Corporate networks
Pybes is designed to work inside corporate networks that use proxies, SSL inspection, or URL filtering. If update checks or other outbound calls fail, share this page with your IT team.
Domains Pybes communicates with (for allow-lists)
Pybes itself only reaches the hosts listed below. Anything a Python script does is up to the script and is not listed here.
| Purpose | Host | Port | Protocol |
|---|---|---|---|
| Update metadata (latest.json) | pybes-update.reiridge.com | 443 | HTTPS |
| Fallback distribution / website | pybes.reiridge.com | 443 | HTTPS |
| Installer / update binary | URL returned inside latest.json (Cloudflare R2 custom domain or *.r2.dev) | 443 | HTTPS |
Common failures and fixes
TLS certificate verification failure (most common)
Symptom: Pybes reports “Certificate verification failed” during update checks. A browser shows an “untrusted” warning but lets you proceed if you click through.
Cause: Your network uses SSL inspection (Zscaler, Netskope, Palo Alto, GlobalProtect, Blue Coat, Forcepoint, Symantec ProxySG, etc.), which decrypts and re-encrypts traffic at a middle-box. Unlike a browser, Pybes cannot “proceed despite the warning” — a failed verification is a hard error.
Fix: Any of these works:
- Recommended: Distribute your organization’s root CA certificate to the Trusted Root Certification Authorities store on endpoints (typically pushed via Active Directory GPO). Verify with certmgr.msc → Trusted Root Certification Authorities → Certificates.
- Add the domains listed under Domains Pybes communicates with to your SSL-inspection exclusion list.
- If neither is easy, use manual download instead.
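To confirm from an affected endpoint whether SSL inspection is re-signing traffic to the Pybes hosts and whether Windows trusts the result, the following added PowerShell diagnostic prints the certificate chain each host presents. It is an example written for this page, not Pybes code: the function name Get-PresentedChain is hypothetical, TLS 1.2 is pinned here only for compatibility with Windows PowerShell 5.1, and the script assumes TCP 443 is reachable directly or through a transparent proxy (it does not use an explicit proxy or PAC).

```powershell
# Added diagnostic example, not part of Pybes. Hosts come from the allow-list table on this page.
# Assumption: the endpoint can open TCP 443 directly or through a transparent proxy;
# this script does not speak to an explicit proxy (no CONNECT, no PAC lookup).
$PybesHosts = 'pybes-update.reiridge.com', 'pybes.reiridge.com'

function Get-PresentedChain {
    param([Parameter(Mandatory)][string]$HostName, [int]$Port = 443)
    $script:seen = $null
    # The callback accepts every certificate so the chain can be inspected even when
    # Windows does not trust it. No application data is sent over this connection.
    $inspect = [System.Net.Security.RemoteCertificateValidationCallback] {
        param($stream, $cert, $chain, $policyErrors)
        $last = $chain.ChainElements.Count - 1
        $script:seen = [pscustomobject]@{
            Host         = $null
            Issuer       = $cert.Issuer
            ChainTop     = if ($last -ge 0) { $chain.ChainElements[$last].Certificate.Subject }
            PolicyErrors = $policyErrors.ToString()
            ChainStatus  = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
            OsTrusted    = ($policyErrors -eq [System.Net.Security.SslPolicyErrors]::None)
        }
        $true
    }
    $tcp = [System.Net.Sockets.TcpClient]::new()
    $ssl = $null
    try {
        $tcp.Connect($HostName, $Port)
        $ssl = [System.Net.Security.SslStream]::new($tcp.GetStream(), $false, $inspect)
        # Passing $HostName as the target host makes .NET also check for a name mismatch.
        $ssl.AuthenticateAsClient($HostName, $null, [System.Security.Authentication.SslProtocols]::Tls12, $false)
        $script:seen.Host = $HostName
        $script:seen
    }
    catch {
        [pscustomobject]@{
            Host = $HostName; Issuer = $null; ChainTop = $null; ChainStatus = $null; OsTrusted = $false
            PolicyErrors = "connect or handshake failed: $($_.Exception.Message)"
        }
    }
    finally {
        if ($ssl) { $ssl.Dispose() }
        $tcp.Close()
    }
}

$PybesHosts | ForEach-Object { Get-PresentedChain -HostName $_ } | Format-List
```

An Issuer or ChainTop that names your inspection product instead of a public CA means the traffic is being re-signed. OsTrusted False together with UntrustedRoot or PartialChain points at the missing root CA described in the recommended fix.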
Proxy returns 403 / 407 / URL-category block
Symptom: “Access to the update server is blocked.”
Cause: A proxy (Zscaler, Forcepoint, etc.) blocks uncategorized domains by default, or the category filter caught the request.
Fix: Add the domains above to your proxy’s allow-list.
Proxy authentication fails
Symptom: Authentication errors at the proxy.
What we support: Pybes supports Windows integrated authentication (NTLM / Negotiate / Kerberos) via WinHttpGetProxyForUrl with automatic logon (fAutoLogonIfChallenged).
Not supported: Basic-auth-only proxies are not supported. Use manual download in that case.
PAC works but the app gets blocked
PAC (automatic proxy configuration) is supported. But the proxy behind PAC may still run SSL inspection, which triggers the TLS certificate verification failure above. Most “PAC works but the app fails” reports turn out to be this.
Our security implementation
To help with your security review, here’s how Pybes handles network and update security.
| Item | Implementation |
|---|---|
| TLS backend | native-tls (uses OS certificate store via Windows Schannel) |
| Custom CA bundle | None — only the OS trust store is used |
| Certificate verification opt-out | None (danger_accept_invalid_certs is never used) |
| Update signature verification | Mandatory minisign (Ed25519) signature check. Public key bundled with the app |
| Proxy resolution | WinHttpGetProxyForUrl (PAC, WPAD, and static proxy all supported) |
| Proxy authentication | Windows integrated auth (NTLM / Negotiate / Kerberos) auto-logon |
| Distribution file verification | Minisign signature check plus Windows SmartScreen / Defender inspection |
Manual download as a workaround
If none of the fixes above are practical, download Pybes manually:
- In a browser, open https://pybes.reiridge.com/download
- Download the latest installer
- Run it to install or update
Browsers let a human user confirm certificate warnings, so this path works even when in-app auto-update fails.
Contact
Still stuck? Reach out via the contact form.