SSL Related Issues with NPM & VSCode Extensions Due to Zscaler

Zscaler is used to secure the traffic from the client device to the Internet. But sometimes it also blocks you from accessing resources that should be trusted and considered safe. You may even waste a few hours trying to solve the problem before noticing that Zscaler is the root cause. This is what happened to me when I was using my Windows laptop with a Zscaler client.

The Issues

The first problem I encountered was failing to connect to GitHub Copilot through its VSCode plugin. An error message, "unable to get local issuer certificate", was shown:

After that, I kept seeing the same error message when I tried to run some NPM programs like dbdocs and the VSCode extension Dev Containers. It was blocking me from so many useful tools that I finally decided to solve it once and for all.

Cause

From the Zscaler page [1]:

Some applications maintain a custom trust store instead of using the default system trust store. As a result, the application is not able to validate Zscaler-generated server certificates and the TLS connection fails. In such cases, the users need to manually add the custom root CA to the custom trust store, or disable server certificate validation.

NPM is one of the applications that fall into this case. As VSCode is built on the Electron framework, it makes sense that VSCode plugins also require the user to configure the custom trust store.

Solution

Here we focus on how to set the trust store for NPM and VSCode. From this article [2], we can set the environment variable `NODE_EXTRA_CA_CERTS` to the path of the custom root CA certificate.

For example, on Mac:

export NODE_EXTRA_CA_CERTS=/path/to/RootCa.crt

Make sure the environment variable is set permanently.

For Mac, edit `~/.bash_profile`, `~/.profile` or whichever other shell profile you use.

For Windows, the easy way is to use the Advanced System Settings.

From the GitHub community discussions [3,4] and my own experience, you may need to set both the user and global environment variables.

This should solve most of the issues. However, in some cases, this does not work for the GitHub Copilot VSCode extension. For me, I needed to install another VSCode plugin, win-ca, and set the "Method of injection" to "Append", as suggested in the discussion page [4].

Getting the Root CA Cert

If you don't know where to get a trustworthy root CA cert (just like me 😀), one solution is to download the one you are using from the browser.

For example, in Chrome, go to any webpage with HTTPS:

Click to show the certificate:

Choose the root CA and export it:
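Once the certificate is exported, the file can be checked before Node.js is pointed at it. Node.js reads `NODE_EXTRA_CA_CERTS` only at process start and expects PEM, so a DER export or a wrong path leaves the "unable to get local issuer certificate" error in place. The script below is an added example, not code from the original post or the cited articles, and its function names are hypothetical:

```javascript
// Added example (not from the original post); function names are hypothetical.
const fs = require('node:fs');
const { X509Certificate } = require('node:crypto');

const PEM_BLOCK = /-----BEGIN CERTIFICATE-----[\s\S]+?-----END CERTIFICATE-----/g;

// Node.js only reads PEM from NODE_EXTRA_CA_CERTS, so identify the encoding first.
function classifyCertBytes(buf) {
  if (buf.length === 0) return { format: 'empty', blocks: [] };
  const blocks = buf.toString('latin1').match(PEM_BLOCK) || [];
  if (blocks.length > 0) return { format: 'pem', blocks };
  // A DER-encoded certificate starts with an ASN.1 SEQUENCE tag (0x30).
  return { format: buf[0] === 0x30 ? 'der' : 'unknown', blocks: [] };
}

// Summarise one PEM block; a parse failure is reported instead of thrown.
function describeBlock(pem, now = new Date()) {
  try {
    const cert = new X509Certificate(pem);
    return {
      ok: true,
      subject: cert.subject,
      selfIssued: cert.subject === cert.issuer, // expected for a root CA
      isCA: cert.ca,
      expired: new Date(cert.validTo) < now,
      sha256: cert.fingerprint256, // compare with a fingerprint from your administrator
    };
  } catch (err) {
    return { ok: false, error: err.message };
  }
}

// Check the path exactly as it would be given in NODE_EXTRA_CA_CERTS.
function checkExtraCaFile(path) {
  if (!path) return { status: 'unset', certs: [] };
  let buf;
  try {
    buf = fs.readFileSync(path);
  } catch (err) {
    return { status: 'unreadable', error: err.code, certs: [] };
  }
  const { format, blocks } = classifyCertBytes(buf);
  const certs = blocks.map((pem) => describeBlock(pem));
  const clean = certs.every((c) => c.ok && c.isCA && !c.expired);
  const status = format !== 'pem' ? format : clean ? 'ok' : 'pem-with-problems';
  return { status, certs };
}

console.log(JSON.stringify(checkExtraCaFile(process.env.NODE_EXTRA_CA_CERTS), null, 2));
```

Run it in the same terminal where NPM fails: a status of `unset` means the variable did not reach that process, and `der` means the certificate needs to be re-exported in Base64 (PEM) form.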

References

[1] Adding Custom Certificate to an Application Specific Trust Store

[2] Certificate error when installing packages with npm on a computer that has Zscaler installed

[3] GitHub community - "error: "unable to get local issuer certificate" behind zScaler proxy"

[4] GitHub community - "GitHub Copilot behind a Proxy with a self-signed certificate chain does still not work"