docs: document the Windows Schannel revocation caveat

limon4ello · limon4ello · commit f1474c0b3f09 · 2026-05-16T03:04:08.000+02:00
diff --git a/README.md b/README.md
@@ -186,6 +186,21 @@ with a built-in one overrides it.
 Supported `client_hello` templates: `chrome`, `firefox`, `safari`,
 `safari-ios`, `edge`, `randomized`.
 
+## Troubleshooting
+
+**curl on Windows fails with a certificate error.** A curl built against
+Schannel runs CRL/OCSP revocation checks that a private CA cannot satisfy.
+Pass `--ssl-no-revoke`. Clients built on OpenSSL (most Python and CLI
+tooling), BoringSSL (Node.js) or Go are unaffected.
+
+**`doppel verify` reports an HTTP/2 fingerprint that is not the profile's.**
+Expected: the upstream HTTP/2 layer is not yet fingerprint-controlled. The
+TLS (JA3/JA4) fingerprint *is* the profile's. See the [Roadmap](#roadmap).
+
+**A site still blocks the request.** Doppel changes the transport fingerprint
+only. If the site serves a JavaScript challenge or scores your egress IP, no
+TLS profile will help — see [What it does](#what-it-does--and-does-not--do).
+
 ## Architecture
 
 ```
diff --git a/internal/wizard/wizard.go b/internal/wizard/wizard.go
@@ -28,6 +28,9 @@ func InstallGuide(certPath, fingerprint, proxyAddr string) string {
 
 	fmt.Fprintln(&b, "1. Trust the CA in the OS store")
 	fmt.Fprintln(&b, osTrustCommand(certPath))
+	if note := osTrustNote(); note != "" {
+		fmt.Fprintln(&b, note)
+	}
 	fmt.Fprintln(&b)
 
 	fmt.Fprintln(&b, "2. Trust the CA in language runtimes (they ignore the OS store)")
@@ -48,6 +51,17 @@ func InstallGuide(certPath, fingerprint, proxyAddr string) string {
 	return b.String()
 }
 
+// osTrustNote returns a platform-specific caveat shown beneath the trust
+// command, or an empty string when there is nothing to add.
+func osTrustNote() string {
+	if runtime.GOOS == "windows" {
+		return "   Note: tools using Windows Schannel (curl, .NET) reject a private\n" +
+			"   CA during revocation checks. Disable revocation for them,\n" +
+			"   for example: curl --ssl-no-revoke. OpenSSL-based tools are fine."
+	}
+	return ""
+}
+
 // osTrustCommand returns the platform-specific command that adds the CA to
 // the system trust store.
 func osTrustCommand(certPath string) string {
