[BUG] Claude Cowork — "Self-signed certificate detected" on macOS with no proxy
Preflight Checklist
- [x] I have searched existing issues and this hasn't been reported yet
- [x] This is a single bug report (please file separate reports for different bugs)
- [x] I am using the latest version of Claude Code
What's Wrong?
Claude Cowork consistently shows "API Error: Unable to connect to API: Self-signed certificate detected. Check your proxy or corporate SSL certificates." I am on a personal Comcast connection with no corporate proxy, VPN, antivirus, or SSL inspection of any kind.
The Claude Code CLI (v2.1.37) works fine after setting NODE_EXTRA_CA_CERTS and NODE_OPTIONS="--use-openssl-ca" in .zshrc. However, Cowork (launched from the Claude desktop app) does not respect these environment variables.
This appears related to #20194 — the native build using Bun doesn't load macOS system certificates.
Environment
Claude Code version: 2.1.37
OS: macOS (Darwin 25.3.0, Apple Silicon)
Network: Home Comcast — no proxy, no VPN, no SSL inspection
Plan: Claude Max
Steps to reproduce
Open Claude app
Select "Cowork"
Error appears immediately
What Should Happen?
Expected behavior
Cowork should connect to the API without certificate errors on a clean home network.
Error Messages/Logs
API Error: Unable to connect to API: Self-signed certificate detected. Check your proxy or corporate SSL certificates
Steps to Reproduce
Steps to reproduce
Open Claude app
Select "Cowork"
Error appears immediately
Claude Model
Not sure / Multiple models
Is this a regression?
Yes, this worked in a previous version
Last Working Version
Based on the bug report, the last working version was v2.1.16. The SSL certificate issue was introduced in v2.1.17, which is when Claude Code switched from the npm/Node.js build to the native installer using the Bun runtime. You're currently on v2.1.37, so you're well past the version where it broke. Unfortunately, downgrading to v2.1.16 at this point would mean losing a lot of features and updates.
Claude Code Version
2.1.37
Platform
Anthropic API
Operating System
macOS
Terminal/Shell
Terminal.app (macOS)
Additional Information
_No response_
30 Comments
Found 3 possible duplicate issues:
This issue will be automatically closed as a duplicate in 3 days.
🤖 Generated with Claude Code
what now guys, am consistently facing this issue - wasting time that max was subscribed for
same
@saadinxs @mateenmotavaf @chrisjarviscan Try installing this extension in VSCode. I guess that's the fastest way to fix this.
<img width="974" height="482" alt="Image" src="https://github.com/user-attachments/assets/b6e21ce4-098f-4cd7-a71d-e2d66bdf5e14" />
Then hit Settings
<img width="683" height="536" alt="Image" src="https://github.com/user-attachments/assets/09d0740b-6f6b-46fc-a550-3e3541210a6e" />
Set it up like this
<img width="515" height="237" alt="Image" src="https://github.com/user-attachments/assets/ad10e24c-c4b0-43ea-94a0-3d724ba4b1df" />
And it solved my issue with certs
thanks! they updated the app and it seems to be working again, if it crashes will come back to this
You could file this as a comment on #24470 with the specific log line:
This is entirely on Anthropic to fix — they need to include coreutils (or at least wc) in the VM image. Found a workaround, posting below.
Workaround:
Experiencing Similar Issue: Claude Code Cloud + Google Docs API
Environment: Claude Code on the web (Cloud)
Error:
ssl.SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failedContext: Calls to
googleapis.com(domain explicitly whitelisted in "Limited"/Trusted network mode)The Problem
Same pattern as described here: when using Python libraries that enforce strict SSL certificate validation (e.g.,
google-api-python-client,requests,urllib3), requests fail at the TLS handshake stage.Key observations:
*.googleapis.com)Confirms Bun Runtime Issue
This strongly confirms the root cause is the Bun native runtime (v2.1.17+) not using the system certificate chain properly. The Bun binary likely has a hardcoded or incomplete certificate bundle that doesn't trust Anthropic's proxy certificates.
