WebFetch doesn't respect system certificate trust store in environments with TLS inspection

Resolved 💬 3 comments Opened Nov 10, 2025 by mickray Closed Nov 14, 2025

WebFetch fails to fetch HTTPS URLs in environments with TLS inspection (e.g., Cloudflare WARP, corporate proxies) even when the CA certificate is properly installed in the system trust store.

Environment

  • OS: Linux (Ubuntu/Debian-based)
  • Claude Code version: 2.0.36 (Claude Code)
  • TLS Inspection: Cloudflare WARP

Steps to Reproduce

  1. Use a system with TLS inspection enabled (Cloudflare WARP, Zscaler, etc.)
  2. Install the CA certificate in system trust store:

``bash
sudo cp proxy-cert.crt /usr/local/share/ca-certificates/
sudo update-ca-certificates
``

  1. Verify curl works: curl -I https://www.wikipedia.org ✓ (succeeds)
  2. Attempt to use WebFetch tool in Claude Code
  3. Observe error: self-signed certificate in certificate chain

Expected Behavior

WebFetch should respect the system certificate trust store, just like curl and other system tools do.

Actual Behavior

WebFetch fails with certificate errors, despite the certificate being properly installed and trusted system-wide.

Workaround

Setting the Node.js environment variable resolves the issue:

export NODE_EXTRA_CA_CERTS=/etc/ssl/certs/ca-certificates.crt

Impact

  • Affects WebFetch tool functionality
  • Also impacts MCP servers that make HTTPS requests (e.g., Unblocked MCP)
  • Common scenario in enterprise environments with security policies requiring TLS inspection

Suggested Fix

WebFetch should automatically use the system certificate bundle, or Claude Code should set NODE_EXTRA_CA_CERTS to the system cert bundle by default on Linux systems.

View original on GitHub ↗

This issue has 3 comments on GitHub. Read the full discussion on GitHub ↗