HTTP/2 protocol downgrade
Symptoms: CLI failures, connection timeouts, protocol errors
Cause: Zscaler downgrades HTTP/2 to HTTP/1.1 for SSL-inspected traffic.
Fix: Contact your Zscaler admin to enable HTTP/2 for SSL-inspected traffic under Administration > Advanced Settings. See Zscaler docs.
SSL certificate verification failures
Symptoms: VS Code can’t connect, “certificate verify failed”, untrusted certificate warnings
Cause: Zscaler intercepts HTTPS and presents its own certificates. Apps with custom cert stores may not trust them.
Check if Zscaler is intercepting: the certificate issuer for app.gitpod.io should show “Amazon”, not “Zscaler”.
Fix: Add app.gitpod.io to the SSL inspection bypass list.
Alternative for VS Code: Enable “System certificates” in VS Code settings (requires v1.97+). If issues persist, also enable “Electron Fetch” and “System Certificates V2”.
Runner connection issues
Symptoms: Runner can’t connect, OAuth failures, “connection refused” errors
Cause: Zscaler blocking IP ranges, OAuth callbacks, or runner-gateway protocols.
Fix:
- Whitelist Ona’s static IP ranges (see access requirements)
- Ensure WebSocket and gRPC traffic is allowed
- Workaround: Use Personal Access Tokens instead of OAuth while configuring
Configuration checklist
Work with your network team to configure:
SSL inspection:
- Add app.gitpod.io to bypass list
- Verify cert issuer shows “Amazon” not “Zscaler”
- Enable HTTP/2 for SSL-inspected traffic in Advanced Settings
- Whitelist Ona IP ranges
- Allow WebSocket and gRPC traffic
Verify configuration
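One way to read the output of curl -I -v https://app.gitpod.io against the two checks above (certificate issuer and HTTP version). This is an added example, not part of the Ona documentation: the function names and both sample outputs are constructed, and it assumes an OpenSSL-backed curl that prints an issuer line.

```shell
#!/bin/sh
# Added example (not from the Ona docs): interpret `curl -I -v` output.
# Assumes an OpenSSL-backed curl, which prints "*  issuer: ..." lines.

# First certificate issuer line in the verbose output.
issuer_of() {
  printf '%s\n' "$1" | sed -n 's/^\*[[:space:]]*issuer:[[:space:]]*//p' | head -n 1
}

# HTTP version of the final status line ("2", "1.1"). A proxy CONNECT
# reply, if any, appears earlier, so the last status line is used.
http_version_of() {
  printf '%s\n' "$1" |
    sed -n 's/^<\{0,1\}[[:space:]]*HTTP\/\([0-9.]*\) [0-9][0-9][0-9].*/\1/p' | tail -n 1
}

# Summarise both checks as "tls=<state> http=<state>".
diagnose() (
  case "$(issuer_of "$1")" in
    *[Zz]scaler*) tls=intercepted ;;   # inspection certificate presented
    *Amazon*)     tls=direct ;;        # issuer the checklist expects
    *)            tls=unknown ;;
  esac
  case "$(http_version_of "$1")" in
    2)  http=ok ;;
    "") http=unknown ;;
    *)  http=downgraded ;;             # assumes the endpoint offers HTTP/2
  esac
  echo "tls=$tls http=$http"
)

# Constructed sample outputs (not captured from a real network).
SAMPLE_INSPECTED='* Server certificate:
*  subject: CN=app.gitpod.io
*  issuer: O=Zscaler Inc.; CN=Zscaler Intermediate Root CA
< HTTP/1.1 200 OK'
SAMPLE_BYPASSED='* ALPN: server accepted h2
* Server certificate:
*  subject: CN=app.gitpod.io
*  issuer: C=US; O=Amazon; CN=Amazon RSA 2048 M02
< HTTP/2 200'

diagnose "$SAMPLE_INSPECTED"   # tls=intercepted http=downgraded
diagnose "$SAMPLE_BYPASSED"    # tls=direct http=ok
# Live use: diagnose "$(curl -I -v https://app.gitpod.io 2>&1)"
```

A result of tls=unknown usually means the curl build does not print an issuer line, so read the certificate details from the raw output instead.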
Getting help
Collect and share with support:
- Output from curl -I -v https://app.gitpod.io
- VS Code / Ona extension logs
- Network configuration details