[BUG] 2.1.181 native installer fails with "unable to get local issuer certificate" when system cert store is forced (regression of #51889)

Resolved 💬 2 comments Opened Jun 18, 2026 by thebrubaker Closed Jun 22, 2026

What's Wrong?

On the native build, claude install fails to fetch from downloads.claude.ai with unable to get local issuer certificate — but only when the cert store is forced to system, via either CLAUDE_CODE_CERT_STORE=system or NODE_OPTIONS=--use-system-ca.

This is a regression: 2.1.178 and 2.1.179 succeed under the identical environment; 2.1.181 fails 4/4. It went unnoticed for me because the trigger was a months-old, unrelated --use-system-ca in NODE_OPTIONS (added for a different tool) — the new install silently surfaced it.

Root Cause

downloads.claude.ai serves a leaf-only chain — no intermediate is sent (verified 10/10 via openssl s_client). The leaf is signed by Google Trust Services WR3, which anchors at GTS Root R4 — and that root is present in the macOS keychain (R1–R4 all present).

In system-store mode, 2.1.181 loads the keychain root but no longer bridges the leaf to it — it doesn't supply or fetch the missing WR3 intermediate — so verification fails with UNABLE_TO_GET_ISSUER_CERT_LOCALLY. 2.1.178/179 handle the same leaf-only chain + same store fine. bundled mode carries the intermediate and works on all versions.

What Should Happen?

claude install should verify downloads.claude.ai in system-store mode using the keychain root (as 2.1.178/179 do), resolving the omitted intermediate.

Error Messages/Logs

✘ Installation failed

Failed to fetch version from https://downloads.claude.ai/claude-code-releases/stable after 3 attempt(s): unable to get local issuer certificate

Try running with --force to override checks

Steps to Reproduce

# macOS, native install. Fails on 2.1.181, succeeds on 2.1.178/2.1.179:
CLAUDE_CODE_CERT_STORE=system <claude-binary> install stable
# equivalently:
NODE_OPTIONS=--use-system-ca <claude-binary> install stable

Deterministic results on the same machine (keychain contains GTS Root R1–R4):

| cert store | 2.1.178 / 2.1.179 | 2.1.181 |
|---|---|---|
| system (or --use-system-ca) | OK | FAIL |
| bundled | OK | OK |
| system,bundled | OK | OK |
| bundled,system | OK | OK |

Supporting evidence:

  • echo \| openssl s_client -connect downloads.claude.ai:443 -servername downloads.claude.ai returns 1 certificate (leaf only), Verify return code: 0 (ok) — system openssl resolves it; the 2.1.181 system-store path does not.
  • security find-certificate -a /System/Library/Keychains/SystemRootCertificates.keychain lists GTS Root R1, R2, R3, R4 — the anchor is present.

Workaround

Set CLAUDE_CODE_CERT_STORE=system,bundled (the documented default) to restore the bundled fallback alongside the system store.

Is this a regression?

Yes. Last working version: 2.1.179. Broken in: 2.1.181. Same family as #51889 (closed Apr 2026) — appears to have regressed.

Platform

macOS (arm64), native install.

View original on GitHub ↗

This issue has 2 comments on GitHub. Read the full discussion on GitHub ↗