[Feature Request] Automatically Inherit Windows/macOS System Certificates for Node-based Language Servers #43369
richardgedwards started this conversation in Feature Ideas / Enhancements
Replies: 1 comment
Same environment setup and issue here. I tried your (and other) workarounds to no avail. Unfortunately I'll have to stick to VS Code for the time being.
Description: Zed fails to function correctly in enterprise environments that use SSL Inspection (e.g., Zscaler, Palo Alto Networks, Netskope). While Zed's core (Rust) and Rust-based tools (like Ruff) respect the OS Certificate Store, any tool relying on the bundled Node.js runtime (e.g., basedpyright, typescript-language-server, json-language-server) fails with SSL errors.
The Problem (The "Split Brain" Trust Issue): VS Code handles this transparently because Electron uses the Chromium network stack, which inherits the OS trust store. Zed spawns a sandboxed Node.js instance for many LSPs. By default, Node.js uses its own hardcoded "Mozilla Bundle" and ignores the Windows CAPI or macOS Keychain.
As a result, corporate developers face this error immediately upon opening a file:
npm error code UNABLE_TO_GET_ISSUER_CERT_LOCALLY
npm error request to https://registry.npmjs.org/basedpyright failed, reason: unable to get local issuer certificate
Steps to Reproduce:
Launch Zed in a corporate network environment utilizing "Break and Inspect" SSL proxies (where the Root CA is pushed via Group Policy to the Windows System Store).
Open a Python, JSON, or TS file.
Observe Zed attempting to download the language server via npm.
Result: Download fails due to untrusted issuer.
Current Workaround: Users must manually export their corporate Root CA chain to a PEM file and set a global environment variable NODE_EXTRA_CA_CERTS. This is brittle, manual, and creates friction for adoption in enterprise settings compared to VS Code.
Proposed Solution: Since Zed manages the lifecycle of the Node runtime, it could bridge this gap:
On Startup: Zed (Rust) queries the host OS certificate store (Windows CAPI / macOS Keychain) for trusted Root CAs.
Conversion: Convert these certs to a PEM-formatted bundle in memory or to a temporary file.
Injection: When spawning the node child process for an LSP, inject the path to this bundle via the NODE_EXTRA_CA_CERTS environment variable.
This would provide a "Zero Config" experience for enterprise users, matching the behavior of VS Code and browsers.
Environment:
OS: Windows 10/11 (Enterprise) / macOS
Zed Version: [Zed 0.213.3 b17c089]
Network: Corporate SSL Proxy (Zscaler/ProxySG)
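
The three proposed steps (query the OS store, convert to PEM, inject via NODE_EXTRA_CA_CERTS), as an added sketch that is not part of the original post and is not Zed's code. It is written in Python rather than Rust because the standard library exposes the Windows store directly; the function names and a `node` binary on PATH are assumptions of this example.

```python
import os
import ssl
import subprocess
import sys
import tempfile

SERVER_AUTH_OID = "1.3.6.1.5.5.7.3.1"  # EKU: TLS server authentication

def der_to_pem_bundle(der_certs):
    """Concatenate DER certificates into one PEM bundle, dropping duplicates."""
    return "".join(ssl.DER_cert_to_PEM_cert(d) for d in dict.fromkeys(der_certs))

def system_roots_pem():
    """Read the roots the OS trusts for TLS servers (Windows CAPI / macOS keychains)."""
    if sys.platform == "win32":
        ders = [cert for cert, enc, trust in ssl.enum_certificates("ROOT")
                if enc == "x509_asn" and (trust is True or SERVER_AUTH_OID in trust)]
        return der_to_pem_bundle(ders)
    if sys.platform == "darwin":
        # Caveat: this dumps every certificate in each keychain; it does not
        # evaluate per-certificate trust settings.
        keychains = ["/System/Library/Keychains/SystemRootCertificates.keychain",
                     "/Library/Keychains/System.keychain"]
        return "".join(subprocess.run(
            ["security", "find-certificate", "-a", "-p", kc], capture_output=True,
            text=True, check=True).stdout for kc in keychains)
    return ""  # other platforms: nothing to bridge in this sketch

def write_bundle(pem_text):
    """Write the bundle to a fresh file; whoever can edit it can add a trusted root."""
    fd, path = tempfile.mkstemp(prefix="os-roots-", suffix=".pem")  # 0600 on POSIX
    with os.fdopen(fd, "w") as fh:
        fh.write(pem_text)
    return path

def node_env(bundle_path, base_env):
    """Child environment with the bundle injected; an existing user setting wins."""
    env = dict(base_env)
    env.setdefault("NODE_EXTRA_CA_CERTS", bundle_path)
    return env

if __name__ == "__main__":
    pem = system_roots_pem()
    if pem:
        env = node_env(write_bundle(pem), os.environ)
        # Assumption: "node" is on PATH; Zed would spawn its managed runtime instead.
        subprocess.run(["node", "-e", "console.log(process.env.NODE_EXTRA_CA_CERTS)"], env=env)
```

Node reads NODE_EXTRA_CA_CERTS once at process start and adds those certificates to its bundled roots, so the variable has to be in the child's environment before the language server is spawned.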