how to import proxy server certificates into CLI and OS?

my balenaOS image fails to connect to the cloud, same for CLI balena login.

balena login -debug gives:

FetchError: request to failed, reason: unable to get local issuer certificate
    at ClientRequest.<anonymous> (C:\MEINS\TOOLS\balena-cli\client\node_modules\node-fetch\lib\index.js:1461:11)
    at ClientRequest.emit (events.js:326:22)
    at ClientRequest.EventEmitter.emit (domain.js:483:12)
    at TLSSocket.socketErrorListener (_http_client.js:427:9)
    at TLSSocket.emit (events.js:314:20)
    at TLSSocket.EventEmitter.emit (domain.js:483:12)
    at emitErrorNT (internal/streams/destroy.js:92:8)
    at emitErrorAndCloseNT (internal/streams/destroy.js:60:3)
    at processTicksAndRejections (internal/process/task_queues.js:84:21)

I assume that is due to ZScaler proxy. I have its certificates but how get them into the OS and CLI?

by the way, can I work 100% locally on production using SSH as the manual says I need a dev image?


you shouldn’t need to install the certificate twice. It should be sufficient to install them into the OS, e.g. like this: How to install Windows 10/11 root certificates [EASY STEPS]

I’m not sure what you mean with “work 100% locally”. You can connect to a production image via ssh via two ways:

  • as root (ssh -p 22222 root@your-device-ip) IF you have set a custom SSH key as part of provisioning
  • as your balena user (e.g. ssh -p 22222 martin20@your-device-ip)

What you cannot do with a production image, is push code from your machine (i.e. balena push device-ip-address)

Hope that helps.


If you meant your device and balenaOS, then this is where you need to place your certificate: Configuration - Balena Documentation

meant from my local machine where the VM runs into BalenaOS on the VM.
I think that is answered by your reply

so that would mean

  "hostname": "my-custom-hostname",
  "persistentLogging": true,
   "balenaRootCA":  "-----BEGIN CERTIFICATE-----MIIE0zCCA7......hFjE0xd-----END CERTIFICATE-----"
   "os": {

without line breaks?

how do I achieve the same for balena CLI Documentation - Balena Documentation?


I understand you have the certificate in PEM format (-----BEGIN CERTIFICATE-----\nMIIE0zCCA7......hFjE0xd\n-----END CERTIFICATE-----), stored in a file say cert.pem.

  • For config.json you need to take the contents of the PEM file and base64-encode them using e.g. base64 -w0 < cert.pem then use the output for balenaRootCA in the config.json file.
  • For balena CLI, you need to populate the NODE_EXTRA_CA_CERTS variable, you can either prepend each command (e.g. NODE_EXTRA_CA_CERTS=cert.pem balena login) or do export NODE_EXTRA_CA_CERTS=cert.pem once at the very beginning and then use balena CLI as usual.

as I’m on Windows, so that means:

Windows: set NODE_EXTRA_CA_CERTS=C:\path\to\your\ca.pem
Use the UI to set a environment variable to make it more permanent.
Note ca.pem should be just your CA.

source: Error: self signed certificate in certificate chain · Issue #87 · jasongin/nvs (

but make sure don’t to use “…”, so
don’t: \balena-cli\bin>set NODE_EXTRA_CA_CERTS="C:\Users\...\Zscaler Root CA.cer"
do: \balena-cli\bin>set NODE_EXTRA_CA_CERTS=C:\Users\...\Zscaler Root CA.cer

will check later, reading Zowe CLI: Providing NODE_EXTRA_CA_CERTS | by Dan Kelosky | Zowe | Medium as well.

How to deal, when multiple certificates are supposed to be used

   "balenaRootCA": "<base64encodedPEMfile_1>","<base64encodedPEMfile_2>" ,... 


You can merge the certificates into a single PEM file, it would then look something like


Using such file will work with both config.json and CLI.

1 Like