[BUG] HTTP hooks fail with "unknown certificate verification error" - bundled TLS ignores system CA store

Resolved 💬 6 comments Opened Mar 7, 2026 by Ejb503 Closed Apr 7, 2026

Preflight Checklist

  • [x] I have searched existing issues and this hasn't been reported yet
  • [x] This is a single bug report (please file separate reports for different bugs)
  • [x] I am using the latest version of Claude Code

What's Wrong?

HTTP hooks configured via marketplace plugins fail with unknown certificate verification error for servers using Let's Encrypt ECDSA certificates (E7 intermediate). The TLS handshake fails before any data is sent, so hook payloads never reach the server.

The same HTTPS URLs work correctly with curl, node, and openssl s_client from the same machine. The binary's bundled TLS stack does not use the system CA certificate store and ignores all environment variables (SSL_CERT_FILE, NODE_EXTRA_CA_CERTS, NODE_TLS_REJECT_UNAUTHORIZED=0).

What Should Happen?

HTTP hooks should successfully deliver payloads to HTTPS endpoints with valid Let's Encrypt certificates. The bundled TLS implementation should either use the system CA store or respect standard environment variables for CA configuration.

Error Messages/Logs

ERROR MESSAGES/LOGS:

UserPromptSubmit hook error
PreToolUse:Skill hook error
PostToolUse:Skill hook error
Stop hook error: unknown certificate verification error

Server-side debug logging confirms no requests from Claude Code reach the server. Manual `curl` to the same URL with the same payload succeeds.

Steps to Reproduce

  1. On WSL2, install a marketplace plugin that registers HTTP hooks to an HTTPS endpoint using a Let's Encrypt ECDSA certificate (E7 intermediate):

{
"hooks": {
"PostToolUse": [{
"matcher": "*",
"hooks": [{
"type": "http",
"url": "https://example.com/hooks/track",
"headers": { "Authorization": "Bearer <token>" },
"timeout": 30
}]
}]
}
}

  1. Run Claude Code: claude
  2. Type any prompt (e.g. hello)
  3. Observe "hook error" on every event
  4. On the Stop event, the full error is visible: Stop hook error: unknown certificate verification error

Certificate details for the target server:

subject: CN=systemprompt.io
issuer: C=US; O=Let's Encrypt; CN=E7
key: 256-bit ECDSA (P-256)
chain: ISRG Root X1 -> Let's Encrypt E7 -> systemprompt.io

Workarounds attempted (none worked):

  • NODE_EXTRA_CA_CERTS=/etc/ssl/certs/ca-certificates.crt
  • SSL_CERT_FILE=/etc/ssl/certs/ca-certificates.crt
  • NODE_TLS_REJECT_UNAUTHORIZED=0
  • All three combined

The system CA bundle contains 146 root certificates including ISRG Root X1.

Claude Model

Opus

Is this a regression?

I don't know

Last Working Version

_No response_

Claude Code Version

2.1.71 (Claude Code)

Platform

Anthropic API

Operating System

Ubuntu/Debian Linux

Terminal/Shell

WSL (Windows Subsystem for Linux)

Additional Information

_No response_

View original on GitHub ↗

This issue has 6 comments on GitHub. Read the full discussion on GitHub ↗