Unable to get local issuer certificate: company firewall

Joplin version: 2.5.12
OS: macOS 12.1

I receive a networking error when trying to "Check for updates" and when synchronizing with an AWS S3 bucket. When checking for updates, the message received states (in a pop-up) "request to failed, reason: unable to get local issuer certificate". And the S3 Synchronization error states "Last error: NetworkingError: unable to get local issuer certificate". I've seen two related issues on this forum, but neither has posted solutions for company firewalls or S3. I'm confident this is a company firewall issue (I'm on a company machine which requires Zscaler), but I'm curious to know if I can change a setting to "Ignore TLS certificate errors" like I've seen suggested when syncing on the desktop client to Nextcloud.

Any suggestions for getting past or ignoring these TLS issues? I'm using the notebook for company training and work notes so I'm comfortable with providing read-access to my company firewall (if that is what ignoring the TLS certificate required would cause).

Thanks!

I've upgraded the Joplin version to Joplin 2.6.9 and see the same error when checking for updates and checking the synchronization configuration.

A similar issue to this one appeared when I started using the AWS CLI, but I resolved that problem by exporting my local certificates to a ".pem" file and referencing the file to the AWS CLI with the command export AWS_CA_BUNDLE=/etc/ssl/certs/Certificates.pem. Any way I could reference this same file with the Joplin client?

Resolved the issue.

So it's a little hacky, but I was able to resolve the errors by using the "Ignore TLS certificate errors" setting in the Synchronization -> Nextcloud -> Show Advanced Settings window which sets a global variable of sorts. Even after switching from Nextcloud to S3, it appears the setting is still persistent. The settings.json file now includes the line "net.ignoreTlsErrors": true. I suppose this file could be manually edited for users who wanted to change the setting that way.

Perhaps this setting should be made more visible for users. Also, for security reasons, users should know when the setting is in place even after selecting a different synchronization type (the menu disappears when selecting S3 or other synchronization types but the Nextcloud "Ignore TLS certificate errors" value persists).

Cheers.

2 Likes

I hope you are aware that your company reads your TLS traffic.

2 Likes

Assuming macOS has the same options as Windows/Linux, the Advanced Sync Settings has an option to add a path to a local cert (pem) file. Is that what you are looking for?

screenshot

EDIT:

Apologies. Missed the fact that the certificate options only appear depending on the sync target selected.

However, as the setting "net.ignoreTlsErrors": true is retained in settings.json, could manually adding "net.customCertificates": "C:\\path\\to\\SSL\\certificates", also work for any sync target?
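
An added example, not part of any post in this thread and not Joplin's own code: a Python audit of a settings.json for the two keys discussed above, net.ignoreTlsErrors and net.customCertificates. The settings file path is supplied by the caller, and treating net.customCertificates as a comma-separated list of files or directories is an assumption.

```python
import json
import os
import sys

# Keys named in the thread above; function names here are illustrative.
IGNORE_KEY = "net.ignoreTlsErrors"
CERTS_KEY = "net.customCertificates"
PEM_MARKER = "-----BEGIN CERTIFICATE-----"


def pem_files(path):
    """Return candidate certificate files for a file or directory path."""
    if os.path.isdir(path):
        names = sorted(os.listdir(path))
        return [os.path.join(path, n) for n in names
                if os.path.isfile(os.path.join(path, n))]
    return [path] if os.path.isfile(path) else []


def has_pem(path):
    """True when the file contains at least one PEM certificate header."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return PEM_MARKER in fh.read()


def audit_settings(settings_path):
    """Return (severity, message) findings for one settings.json."""
    with open(settings_path, encoding="utf-8") as fh:
        settings = json.load(fh)
    findings = []
    if settings.get(IGNORE_KEY) is True:
        findings.append(("high", f"{IGNORE_KEY} is true: TLS certificate errors "
                         "are ignored, even if the sync target was changed since"))
    # Assumption: the value is a comma-separated list of files or directories.
    raw = str(settings.get(CERTS_KEY) or "")
    for entry in filter(None, (p.strip() for p in raw.split(","))):
        files = pem_files(entry)
        good = [f for f in files if has_pem(f)]
        if not files:
            findings.append(("medium", f"{CERTS_KEY}: {entry} not found or empty"))
        elif not good:
            findings.append(("medium", f"{CERTS_KEY}: {entry} has no PEM certificate"))
        else:
            findings.append(("info", f"{CERTS_KEY}: {entry} has {len(good)} PEM file(s)"))
    return findings


if __name__ == "__main__" and len(sys.argv) > 1:
    for severity, message in audit_settings(sys.argv[1]):
        print(f"[{severity}] {message}")
```
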

This sounds more like a bug; this was supposed to only be used for WebDAV. Maybe Joplin Cloud too.
I guess it makes sense to expose it for AWS - after all, you can self-host MinIO.

This is true. It will solve issues with self-signed certs.

However, it will not solve the OP's problem that the company is messing with TLS traffic.

Sure, I never suggested it would.

To be fair, I don't see it as a problem, I have the same situation at my job. I simply don't use my work computer for anything personal.