Attempted Workarounds (All Failed)
Affected Libraries
Any Python library that validates SSL certificates:
google-api-python-client(confirmed)requestshttpxurllib3Why This is Critical
Google Docs API, AWS SDK, Azure SDK, and other cloud APIs all rely on proper SSL validation. The current Bun runtime breaks all of them in Claude Code Cloud, limiting functionality to basic network calls only.
Proposed Solution
Same as in #20194: Anthropic should either:
NODE_EXTRA_CA_CERTSand system certificate chainsThis is blocking production use of Claude Code Cloud for any integration with external APIs.
---
Thanks for tracking this. Looking forward to a fix in the next release.
Same issue here. Using Claude Desktop app (Code tab) behind ZScaler corporate proxy. Terminal Claude Code works fine with NODE_EXTRA_CA_CERTS, but the desktop app's Code tab ignores it. Only NODE_TLS_REJECT_UNAUTHORIZED=0 makes it work, which is not ideal for security. Please support NODE_EXTRA_CA_CERTS in the Bun runtime for the desktop app.
Users at our company are also experiencing the same issue.
Unfortunately, I don't think this is something that can be fixed in this repository, it needs to be fixed in the Claude Desktop App itself which is not open source. Based on my testing, below is a summary of the root cause of the issue in case it is helpful to the team at Anthropic that works on the Desktop App. I'm also happy to share my findings more directly with them if there is a more appropriate place to do so.
Root cause identified via source analysis:
The Electron app explicitly constructs the claude-code subprocess environment in mft() starting with {...process.env}. However, empirical testing shows
NODE_EXTRA_CA_CERTSdoes not propagate to the subprocess even when correctly set vialaunchctl setenvand confirmed present in the Electron process environment viaps ewww. This is likely becausemft()executes in a sandboxed renderer process whereprocess.envis a reduced set. The env block insettings.jsonalso fails because it is applied after Node.js TLS initializes. The minimal code fix would be to explicitly forwardNODE_EXTRA_CA_CERTSinske()ormft()by reading it from the main process environment via IPC.Hey folks, self signed certificates are supported in Cowork if they are in your systems root CA trust store. For people using zscaler this _should_ be the case. Basically when we start Coworks environment we copy the trusted CA certificates from your host (macOS or Windows) into the environment and add them to the trust store.
If you have your CA cert installed and trusted in Keychain on macOS and this issue is still happening, please make sure you've sent feedback and tag me below. I'll take a look. My current instinct is this is working as intended unless there's an issue with our CA trust copying logic.
As for the issue @morenoceler noted, yeah we've seen that in logs too but
coreutilsis in the VM image and we're not sure how it disappeared for some users 😓 Reinstalling the VM image seems to fix it and we're tracking it to make sure it's not an ongoing issue (it seems to be going away)I'm getting this with GLobalProtect VPN on.
Unable to connect to API: Self-signed certificate detected. Check your proxy or corporate SSL certificates.The certificate is in the system store and is trusted
@pandeytanmay Can you confirm your Claude Desktop version and that you've sent feedback with logs? (Include this github issue url in your feedback so I can find it easier)
For what it's worth, I'm running Claude Desktop Version 1.0.1768 (67d013) on Windows and have the exact same experience on my corporate laptop with GlobalProtect VPN on. Within the Code tab within Claude desktop, I just get the API connection error related to SSL. The certificates are in the system store. The Claude Code CLI and the Claude Code for VSCode extension work with the NODE_EXTRA_CA_CERTS environment variable, but this is not picked up by Claude Desktop. Incidentally, if I turn the VPN off, it works, but that is not ideal.
NODE_EXTRA_CA_CERTSis not the way to configure this for desktop applications, ensure your CA is installed as a trust root on your machine. Claude Desktop and Cowork both use the trust roots on your machine including custom ones so if you install a custom CA and trust it properly in windows it should Just WorkThanks @MarshallOfSound. Agreed that Claude Desktop should respect the trust roots as that is typically the behavior for GUI applications. I can't comment on our Windows users setup but I am on Mac and can confirm the custom cert is trusted in the MacOS keychain.
To be clear, my issue was Claude Code specifically was not working in Claude Desktop, Cowork and Chat worked fine. However, if I understand how Claude Code is implemented, it is just calling the claude-code executable and essentially rendering a "view" that it runs in. I could be wrong there, but there is definitely something different and it isn't respecting the trusted certs in the MacOS keychain.
