Transport Layer Security (TLS) ensures data security during communication over a network. In modern browsers, a lock icon next to the address bar usually indicates a connection secured over TLS.
Some companies have restricted environments where some or all external outbound traffic is proxied through specialized equipment that provides visibility into encrypted traffic. In order to do this, the company might install additional CA certificates on each machine in the correct location for your trust store.
By proxying the external traffic using their own TLS certificate, the company is able to decrypt traffic from the machine to their server, then re-encrypt it before handing it off to the external outbound destination (such as the Twilio API). These certificates will also ensure that the lock icon will still be indicated next to the URL in the address bar when using a browser.
If you receive an error message such as Error: unable to get local issuer certificate when using the Twilio CLI, you can take the following steps to resolve the connectivity issue:
- Ensure you have the latest version of the Twilio CLI installed.
- Ask your company's Information Technology (IT) department to provide the CA certificates that are being used and store them in a directory on your hard drive.
- Set the environment variable
TWILIO_CA_BUNDLEto the path of the.pemor.ca-bundlefile that you saved earlier.
If the above steps do not work, we recommend that you work with your company's Information Technology department to add *.twilio.com domains to their allow-list so that TLS traffic to Twilio will not be proxied.
Why doesn't the Twilio CLI use the bundle of trusted CA certificates already installed on my work machine?
The Twilio CLI is built using NodeJS which uses its own list of trusted CA certificates instead of a default trust store.
Summary
If you encounter TLS issues when making Twilio API requests using the CLI, you may need to set an environment variable for your company's CA certificates.