which should be true by default btw) because that config lets ipm check if your certificate is valid.


(Takuya Matsuyama) #4

Also setting NODE_EXTRA_CA_CERTS in your environment variables would solve the problem, according to this post:


(Johannes Asal) #5

I’m sorry, it should have been strict-ssl=false. I tried the NODE_EXTRA_CA_CERTS way already but it didn’t work. By the way, I have the exact same problem with Atom. Downloading packages via Atom fails with the above-mentioned error message, whereas apm from the command line works fine as long as strict-ssl is off.


(Takuya Matsuyama) #6

Hmm, basically I can’t allow self-signed certificates with settings like strict-ssl=false because the app has to ensure that our server is valid in order to prevent abuses.
It’s ZScaler’s problem.


(Johannes Asal) #7

I agree, strict-ssl should be enabled. But that’s not the problem. The problem is that there seems to be no way to inject the ZScaler root certificate into the CA store. The ZScaler certificate is not ‘self-signed’, it is an intermediate certificate that must be trusted. Since I’m on the endpoint of the connection I should be allowed to modify the list of trusted certificates. When the root CA store is set up correctly it will work even with strict-ssl=true.


(Takuya Matsuyama) #8

Well, since it’s difficult to debug in my environment, it seems that you have to solve it by yourself.
Since the app (also Atom) is built with Electron, you can reproduce it on NodeJS.
If NODE_EXTRA_CA_CERTS won’t work, I guess it should be a problem with your cert file.
Maybe this information about ca certs is helpful:

https://git.coolaj86.com/coolaj86/ssl-root-cas.js#important-try-this-first