[BUG] Claude Code (Windows) fails under enterprise SSL inspection — ignores system & custom CA trust

Resolved 💬 3 comments Opened Mar 30, 2026 by rprince-adflegal-org Closed Mar 30, 2026

Preflight Checklist

  • [x] I have searched existing issues and this hasn't been reported yet
  • [x] This is a single bug report (please file separate reports for different bugs)
  • [x] I am using the latest version of Claude Code

What's Wrong?

📩 Anthropic Support Ticket (Tailored)
Subject: Claude Code (Windows) fails under enterprise SSL inspection — ignores system & custom CA trust

Summary
Claude Code for Windows fails to establish outbound HTTPS connections in enterprise environments that perform SSL/TLS inspection using a trusted corporate root CA. The bundled Bun runtime does not honor:

Windows system trust store
NODE_EXTRA_CA_CERTS
BUN_USE_OPENSSL_CA

All network features fail with SELF_SIGNED_CERT_IN_CHAIN, even though the same environment works correctly for browsers, Git, curl, and other SSL‑aware tools.
This appears to be a runtime trust / CA resolution issue, not user misconfiguration.

Environment

OS: Windows 11 (enterprise‑managed)
Claude Code: 2.1.87 (win32‑x64)
Editor: Windsurf (Claude Code extension)
Runtime: Bundled claude.exe (Bun)
Network: Corporate SSL inspection / MITM

Corporate root CA trusted by Windows

Auth: OAuth tokens present and detected successfully

Expected Behavior
Claude Code should establish TLS connections to Anthropic endpoints when the system or user trust store includes the corporate root CA, consistent with Node/OpenSSL behavior.
Endpoints affected:

https://api.anthropic.com/api/oauth/profile
https://api.anthropic.com/api/claude_cli/bootstrap
https://api.anthropic.com/v1/mcp_servers

Actual Behavior
All outbound HTTPS requests fail with:
SELF_SIGNED_CERT_IN_CHAIN

Resulting in:

OAuth profile fetch failure
MCP registry failure
Fast Mode disabled
Telemetry export failure
Repeated retry loops during startup

Local (offline) functionality works, but all network features fail.

Key Diagnostics
Claude Code logs consistently report the following throughout startup:
CA certs: useSystemCA=false, extraCertsPath=undefined

This appears after initialization, suggesting the runtime explicitly disables system CA usage.

Mitigations Attempted (All unsuccessful)

Corporate root CA installed in Windows Trusted Root store
NODE_EXTRA_CA_CERTS=<corp-root.pem>
BUN_USE_OPENSSL_CA=1
Full editor restart / OS reboot
Claude cache removal
Claude Code reinstall

As a debug confirmation, disabling TLS verification allows requests to proceed, confirming the issue is CA trust resolution rather than connectivity.

Impact
Claude Code is effectively unusable on standard enterprise networks with SSL inspection, preventing adoption in corporate environments.

Request for Support
Could the Claude Code team please investigate:

Why the bundled Bun runtime does not honor Windows system trust
Why NODE_EXTRA_CA_CERTS is ignored
Why BUN_USE_OPENSSL_CA does not alter CA behavior
Whether an enterprise‑supported TLS configuration or workaround exists

A redacted log bundle is attached below illustrating the failure mode.
Thank you — happy to provide additional diagnostics if helpful.

What Should Happen?

Expected Behavior
Claude Code should establish TLS connections to Anthropic endpoints when the system or user trust store includes the corporate root CA, consistent with Node/OpenSSL behavior.
Endpoints affected:

https://api.anthropic.com/api/oauth/profile
https://api.anthropic.com/api/claude_cli/bootstrap
https://api.anthropic.com/v1/mcp_servers

Error Messages/Logs

Steps to Reproduce

Steps to Reproduce
Prerequisites

A Windows 11 machine on an enterprise‑managed network that performs SSL/TLS inspection (MITM).
A corporate root CA certificate trusted by Windows:

Present in Trusted Root Certification Authorities
Verified working in browsers and Git.

Internet access that allows outbound HTTPS but performs certificate re‑signing.
No outbound firewall rule blocking api.anthropic.com.

Step‑by‑Step

Install Claude Code for Windows

Install Claude Code v2.1.87 (win32‑x64).
Use either:

Windsurf with the Claude Code extension, or
Claude Code CLI directly (same behavior).

Confirm baseline network trust

Open a browser and visit:
https://api.anthropic.com
Confirm the page loads without certificate warnings.
Confirm git fetch works against HTTPS remotes.
(Optional) Confirm curl https://api.anthropic.com succeeds if curl trusts system CAs.

Launch Claude Code

Start Windsurf (or Claude Code CLI).
Ensure Claude Code initializes normally.
Observe logs indicating:
OAuth tokens found in secure storage

Observe TLS behavior during startup

Watch Claude Code logs as startup proceeds.
Note repeated entries similar to:
CA certs: useSystemCA=false, extraCertsPath=undefined

Claude attempts to reach:

/api/oauth/profile
/api/claude_cli/bootstrap
/v1/mcp_servers

Observe failures

All outbound HTTPS requests fail with:
Error: self signed certificate in certificate chain
code=SELF_SIGNED_CERT_IN_CHAIN

Consequences:

Fast Mode disabled
MCP registry fetch fails
Telemetry export fails
Repeated retry attempts during startup

Mitigation Attempts (Confirming Repro)

Attempt official CA configuration

Set environment variable:
NODE_EXTRA_CA_CERTS=<path to corporate root CA PEM>

Restart all editor instances and Claude Code.
Result: ❌ No change

Attempt Bun CA override

Set environment variable:
BUN_USE_OPENSSL_CA=1

Restart all editor instances and Claude Code.
Result: ❌ No change
Logs still show:
CA certs: useSystemCA=false

(Optional diagnostic confirmation)

Temporarily disable TLS verification via runtime debug flag.
Claude Code can now reach Anthropic endpoints.
Confirms failure is CA trust resolution, not connectivity or auth.

Expected Result
Claude Code successfully establishes TLS connections to Anthropic endpoints when the corporate root CA is trusted by the system or explicitly configured via environment variables.

Actual Result
Claude Code fails all outbound HTTPS connections with SELF_SIGNED_CERT_IN_CHAIN, ignoring both system trust and user‑supplied CA configuration.

Repro Reliability
100% reproducible on enterprise networks with SSL inspection.
Not reproducible on:

Home networks
Hotspot connections
Networks without TLS MITM

Notes for Engineering

Failure occurs despite valid OAuth state.
Failure persists across reinstalls and cache clears.
Logs strongly indicate the Bun runtime initializes with CA trust disabled.

Claude Model

Opus

Is this a regression?

I don't know

Last Working Version

_No response_

Claude Code Version

1.1.8986 (17fe18)

Platform

Anthropic API

Operating System

Ubuntu/Debian Linux

Terminal/Shell

WSL (Windows Subsystem for Linux)

Additional Information

_No response_

View original on GitHub ↗

This issue has 3 comments on GitHub. Read the full discussion on GitHub ↗