…pre-check (#1572)
Behind a corporate TLS-inspection proxy the Electron installer's network
pre-check failed every host with "unable to get issuer certificate" and
reported "You appear to be offline" — hard-blocking an otherwise-online
machine at the pre-checks stage. Node probes HTTPS with its own bundled
Mozilla CA set, not the OS trust store where the proxy's root CA lives,
so the handshake never succeeded. The failure dialog told users to set
HTTPS_PROXY, but the probe never constructed a proxy agent, so that advice
was a dead end.
The probe now builds its CA bundle from the system trust store
(tls.getCACertificates, Node 22+, version-guarded) and NODE_EXTRA_CA_CERTS,
honors HTTPS_PROXY/HTTP_PROXY via an HTTP CONNECT tunnel, and classifies
cert/TLS failures distinctly from real connectivity loss. The network
pre-check is now advisory: a failed probe logs a warning and proceeds
rather than aborting, since uv/pip surface an accurate error downstream if
the host is genuinely unreachable.
Why this matters
Behind a corporate TLS-inspection proxy, GAIA's first-launch installer dies at pre-checks with "You appear to be offline — unable to get issuer certificate" even though the machine is fully online. The network probe used Node's bundled Mozilla CA set instead of the OS trust store where the proxy's root CA lives, so every HTTPS handshake failed. To make it worse, the failure dialog told users to set
HTTPS_PROXY— but the probe never used a proxy, so that advice did nothing. The result: corporate users can't install GAIA at all.After this change the probe trusts the system / pinned CA store and honors
HTTPS_PROXY, so the common case just works. And because a HEAD probe is only a hint, the network pre-check is now advisory — a failure logs a warning and proceeds, lettinguv/pipsurface an accurate error downstream if the host really is unreachable. A false "offline" can no longer block an otherwise-working install.Closes #1572.
Test plan
cd tests/electron && npm test -- backend-installer— 14 passing, exit 0openssl(no committed key); they skip loudly if openssl is absentbackend-installer-network.test.cjscovers:tls(not offline); DNS/connect asconnectivity; timeouts astimeoutHTTPS_PROXYpreferred overHTTP_PROXYbuildCaBundleincludesNODE_EXTRA_CA_CERTScontent + re-includes the bundled rootstlsfailure without trust; ok withNODE_EXTRA_CA_CERTS(the fix)HTTPS_PROXYis setNote for reviewers
The CA-trust call (
tls.getCACertificates) is Node 22+ and version-guarded (engines: >=18);NODE_EXTRA_CA_CERTSis the always-available baseline. Verified live: this very change was needed to getnpm installto run on the affected machine —NODE_OPTIONS=--use-system-cawas the unblock, confirming the root cause.