Login fails with above error message. Proxy settings are configured as described in the troubleshooting guide. However, the ZScaler proxy used by our company monitors SSL connections by breaking them up with an intermediate root certificate. I already created a new root CA pem file and tried hard to make Inkdrop use it, to no avail. I also tried setting strict-ssl=false in the ipm config which seems to fix the problem for the package manager but not for Inkdrop itself.
Do you mean you are using a self-signed certificate?
That’s not recommended though I guess you have no choice to use it - Following pages might be helpful:
I’m sorry, it should have been strict-ssl=false. I tried the NODE_EXTRA_CA_CERTS way already but it didn’t work. By the way, I have the exact same problem with Atom. Downloading packages via Atom fails with the abovementioned error message whereas apm from the command line works fine as long as strict-ssl is off.
Hmm, basically I can’t allow self-signed certificates with settings like strict-ssl=false because the app has to ensure that our server is valid in order to prevent abuses.
It’s a ZScaler’s problem.
I agree, strict-ssl should be enabled. But that’s not the problem. The problem is that there seems to be no way to inject the ZScaler root certificate into the CA store. The ZScaler certificate is not ‘self-signed’, it is an intermediate certificate that must be trusted. Since I’m on the endpoint of the connection I should be allowed to modify the list of trusted certificates. When the root CA store is setup correctly it will work even with strict-ssl=true.
Well, since it’s difficult to debug in my environment, it seems that you have to solve it by yourself.
Since the app (also Atom) is built with Electron, you can reproduce it on NodeJS.
If NODE_EXTRA_CA_CERTS won’t work, I guess it should be your cert file problem.
Maybe this information about ca certs is helpful:
To resolve the NODE_EXTRA_CA_CERTS error, make sure you provide the correct path to the CA certificate file in the environment variable. For example, set NODE_EXTRA_CA_CERTS to the file path using export NODE_EXTRA_CA_CERTS=/path/to/ca-cert.pem in your terminal. This allows Node.js to use the specified CA certificates for SSL/TLS connections. Ensure the certificate file is valid and accessible by your application.
To know more about this NODE_EXTRA_CA_CERTS` error checkout [https://cheapsslweb.com/blog/fixing-unable-to-get-issuer-cert-locally-error/]
The error occurs because ZScaler intercepts SSL connections using its own root certificate, which Inkdrop doesn’t trust. First, try importing the ZScaler root CA certificate into your system’s trusted certificate store. If that doesn’t work, manually specify the certificate path by setting NODE_EXTRA_CA_CERTS=path/to/zscaler.pem in your environment variables. Also, try launching Inkdrop with strict-ssl=false, though this may reduce security. If the issue persists, check if Inkdrop allows custom certificate configurations. For more SSL insights, visit:- https://certera.com/kb/how-to-fix-ssl-certificate-problem-unable-to-get-local-issuer-certificate/