For those trying to listen to music at work and wondering why Plexamp is not able to make API calls with a MITM DLP tool (like Zscaler):
```powershell
$bundle = 'C:\Users\<YOUR_USER>\AppData\Local\Programs\Plexamp\resources\cacert.pem'

# Count BEGIN/END marker lines before (two lines per certificate)
Select-String -Pattern 'BEGIN CERTIFICATE', 'END CERTIFICATE' -Path $bundle | Measure-Object

# Back up your cert bundle
Copy-Item $bundle "$bundle.bak" -Force

# Append your corporate cert
Get-Content C:\temp\zscaler.pem | Add-Content $bundle

# Verify the merge: the count should have gone up by two
Select-String -Pattern 'BEGIN CERTIFICATE', 'END CERTIFICATE' -Path $bundle | Measure-Object
```
It would be great if I did not need to do this. Some googling came up with the following suggestions:
- Rebuild libcurl with --with-winssl (Schannel) instead of OpenSSL and remove the embedded cacert.pem for Windows builds
- Dynamically load system CAs via npm modules like win-ca/mac-ca/nss-certs. In the main Electron entry point, initialize the helper before any networking code, and then remove cacert.pem again:

  ```js
  require('win-ca')({ format: 'pem' }); // on Windows
  require('mac-ca')({ format: 'pem' }); // on macOS
  require('nss-certs')(); // on Linux
  ```
- Build a -flag advanced security preference setting to allow specifying a corporate CA and then append to the verification context at startup.
Finally, if your company also blocks general non-443 HTTPS traffic and you are setting up nginx/Apache, make sure your custom access URL settings include port 443:
Server settings: Settings -> Networking -> Custom access URLs -> https://plex.mydomain.com:443
Otherwise Plex clients will try to use https://plex.mydomain.com:32400
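
A more defensive version of the append step above, as an added example that is not part of the original post: before trusting the file, it checks that the certificate is a currently valid CA, that its thumbprint is already in the Windows Trusted Root store, and that it is not already in the bundle. It assumes the corporate root was deployed to that store by your IT department and that C:\temp\zscaler.pem holds a single certificate.

```powershell
# Added example (not from the original post). Paths are the ones used in the post.
$bundle  = 'C:\Users\<YOUR_USER>\AppData\Local\Programs\Plexamp\resources\cacert.pem'
$corpPem = 'C:\temp\zscaler.pem'

# Extract the first PEM block and decode it (assumption: one certificate in the file).
$text = Get-Content -Raw -Path $corpPem
if ($text -notmatch '(?s)-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----') {
    throw "No PEM certificate found in $corpPem"
}
$pemBlock = $Matches[0]
$body     = $Matches[1]
[byte[]]$der = [Convert]::FromBase64String(($body -replace '\s', ''))
$cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($der)

"Subject   : $($cert.Subject)"
"Thumbprint: $($cert.Thumbprint)"
"Valid     : $($cert.NotBefore) .. $($cert.NotAfter)"

# 1. It must be a CA certificate (basicConstraints CA=TRUE), not a leaf certificate.
$bc = $cert.Extensions | Where-Object {
    $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension]
}
if (-not ($bc -and $bc.CertificateAuthority)) { throw 'Not a CA certificate' }

# 2. It must be inside its validity window.
$now = Get-Date
if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
    throw 'Certificate is expired or not yet valid'
}

# 3. It must match a root that Windows already trusts (assumption: deployed by IT).
$trusted = Get-ChildItem Cert:\LocalMachine\Root, Cert:\CurrentUser\Root |
    Where-Object { $_.Thumbprint -eq $cert.Thumbprint }
if (-not $trusted) { throw 'Thumbprint not found in the Windows Trusted Root store' }

# 4. Append only if the same certificate is not already in the bundle.
$b64        = [Convert]::ToBase64String($cert.RawData)
$bundleFlat = (Get-Content -Raw -Path $bundle) -replace '\s', ''
if ($bundleFlat.Contains($b64)) {
    'Certificate already present in bundle, nothing appended'
} else {
    Copy-Item $bundle "$bundle.bak" -Force
    # The leading newline keeps the new block off the bundle's last line.
    Add-Content -Path $bundle -Value "`n$pemBlock" -Encoding Ascii
    'Certificate appended'
}
```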