[BUG] Claude Code (Windows) fails under enterprise SSL inspection — ignores system & custom CA trust
Preflight Checklist
- [x] I have searched existing issues and this hasn't been reported yet
- [x] This is a single bug report (please file separate reports for different bugs)
- [x] I am using the latest version of Claude Code
What's Wrong?
📩 Anthropic Support Ticket (Tailored)
Subject: Claude Code (Windows) fails under enterprise SSL inspection — ignores system & custom CA trust
Summary
Claude Code for Windows fails to establish outbound HTTPS connections in enterprise environments that perform SSL/TLS inspection using a trusted corporate root CA. The bundled Bun runtime does not honor:
Windows system trust store
NODE_EXTRA_CA_CERTS
BUN_USE_OPENSSL_CA
All network features fail with SELF_SIGNED_CERT_IN_CHAIN, even though the same environment works correctly for browsers, Git, curl, and other SSL‑aware tools.
This appears to be a runtime trust / CA resolution issue, not user misconfiguration.
Environment
OS: Windows 11 (enterprise‑managed)
Claude Code: 2.1.87 (win32‑x64)
Editor: Windsurf (Claude Code extension)
Runtime: Bundled claude.exe (Bun)
Network: Corporate SSL inspection / MITM
Corporate root CA trusted by Windows
Auth: OAuth tokens present and detected successfully
Expected Behavior
Claude Code should establish TLS connections to Anthropic endpoints when the system or user trust store includes the corporate root CA, consistent with Node/OpenSSL behavior.
Endpoints affected:
https://api.anthropic.com/api/oauth/profile
https://api.anthropic.com/api/claude_cli/bootstrap
https://api.anthropic.com/v1/mcp_servers
Actual Behavior
All outbound HTTPS requests fail with:
SELF_SIGNED_CERT_IN_CHAIN
Resulting in:
OAuth profile fetch failure
MCP registry failure
Fast Mode disabled
Telemetry export failure
Repeated retry loops during startup
Local (offline) functionality works, but all network features fail.
Key Diagnostics
Claude Code logs consistently report the following throughout startup:
CA certs: useSystemCA=false, extraCertsPath=undefined
This appears after initialization, suggesting the runtime explicitly disables system CA usage.
Mitigations Attempted (All unsuccessful)
Corporate root CA installed in Windows Trusted Root store
NODE_EXTRA_CA_CERTS=<corp-root.pem>
BUN_USE_OPENSSL_CA=1
Full editor restart / OS reboot
Claude cache removal
Claude Code reinstall
As a debug confirmation, disabling TLS verification allows requests to proceed, confirming the issue is CA trust resolution rather than connectivity.
Impact
Claude Code is effectively unusable on standard enterprise networks with SSL inspection, preventing adoption in corporate environments.
Request for Support
Could the Claude Code team please investigate:
Why the bundled Bun runtime does not honor Windows system trust
Why NODE_EXTRA_CA_CERTS is ignored
Why BUN_USE_OPENSSL_CA does not alter CA behavior
Whether an enterprise‑supported TLS configuration or workaround exists
A redacted log bundle is attached below illustrating the failure mode.
Thank you — happy to provide additional diagnostics if helpful.
What Should Happen?
Expected Behavior
Claude Code should establish TLS connections to Anthropic endpoints when the system or user trust store includes the corporate root CA, consistent with Node/OpenSSL behavior.
Endpoints affected:
https://api.anthropic.com/api/oauth/profile
https://api.anthropic.com/api/claude_cli/bootstrap
https://api.anthropic.com/v1/mcp_servers
Error Messages/Logs
Steps to Reproduce
Steps to Reproduce
Prerequisites
A Windows 11 machine on an enterprise‑managed network that performs SSL/TLS inspection (MITM).
A corporate root CA certificate trusted by Windows:
Present in Trusted Root Certification Authorities
Verified working in browsers and Git.
Internet access that allows outbound HTTPS but performs certificate re‑signing.
No outbound firewall rule blocking api.anthropic.com.
Step‑by‑Step
Install Claude Code for Windows
Install Claude Code v2.1.87 (win32‑x64).
Use either:
Windsurf with the Claude Code extension, or
Claude Code CLI directly (same behavior).
Confirm baseline network trust
Open a browser and visit:
https://api.anthropic.com
Confirm the page loads without certificate warnings.
Confirm git fetch works against HTTPS remotes.
(Optional) Confirm curl https://api.anthropic.com succeeds if curl trusts system CAs.
Launch Claude Code
Start Windsurf (or Claude Code CLI).
Ensure Claude Code initializes normally.
Observe logs indicating:
OAuth tokens found in secure storage
Observe TLS behavior during startup
Watch Claude Code logs as startup proceeds.
Note repeated entries similar to:
CA certs: useSystemCA=false, extraCertsPath=undefined
Claude attempts to reach:
/api/oauth/profile
/api/claude_cli/bootstrap
/v1/mcp_servers
Observe failures
All outbound HTTPS requests fail with:
Error: self signed certificate in certificate chain
code=SELF_SIGNED_CERT_IN_CHAIN
Consequences:
Fast Mode disabled
MCP registry fetch fails
Telemetry export fails
Repeated retry attempts during startup
Mitigation Attempts (Confirming Repro)
Attempt official CA configuration
Set environment variable:
NODE_EXTRA_CA_CERTS=<path to corporate root CA PEM>
Restart all editor instances and Claude Code.
Result: ❌ No change
Attempt Bun CA override
Set environment variable:
BUN_USE_OPENSSL_CA=1
Restart all editor instances and Claude Code.
Result: ❌ No change
Logs still show:
CA certs: useSystemCA=false
(Optional diagnostic confirmation)
Temporarily disable TLS verification via runtime debug flag.
Claude Code can now reach Anthropic endpoints.
Confirms failure is CA trust resolution, not connectivity or auth.
Expected Result
Claude Code successfully establishes TLS connections to Anthropic endpoints when the corporate root CA is trusted by the system or explicitly configured via environment variables.
Actual Result
Claude Code fails all outbound HTTPS connections with SELF_SIGNED_CERT_IN_CHAIN, ignoring both system trust and user‑supplied CA configuration.
Repro Reliability
100% reproducible on enterprise networks with SSL inspection.
Not reproducible on:
Home networks
Hotspot connections
Networks without TLS MITM
Notes for Engineering
Failure occurs despite valid OAuth state.
Failure persists across reinstalls and cache clears.
Logs strongly indicate the Bun runtime initializes with CA trust disabled.
Claude Model
Opus
Is this a regression?
I don't know
Last Working Version
_No response_
Claude Code Version
1.1.8986 (17fe18)
Platform
Anthropic API
Operating System
Ubuntu/Debian Linux
Terminal/Shell
WSL (Windows Subsystem for Linux)
Additional Information
_No response_
This issue has 3 comments on GitHub. Read the full discussion on GitHub ↗