Go-based CLI tools (gh, terraform, etc.) fail with TLS error due to built-in HTTPS proxy
Bug Description
Claude Code runs a local HTTPS proxy (on a random port, e.g. localhost:62532) and sets HTTPS_PROXY/HTTP_PROXY environment variables to route subprocess network traffic through it. This proxy is active even when sandbox mode is disabled.
Go-based CLI tools like gh (GitHub CLI) fail with a TLS certificate verification error because Go's crypto/x509 package on macOS delegates to the native Security framework (SecTrustEvaluateWithError), which cannot verify the proxy's MITM certificate.
curl works fine because it uses LibreSSL/OpenSSL, which handles the proxy's certificate differently.
Steps to Reproduce
- Open Claude Code on macOS
- Run any
ghcommand that hits the network:
``bash``
gh pr list
- Observe the error:
````
Post "https://api.github.com/graphql": tls: failed to verify certificate: x509: OSStatus -26276
Expected Behavior
gh (and other Go-based CLIs) should work through Claude Code's proxy, just as curl does.
Investigation Details
- The proxy process is Claude Code itself:
```
COMMAND PID USER FD TYPE DEVICE NODE NAME
2.1.45 78322 user 12u IPv4 ... TCP localhost:62532 (LISTEN)
~/.local/share/claude/versions/2.1.45`
Binary:
- Environment variables set by Claude Code:
````
HTTP_PROXY=http://localhost:62532
HTTPS_PROXY=http://localhost:62532
- Unsetting the proxy vars causes complete network failure (no connectivity at all), confirming the proxy is required for network access.
enableWeakerNetworkIsolationsetting does not fix this.
- The error
OSStatus -26276is a macOS Security framework error indicating the certificate chain is untrusted.
Workaround
Use curl with the GitHub REST API instead of gh:
curl -s -X POST https://api.github.com/repos/owner/repo/pulls \
-H "Authorization: token $(gh auth token)" \
-H "Accept: application/vnd.github+json" \
-d '{ ... }'
Impact
This affects all Go-based CLI tools run from within Claude Code, including:
gh(GitHub CLI)terraformkubectl- Any other Go binary that makes HTTPS requests
Environment
- Claude Code version: 2.1.45
- OS: macOS 26.2 (Build 25C56)
- Architecture: arm64 (Apple Silicon)
- gh version: 2.83.1
- Sandbox mode: Disabled (issue persists regardless)
Possible Fix
The proxy could:
- Generate a CA cert and add it to a temp cert bundle that Go can read via
SSL_CERT_FILE(Go respects this on Linux but not always on macOS with cgo) - Inject the CA cert into the macOS login keychain temporarily
- Provide a mechanism to bypass the proxy for specific trusted hosts/tools
This issue has 10 comments on GitHub. Read the full discussion on GitHub ↗