What happened?
Description
Tool downloads from GitHub fail when running PPTB behind Zscaler (or any corporate SSL inspection proxy), even though GitHub is accessible in the browser.
Environment
- PPTB Version: 1.1.3
- OS: Windows 11
- Corporate proxy: Zscaler (SSL inspection / deep packet inspection enabled)
- Browser GitHub access: Working
Steps to Reproduce
- Install PPTB on a machine behind a Zscaler proxy with SSL inspection enabled.
- Open PPTB and navigate to the Tools section.
- Attempt to browse or install any tool from GitHub.
- Download fails silently or shows a network/connection error.
Expected Behavior
Tools should download successfully, as GitHub is reachable (browser confirms this).
Actual Behavior
Downloads fail. The underlying cause is an SSL certificate verification error. Zscaler
intercepts HTTPS traffic and re-signs it with its own root CA. This CA is installed in
the Windows system certificate store, which browsers trust. However, Node.js (used
internally by Electron for HTTP calls) maintains its own bundled CA store and does NOT
read from the Windows certificate store, so it rejects the Zscaler-signed certificate.
Expected error in logs: CERT_AUTHORITY_INVALID / unable to get local issuer certificate
Suggested Fix
One or more of the following would resolve this:
- Use NODE_EXTRA_CA_CERTS – Document that users can set this environment variable to point to the Zscaler root CA .pem file before launching PPTB:
- Use the OS certificate store in Node.js – Integrate a package such as win-ca or use Electron's net module (which uses Chromium's network stack and does honour the OS cert store) for all GitHub API/download calls instead of Node's https module.
This is a common issue for Electron apps in enterprise environments. Related prior art:
- win-ca / system certificate store integration
What version of the PPTB are you using?
1.1.3
Relevant log output
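An added example, not part of the original report and not PPTB code: a Node.js diagnostic that recognises the trust-store errors named above and checks whether NODE_EXTRA_CA_CERTS points at a usable PEM file, so a failed download produces an actionable log line instead of failing silently. All function names are hypothetical.

```javascript
// Added example; function names are hypothetical, not PPTB code.
const fs = require('fs');

// Codes that mean "the issuer is not in this process's trust store".
const TRUST_ERRORS = [
  'UNABLE_TO_GET_ISSUER_CERT_LOCALLY', // Node: "unable to get local issuer certificate"
  'SELF_SIGNED_CERT_IN_CHAIN',         // Node: private root sent in the chain
  'UNABLE_TO_VERIFY_LEAF_SIGNATURE',   // Node: "unable to verify the first certificate"
  'CERT_AUTHORITY_INVALID',            // Chromium: net::ERR_CERT_AUTHORITY_INVALID
];

function isTrustStoreError(err) {
  const text = `${(err && err.code) || ''} ${(err && err.message) || ''}`;
  return TRUST_ERRORS.some((code) => text.includes(code));
}

// Count PEM certificate blocks in a bundle (structure only, no X.509 parsing).
function countPemCerts(pem) {
  const re = /-----BEGIN CERTIFICATE-----[\s\S]+?-----END CERTIFICATE-----/g;
  return (pem.match(re) || []).length;
}

// Check that NODE_EXTRA_CA_CERTS names a readable file holding at least one cert.
function checkExtraCaEnv(env = process.env) {
  const file = env.NODE_EXTRA_CA_CERTS;
  if (!file) return { ok: false, reason: 'NODE_EXTRA_CA_CERTS is not set' };
  let pem;
  try {
    pem = fs.readFileSync(file, 'utf8');
  } catch (e) {
    return { ok: false, reason: `cannot read ${file} (${e.code})` };
  }
  const certs = countPemCerts(pem);
  if (certs === 0) return { ok: false, reason: `${file} has no PEM certificate` };
  return { ok: true, file, certs };
}

// Turn a download error into a log line; null means "not a trust problem".
function explainDownloadError(err, env = process.env) {
  if (!isTrustStoreError(err)) return null;
  const ca = checkExtraCaEnv(env);
  const hint = ca.ok
    ? `${ca.certs} CA certificate(s) found in ${ca.file}; check that the proxy root is one of them`
    : `${ca.reason}; export the proxy root CA as PEM and set the variable before launch`;
  return `TLS issuer not trusted (${err.code || 'no code'}): ${hint}`;
}
```

Node reads NODE_EXTRA_CA_CERTS once at process start, so the check reports what the running process was launched with; changing the variable requires a restart.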