Use local SSL trust store

[Clete2]

I am using opencode with a LiteLLM proxy that has a SSL cert signed internally by my corporate organization.

When I try to test it, I get an error message: "UnknownError Error: unable to get local issuer certificate"

When I cURL the LiteLLM proxy URL, it works, because the certificate is signed by a trusted signer. Opencode should use my system truststore.

macOS Sequoia 15.6

(PS I also am having #1154 as an issue, which might be related, I am not sure)

[Clete2]

For now I can work around it with "NODE_TLS_REJECT_UNAUTHORIZED=0"

[thdxr]

does setting NODE_EXTRA_CA_CERTS fix?

[Clete2]

@thdxr yes, but most apps just use system store without having to specify.

~> opencode # error
~> NODE_EXTRA_CA_CERTS=truststore.crt opencode # works

I'm not familiar with what HTTP libraries are being used, but maybe there's one that can use system certs?

For instance, when using npm, I connect to a custom package proxy URL which has a company-signed SSL cert, and I don't have any special configuration that I know of which makes it trust that cert.

Setup is like... Mac -> Zscaler -> GitHub Copilot. SSL decrypt enabled, so the destination appears to have a company-signed certifiate.

[thdxr]

this isn't something bun or node seems to do automatically. need to see if we can load it somehow

[james-gour]

I am also getting this! This will need to be fixed for many corporate settings :)

[maxious]

NODE_OPTIONS="--use-system-ca" or BUN_OPTIONS="--use-system-ca" should allow use of local corporate proxy certificates stored in the system security store. https://nodejs.org/docs/v23.8.0/api/cli.html#--use-system-ca

This option was added to node in v22/23 this year which sadly means some LLMs with 2024 knowledge still think it's impossible 😂

[davidw-philips]

Same issue here, deep wiki failing over http due to corporate proxy,, can't set in ENV variables without allowing insecure TLS.