devActivitydevActivity Logo

Resolving Intermittent Copilot Certificate Errors in Eclipse: A Community Insight on GitHub Tracking Challenges

A developer encountering a certificate error while using GitHub Copilot in Eclipse, with network traffic passing through a ZScaler proxy.
A developer encountering a certificate error while using GitHub Copilot in Eclipse, with network traffic passing through a ZScaler proxy.

Intermittent GitHub Copilot Certificate Errors in Eclipse: A Deep Dive into Corporate Network Challenges

In today's fast-paced development environments, AI-powered coding assistants like GitHub Copilot are crucial for enhancing developer productivity. However, integrating these tools into complex corporate network infrastructures can present unique challenges. A recent discussion on GitHub Community highlights a persistent issue: intermittent certificate errors when using GitHub Copilot in Eclipse, particularly in environments leveraging ZScaler.

The Problem: 'Unable to Get Local Issuer Certificate'

User code-the-pizza reported that GitHub Copilot (version 0.14.0) in Eclipse (version 2025-09) initially functions correctly but eventually fails with a certificate error. The specific error message observed is: The pending stream has been canceled (caused by: unable to get local issuer certificate).

This issue is particularly vexing because it's intermittent. Temporary workarounds include:

  • Changing Copilot configuration (e.g., SSL strictness).
  • Disabling ZScaler (not a viable long-term solution due to corporate policy).
  • Restarting Eclipse.

Each of these actions restores functionality for a period, only for the error to resurface. This pattern suggests a caching, session, or dynamic certificate validation problem rather than a static misconfiguration.

Corporate Network Context: ZScaler and Trust Stores

The developer operates within a corporate network where ZScaler is enabled. Despite this, they had already taken steps to address certificate issues by loading the necessary ZScaler certificates into the JDK's trust store, which Eclipse uses. Evidence for this includes other Eclipse functionalities, like software updates, working without issue even when Copilot fails. The keytool -list -cacerts output confirmed the ZScaler certificate's presence:

C:\Users\...\AppData\Local\Programs\EclipseAdoptium\jdk-25.0.1.8-hotspot\bin>keytool -list -cacerts
…
zscaler, 14 Jan 2026, trustedCertEntry, Certificate fingerprint (SHA-256): B5:CA:18:B6:68:D1:D8:5B:51:E9:64:EE:06:40:7B:0D:88:E4:8D:F6:DA:AB:D5:9E:93:F5:B7:4C:29:22:99:97

Even installing a second ZScaler certificate with a different expiry date made no difference, underscoring the complexity of the problem.

Unpacking the Error Logs

Detailed logs from Eclipse's .metadata directory reveal the underlying technical issue:

!ENTRY org.eclipse.lsp4e 4 0 2026-01-21 10:21:36.433
!MESSAGE [Error] [agenticTurnProcessor] Error in processing turn a0fd51ae-be20-416e-8ad9-677651ed2b05
FetchError: The pending stream has been canceled (caused by: unable to get local issuer certificate)
at fetch (C:\snapshot\copilot-client
ode_modules\@adobe\helix-fetch\src\fetch\index.js:99:11)
...
{ type: 'system', _name: 'FetchError', code: 'ERR_HTTP2_STREAM_CANCEL', errno: undefined, erroredSysCall: undefined }

These logs point to a FetchError with code ERR_HTTP2_STREAM_CANCEL, originating from Copilot's internal client (likely a Node.js-based component, given helix-fetch). The crucial part is that this client, despite the JDK's trust store being correctly configured, struggles with certificate validation over time. This suggests that the Copilot client might not be consistently utilizing the system's or JDK's trust store, or there's a dynamic aspect of ZScaler's SSL interception that it fails to handle after initial requests.

Disabling 'Enable Strict SSL' in Copilot preferences temporarily resolves the issue, further indicating a certificate validation problem, though this is not a secure long-term solution. This scenario highlights a common friction point in github tracking and integrating AI tools into enterprise security postures.

Community Call for Solutions

This discussion echoes similar issues found in the GitHub community (e.g., Discussion #168095). The intermittent nature and the specific error message suggest a need for more robust certificate handling within the Copilot client, especially when operating behind corporate proxies like ZScaler.

We encourage developers experiencing similar challenges to share their insights and potential workarounds. Understanding how various enterprise network configurations interact with AI development tools is vital for improving developer analytics and ensuring seamless integration of these powerful assistants.

Detailed analysis of log files showing a certificate error, symbolizing troubleshooting a complex network issue.
Detailed analysis of log files showing a certificate error, symbolizing troubleshooting a complex network issue.