[BUG] SSL certificate configuration don't work with web page `Fetch` (but works with MCP)

Open 💬 5 comments Opened Jul 21, 2025 by saiya

Environment

  • Platform (select one):
  • [ ] Anthropic API
  • [x] AWS Bedrock
  • [ ] Google Vertex AI
  • [ ] Other: <!-- specify -->
  • Claude CLI version: 1.0.56 (Claude Code)
  • Operating System: Mac OS 15.5
  • Terminal: Terminal.app

Bug Description

Despite having SSL_CERT_FILE and NODE_EXTRA_CA_CERTS configuration (as suggested here), Claude Code fails to fetch web pages.

Steps to Reproduce

  1. Set up PC with a company's network tool that intercepts HTTPS/TLS (at the OS layer) but is NOT a proxy
  2. Configure SSL_CERT_FILE and NODE_EXTRA_CA_CERTS in ~/.claude/settings.json (do NOT set HTTPS_PROXY because the network tool is not a proxy)
  3. Have Claude Code fetch any web page
  4. Choose yes for the Do you want to proceed?

Expected Behavior

Claude Code should be able to fetch web pages.

Actual Behavior

Claude Code displays the error message: Error: Domain yahoo.co.jp is not allowed to be fetched.

Additional Context

  1. Even under the same configuration and setup, remote MCP works well despite also using HTTPS communication
  2. If I temporarily turn off the company's network interception tool, web page fetching works correctly
  3. When I ask Claude Code to show environment variables, it correctly displays the variables I set:
> Please show your environment variable value of SSL_CERT_FILE and NODE_EXTRA_CA_CERTS

⏺ Bash(echo "SSL_CERT_FILE: $SSL_CERT_FILE" && echo "NODE_EXTRA_CA_CERTS: $NODE_EXTRA_CA_CERTS")
  ⎿  SSL_CERT_FILE: /Users/s-yazaki/ZscalerRootCA.pem
     NODE_EXTRA_CA_CERTS: /Users/s-yazaki/ZscalerRootCA.pem

⏺ Both SSL_CERT_FILE and NODE_EXTRA_CA_CERTS are set to /Users/s-yazaki/ZscalerRootCA.pem, indicating you're using Zscaler's corporate proxy with custom CA certificates.
  1. Even under the same configuration and setup (with the company's tool enabled), using curl through Claude Code works correctly
> Can you try `curl` on that page? It likely works

⏺ Bash(curl -s https://yahoo.co.jp | head -20)
  ⎿  (No content)

⏺ Bash(curl -I https://yahoo.co.jp)
  ⎿  HTTP/1.1 301 Redirect
     Date: Mon, 21 Jul 2025 04:34:17 GMT
     Connection: close
     … +11 lines (ctrl+r to expand)

(snip)

⏺ Yes, curl works fine! The page loads successfully through the corporate proxy. The issue is that the WebFetch tool has domain restrictions that prevent it from accessing yahoo.co.jp, even though the network connection works properly through curl with the Zscaler certificates.

View original on GitHub ↗

This issue has 5 comments on GitHub. Read the full discussion on GitHub ↗