[BUG] HTTP hooks fail with "unknown certificate verification error" - bundled TLS ignores system CA store
Preflight Checklist
- [x] I have searched existing issues and this hasn't been reported yet
- [x] This is a single bug report (please file separate reports for different bugs)
- [x] I am using the latest version of Claude Code
What's Wrong?
HTTP hooks configured via marketplace plugins fail with unknown certificate verification error for servers using Let's Encrypt ECDSA certificates (E7 intermediate). The TLS handshake fails before any data is sent, so hook payloads never reach the server.
The same HTTPS URLs work correctly with curl, node, and openssl s_client from the same machine. The binary's bundled TLS stack does not use the system CA certificate store and ignores all environment variables (SSL_CERT_FILE, NODE_EXTRA_CA_CERTS, NODE_TLS_REJECT_UNAUTHORIZED=0).
What Should Happen?
HTTP hooks should successfully deliver payloads to HTTPS endpoints with valid Let's Encrypt certificates. The bundled TLS implementation should either use the system CA store or respect standard environment variables for CA configuration.
Error Messages/Logs
ERROR MESSAGES/LOGS:
UserPromptSubmit hook error
PreToolUse:Skill hook error
PostToolUse:Skill hook error
Stop hook error: unknown certificate verification error
Server-side debug logging confirms no requests from Claude Code reach the server. Manual `curl` to the same URL with the same payload succeeds.
Steps to Reproduce
- On WSL2, install a marketplace plugin that registers HTTP hooks to an HTTPS endpoint using a Let's Encrypt ECDSA certificate (E7 intermediate):
{
"hooks": {
"PostToolUse": [{
"matcher": "*",
"hooks": [{
"type": "http",
"url": "https://example.com/hooks/track",
"headers": { "Authorization": "Bearer <token>" },
"timeout": 30
}]
}]
}
}
- Run Claude Code: claude
- Type any prompt (e.g. hello)
- Observe "hook error" on every event
- On the Stop event, the full error is visible: Stop hook error: unknown certificate verification error
Certificate details for the target server:
subject: CN=systemprompt.io
issuer: C=US; O=Let's Encrypt; CN=E7
key: 256-bit ECDSA (P-256)
chain: ISRG Root X1 -> Let's Encrypt E7 -> systemprompt.io
Workarounds attempted (none worked):
- NODE_EXTRA_CA_CERTS=/etc/ssl/certs/ca-certificates.crt
- SSL_CERT_FILE=/etc/ssl/certs/ca-certificates.crt
- NODE_TLS_REJECT_UNAUTHORIZED=0
- All three combined
The system CA bundle contains 146 root certificates including ISRG Root X1.
Claude Model
Opus
Is this a regression?
I don't know
Last Working Version
_No response_
Claude Code Version
2.1.71 (Claude Code)
Platform
Anthropic API
Operating System
Ubuntu/Debian Linux
Terminal/Shell
WSL (Windows Subsystem for Linux)
Additional Information
_No response_
This issue has 6 comments on GitHub. Read the full discussion on GitHub ↗