[BUG] SSL certificate configuration don't work with web page `Fetch` (but works with MCP)
Open 💬 5 comments Opened Jul 21, 2025 by saiya
Environment
- Platform (select one):
- [ ] Anthropic API
- [x] AWS Bedrock
- [ ] Google Vertex AI
- [ ] Other: <!-- specify -->
- Claude CLI version: 1.0.56 (Claude Code)
- Operating System: Mac OS 15.5
- Terminal: Terminal.app
Bug Description
Despite having SSL_CERT_FILE and NODE_EXTRA_CA_CERTS configuration (as suggested here), Claude Code fails to fetch web pages.
Steps to Reproduce
- Set up PC with a company's network tool that intercepts HTTPS/TLS (at the OS layer) but is NOT a proxy
- Configure
SSL_CERT_FILEandNODE_EXTRA_CA_CERTSin~/.claude/settings.json(do NOT setHTTPS_PROXYbecause the network tool is not a proxy) - Have Claude Code fetch any web page
- Choose
yesfor theDo you want to proceed?
Expected Behavior
Claude Code should be able to fetch web pages.
Actual Behavior
Claude Code displays the error message: Error: Domain yahoo.co.jp is not allowed to be fetched.
Additional Context
- Even under the same configuration and setup, remote MCP works well despite also using HTTPS communication
- If I temporarily turn off the company's network interception tool, web page fetching works correctly
- When I ask Claude Code to show environment variables, it correctly displays the variables I set:
> Please show your environment variable value of SSL_CERT_FILE and NODE_EXTRA_CA_CERTS
⏺ Bash(echo "SSL_CERT_FILE: $SSL_CERT_FILE" && echo "NODE_EXTRA_CA_CERTS: $NODE_EXTRA_CA_CERTS")
⎿ SSL_CERT_FILE: /Users/s-yazaki/ZscalerRootCA.pem
NODE_EXTRA_CA_CERTS: /Users/s-yazaki/ZscalerRootCA.pem
⏺ Both SSL_CERT_FILE and NODE_EXTRA_CA_CERTS are set to /Users/s-yazaki/ZscalerRootCA.pem, indicating you're using Zscaler's corporate proxy with custom CA certificates.
- Even under the same configuration and setup (with the company's tool enabled), using
curlthrough Claude Code works correctly
> Can you try `curl` on that page? It likely works
⏺ Bash(curl -s https://yahoo.co.jp | head -20)
⎿ (No content)
⏺ Bash(curl -I https://yahoo.co.jp)
⎿ HTTP/1.1 301 Redirect
Date: Mon, 21 Jul 2025 04:34:17 GMT
Connection: close
… +11 lines (ctrl+r to expand)
(snip)
⏺ Yes, curl works fine! The page loads successfully through the corporate proxy. The issue is that the WebFetch tool has domain restrictions that prevent it from accessing yahoo.co.jp, even though the network connection works properly through curl with the Zscaler certificates.This issue has 5 comments on GitHub. Read the full discussion on GitHub ↗