Security Protocol Refusal
Your corporate firewall is attempting to decrypt your SSL traffic (SSL Inspection). To protect your data, the agent refuses this connection by default.
Option 1: Insecure Mode
If you trust your network and need to proceed immediately, you can bypass certificate verification using a CLI flag.
pocket-agent start --insecureSecurity Risk: This disables all TLS verification. Your data may be visible to your network administrators. Use this only as a temporary measure.
Option 2: Trust Root CA
The secure way to fix this is to provide the agent with your corporate Root CA certificate so it can verify the intercepted connection.
Export CA
Export your corporate Root CA from your browser or extract it directly using the command line.
Manual Browser Method
- Open api.pocketdevai.com in your browser.
- Click the Lock icon next to the URL.
- Select Connection is secure > Certificate is valid.
- Windows: Go to Details > Copy to File > select Base-64 encoded X.509 (.CER).
- Linux: Go to Details > Export > select Base64-encoded ASCII, single certificate.
- macOS: Click the large certificate icon and drag it to your desktop.
Alternatively, use OpenSSL to capture the intercepting certificate directly from the connection handshake:
openssl s_client -showcerts -connect api.pocketdevai.com:443 </dev/null 2>/dev/null | openssl x509 -outform PEM > ~/corporate-ca.pemSet Path
Set the POCKETDEV_CA_CERT environment variable to point to your file.
export POCKETDEV_CA_CERT=~/corporate-ca.pem$env:POCKETDEV_CA_CERT="$HOME\corporate-ca.pem"Still blocked?
If you've configured the certificate and still see security warnings, your corporate proxy may require additional authentication.