Bug Summary
When connected to a corporate or enterprise VPN—such as Netskope—all outbound network requests from Local.app fail. No message or error appears in the Local UI, but several SELF_SIGNED_CERT_IN_CHAIN errors can be found in the verbose log (see attached log). Our company has enforced a policy wherein our laptops must always be connected to Netskope, unfortunately, so disconnecting is no longer an option, blocking our team from performing local development with Local.
This is described as a bug because if the correct CA certificate is trusted at the system level, then network requests should be trusted and allowed to connect. Alternatively, because containers running on the host machine have their own CA certificate, the CA certificate should be copied into the running container to support network requests from the container.
For context, Netskope adds a self-signed certificate to the certificate chain. Other tools, like AWS or Node, provide specific environment variables like AWS_CA_BUNDLE, NODE_EXTRA_CA_CERTS, GIT_SSL_CAPATH, and GIT_SSL_CAINFO to set a path to a CA pem file to resolve this issue on the host machine.
Steps to reproduce
1. Open WP Local on a Linux/Unix machine connected to a VPN, inspecting SSL traffic via a MITM-inspection method (Netskope, for example).
2. While connected to the VPN, all outbound traffic is intercepted, and the TLS connection is terminated and then re-established.
3. In Local, navigate to Preferences > Connected accounts to try to connect an account.
4. Try signing in with a valid WPEngine login, or alternatively, with a Flywheel login. Either with create the same SSL error.
5. Observe no errors, messages, or notices in the Local app user interface. Instead, navigate to the Local log location and find the most recent FetchError in the verbose log.
Environment Info
Describe your environment.
- Machine: MacBook Air (Apple M3)
- Operating System (OS): Sequoia 15.7.4 (Build Version 24G517)
- Local: Version 9.2.9+6887
Supporting info
local-lightning-verbose.log (537.5 KB)