Unable to check for update or sync - employer firewall?

I can sync files using OneDrive on iOS & personal Mac. I am unable to sync my Windows 10 PC at work, which gives the following message when I check for updates:

request to [github url] failed, reason: unable to get local issuer certificate.

And sync error messages like the one below consistently appear over the “synchronize” button in the bottom left corner:

Last error: FetchError: request to [url] failed, reason: unable to get local issuer certificate

///

Any suggestions or workarounds would be helpful. Many thanks.

Welcome to the forum @jasonian

I’m not a dev, just a user.

Can I clarify something in your post above? Are you trying to sync your work PC with OneDrive and getting an error relating to a GitHub URL?

When attempting to sync, the URL was a OneDrive URL. When using “check for updates,” the URL was a GitHub URL. The common failure in each event is the inability “to get local user certificate.” I hope this info helps.

@jasonian

I must apologise. Your original post was perfectly clear. For some reason I mis-read your post and “merged” the two situations into one…

Like you, I am wondering if your corporate network uses a proxy / security appliance between the end users and the outside world using its own internal certificates to act as a “man in the middle”. Your company can then monitor https traffic for malware / security policy compliance etc.

I found a possible explanation online

This error is thrown when the TLS certificate that is used to secure a request has a Root CA that isn’t trusted by the verifying program. This happens at many companies due to firewall configuration. They will usually terminate all requests to inspect them, then re-encrypt the request with its own CA cert.
Normally, this isn’t an issue because the Windows Certificate Store, the collection of CA certificates that Windows trusts, is controlled by group policy and will have IT’s certificate installed.
However, many cross-platform applications don’t use the Windows Certificate Store for some reason. They often will use the library OpenSSL to handle SSL/TLS requests. OpenSSL comes with a list of publicly trusted certificates, and only refers to this list when it verifies a request. This leads to security errors like ‘Unable to get local issuer certificate’ to be thrown and the request to be rejected.

(my emphasis)

I will admit that with this kind of network setup I am not just “not in my comfort zone” I’m not even in the same postcode as my “comfort zone”!! There may be another reason that this is happening.

I will therefore leave it to others for suggestions but of course if it is such a system causing these errors you could be heading for a “serious talking to” if you take actions to circumvent company IT security systems.

Yep, this looks like a transparent DPI kind of thing. This basically tells you that the company reads all your private emails and all other encrypted traffic in clear text. E2EE would solve this problem, but only for Joplin. All your other stuff is still available to the company. e.g. I would certainly not use personal email or online banking in that network.

But if you are aware of the consequences, you could set Ignore TLS certificate errors in Advanced Settings in the Synchronization tab of Preferences....

Good info to know, and a little disturbing. Will instead sync using USB drive, E2EE—and definitely stop doing personal transactions at work. Many thanks.
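
The explanation quoted earlier in the thread can be reproduced offline with the `openssl` command-line tool: a certificate re-signed by an internal root fails against a bundle of public roots only, and verifies once the internal root is in the trust bundle. This is an added example, not part of any post above; the two root CAs, the hostname `sync.example.test` and all file names are constructed stand-ins.

```bash
#!/usr/bin/env bash
# Constructed demo: every name, subject and file here is made up for illustration.
work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT

# make_root NAME SUBJECT: create a throwaway self-signed root (NAME.key / NAME.pem).
make_root() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "$2" \
    -keyout "$work/$1.key" -out "$work/$1.pem" 2>/dev/null
}

# check_chain BUNDLE: verify the server certificate against one trust bundle
# and print openssl's verdict (the failure text goes to stderr, so merge it).
check_chain() {
  openssl verify -CAfile "$1" "$work/server.pem" 2>&1 || true
}

make_root public "/CN=Constructed Public Root"        # stands in for an app's bundled public roots
make_root corp   "/CN=Constructed Corp Inspection CA" # stands in for the proxy's internal root

# The inspecting proxy re-signs the site's certificate with the internal root.
openssl req -newkey rsa:2048 -nodes -subj "/CN=sync.example.test" \
  -keyout "$work/server.key" -out "$work/server.csr" 2>/dev/null
openssl x509 -req -in "$work/server.csr" -days 1 -CAcreateserial \
  -CA "$work/corp.pem" -CAkey "$work/corp.key" -out "$work/server.pem" 2>/dev/null

# Trust bundle as a managed machine would have it: public roots plus the internal root.
cat "$work/public.pem" "$work/corp.pem" > "$work/managed.pem"

echo "bundled public roots only:"; check_chain "$work/public.pem"
echo "with internal root added:";  check_chain "$work/managed.pem"
echo "issuer the client actually sees:"
openssl x509 -in "$work/server.pem" -noout -issuer
```

The issuer line is the quickest check on a real machine: if it names an internal CA rather than a public one, the connection is being terminated and re-signed on the network.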