Stats
Actions
Tags
Help us improve
Share bugs, ideas, or general feedback.
From node-cert
Fix Node.js certificate trust issues behind corporate SSL-inspecting proxies. Use when discussing: VPN, corporate VPN, corporate proxy, SSL inspection, MITM proxy, TLS interception, NODE_EXTRA_CA_CERTS, self-signed certificate error, UNABLE_TO_VERIFY_LEAF_SIGNATURE, certificate chain, proxy CA, corporate network, Claude Code on VPN, Gemini CLI on VPN, npm behind proxy, Node.js certificate error, CAFile.pem, proxy-on, proxy-off, HTTPS_PROXY, HTTP_PROXY, openssl s_client, certificate extraction, corporate root CA, forward trust CA, trust store gap.
npx claudepluginhub nathanvale/side-quest-marketplace --plugin node-certHow this skill is triggered — by the user, by Claude, or both
Slash command
/node-cert:node-certThis skill is limited to the following tools:
The summary Claude sees in its skill listing — used to decide when to auto-load this skill
Fix certificate errors when Node.js tools run behind corporate SSL-inspecting proxies (Zscaler, Palo Alto, Cisco Umbrella, etc.).
Manages SSL/TLS certificates: checks expiry dates, automates renewals, lists installed certs, and diagnoses chain issues using ssl-certificate-manager plugin.
Deploys production Xray-core Trojan proxy nodes via SSH with server probing for OS/CPU/memory/ports/firewall, TLS cert pinning, and TunPilot registration.
Manage digital certificates for HTTPS, mutual TLS, code signing, and infrastructure security.
Share bugs, ideas, or general feedback.
Fix certificate errors when Node.js tools run behind corporate SSL-inspecting proxies (Zscaler, Palo Alto, Cisco Umbrella, etc.).
Corporate proxies perform SSL/TLS inspection by:
Node.js uses its own bundled CA store, not the system trust store. When a corporate proxy re-signs certificates, Node.js sees an untrusted issuer and fails with errors like:
UNABLE_TO_VERIFY_LEAF_SIGNATURESELF_SIGNED_CERT_IN_CHAINunable to get local issuer certificatecertificate has expired (even for valid certs)The fix: Extract the corporate root CA and tell Node.js to trust it via NODE_EXTRA_CA_CERTS.
| Action | What It Does |
|---|---|
| Diagnose | Full connectivity check (VPN, DNS, SSL, env vars, CA file, Node.js test) |
| Extract cert | Get corporate root CA from live TLS chain using openssl |
| Verify config | Check env vars and CA file are correctly configured |
| Smoke test | Test actual Node.js HTTPS connectivity |
| Cert info | Display certificate details (subject, issuer, expiry) |
| Proxy env | Output export statements for shell configuration |
| Toggle setup | Generate proxy-on/off/status functions for rc file |
| Check inspection | Detect if SSL inspection is currently active |
| Cert bundle | Combine system certs + corporate CA into one bundle |
| Export fix | Generate portable script for teammates |
| Topic | Reference |
|---|---|
| Why Node.js fails (deep dive) | root-cause.md |
| Certificate extraction procedure | cert-extraction.md |
| Proxy environment variables | proxy-env-vars.md |
| Tool-specific fixes | tool-specific-fixes.md |
| macOS/Linux/Windows specifics | platform-guide.md |
| Error messages and decision tree | troubleshooting.md |
| Certificate rotation and bundling | ca-bundle-management.md |
When a user reports certificate errors:
/node-cert:diagnose or the diagnose scriptIf SSL inspection is detected:
/node-cert:extract-cert or scripts/extract-cert.shSet up the environment variables:
/node-cert:proxy-toggle-setup.zshrc, .bashrc, or .bash_profileVerify everything works:
/node-cert:smoke-testPortable scripts in scripts/ that work without the plugin:
| Script | Purpose |
|---|---|
diagnose.sh | Full diagnostic sweep |
extract-cert.sh | Extract corporate root CA |
smoke-test.sh | Test Node.js HTTPS connectivity |
cert-info.sh | Display certificate details |
Run with: bash scripts/<script>.sh
User: I'm getting "UNABLE_TO_VERIFY_LEAF_SIGNATURE" when running Claude Code on my corporate VPN
Skill: This error means Node.js doesn't trust the certificate it received. Corporate proxies
often re-sign TLS traffic with their own CA, which Node.js doesn't know about.
Let me check if SSL inspection is active and extract your corporate certificate.
[Runs /node-cert:diagnose]
I can see Zscaler is intercepting your traffic. The certificate chain shows:
- api.anthropic.com
- YourCompany Forward Trust CA (intermediate)
- YourCompany Root CA (root - this is what we need)
I'll extract the root CA now...
[Runs /node-cert:extract-cert]
Done! The certificate was saved to ~/CAFile.pem. Now configure your environment:
export NODE_EXTRA_CA_CERTS=~/CAFile.pem
To make this permanent and toggleable, I can generate shell functions for your rc file.
Want me to run /node-cert:proxy-toggle-setup?
User: My colleague is having the same VPN cert issues. Can I give them a script?
Skill: Yes! I'll generate a portable fix script they can run.
[Runs /node-cert:export-fix]
Created: ~/fix-corporate-cert.sh
This script:
1. Extracts the corporate root CA from the live TLS chain
2. Saves it to ~/CAFile.pem
3. Outputs the export statement to add to their shell
They can run it with: bash fix-corporate-cert.sh
No dependencies required beyond openssl (comes with macOS/Linux).
User: The VPN cert fix was working yesterday, but now Claude Code is failing again
Skill: This often happens when the corporate CA rotates. Let me check...
[Runs /node-cert:cert-info ~/CAFile.pem]
Your current CA file shows:
- Subject: YourCompany Root CA
- Expires: 2024-03-15 (EXPIRED!)
The corporate CA has rotated. I'll extract the new one:
[Runs /node-cert:extract-cert]
New certificate saved. It expires 2026-01-15. Claude Code should work now.
Tip: Some companies rotate certs quarterly. If this happens often, consider
adding a weekly cron job to re-extract the cert.
This skill can use:
Read - to read reference filesBash - to run diagnostic and extraction scriptsWrite - to generate shell config and export scriptsWebSearch - to research tool-specific certificate configurations