I ended up setting this environment variable: SSL_CERT_FILE
When that is pointing to an exported trusted root certificate, it works. But without it it doesn't. I tried with Claude Desktop Version 1.1.4498 (24f768)
Oh I see, I'll check in with folks tomorrow and see what the state is with Claude Code for Desktop. Definitely want to support custom CAs _somehow_ there
@MarshallOfSound same issue with setting up explicit proxy using the env variable HTTPS_PROXY or the arg --proxy-pac-url, both don't propagate from the Claude desktop app to Cowork environment. Happy to open another issue if you feel it's too distinct from this issue - but it feels to me it's the same root cause.
On MacOS, providing
SSL_CERT_FILEwas a suitable fix though difficult to deploy without affecting other applications. Our test suite includes MCPs, and WebFetch/WebSearch.Claude Code in Claude Desktop on Windows is not fixed by supplying the
SSL_CERT_FILEenvironment variable.If anyone finds a resolution for Claude Code in Claude Desktop on Windows, please give me a mention! Greatly appreciated.
Unfortunately, setting
SSL_CERT_FILEto my employer's cert bundle does not fix the Claude Code through the Claude Desktop app on MacOS when SSL interception is enforced. Cowork and Chat work fine however.I'm on version
Claude 1.1.7714 (3bd6f6) 2026-03-19T14:50:53.000ZSetting the NODE_EXTRA_CA_CERTS plus SSL_CERT_FILE got my Claude Code in Claude Desktop for Windows working after fully closing Claude from the notification area, for the CLI just NODE_EXTRA_CA_CERTS was needed
likely a Claude Desktop version issue over 48 hrs: on macOS, claude code in vs code suddenly had the issue indicated in this thread. put in export NODE_TLS_REJECT_UNAUTHORIZED=0, CC worked. about 12 hours later, updated claude desktop. 12 hrs later, CC stoped working. unset that env, now working again ...throughout, claude desktop was working. bet claude desktop messed up with claude code.
it was working fine for me yesterday, after I updated new version.
Hey @MarshallOfSound and everyone else, I had this exact same issue in a corporate environment today, and our security guy found a really solid workaround
This part is universally required:
This part is just for Claude via terminal:
This part is just for Claude Desktop:
~/Library/LaunchAgents/com.claude.env.plistlaunchctl load ~/Library/LaunchAgents/com.claude.env.plistin a terminal to load the file you just madekillall claudein the terminal should do the trick if it's being stubbornBasically, we figured out that the Bun runtime isolates some network stuff so it can't see these certs, this workaround should be all you need if you're still having this issue
@asyncjake 's fix for Claude Code on Desktop also works for Windows, here's how!
This Powershell script exports all root certificates to a single pem file. Make sure to correct your outDir Variable to some path where you want to store your certificates. Note that this is referenced for future certifacte usages, so if you fundamentally update your certificates, you might have to repeat the export. So this is only a temporary solution until a more permanent comes along!
Then, execute these commands, also mind the correct path for your machine:
Afterwards, force kill Claude like so:
After the restart, Claude code worked fine!
This started affecting our Windows 11/AMD64 users this week. They were unable to access a remote MCP due to node complaining about the cert. MacOs users and Windows 2025, Windows 11/Arm64 were not affected. Uninstalling and reinstalling claude from the downloads available yesterday did not fix the issue. The version reported for all windows users was the same: Version 1.6608.2 (ebf1a1). Env vars seemed to be ignored, so ultimately, I fixed our affected users by downloading node and running a local proxy terminated on their machine. Looking forward to this being fixed. I have a lengthy report prepared by claude which I will omit because I think most of it is captured above.
<img width="778" height="105" alt="Image" src="https://github.com/user-attachments/assets/4220bda2-ee4d-4ae6-87dc-ce55e3cb0287" />
API Error: Unable to connect to API: Self-signed certificate detected. Check your proxy or corporate SSL certificatesRelogin doesn't help.
My solution for Claude Code: https://github.com/anthropics/claude-code/issues/74369#issuecomment-4889223409.
Not sure if it can fix Claude Cowork for others because I don't use it yet.