[BUG] Claude Code loads fixed subset (10) of system CA certificates regardless of CLAUDE_CODE_CERT_STORE value — primary /v1/messages requests fail with UNABLE_TO_GET_ISSUER_CERT
Preflight Checklist
- [x] I have searched existing issues and this hasn't been reported yet
- [x] This is a single bug report (please file separate reports for different bugs)
- [x] I am using the latest version of Claude Code
What's Wrong?
Bug description
The primary API request path (claude --print, /v1/messages) fails withUNABLE_TO_GET_ISSUER_CERT / "unable to get issuer certificate" on a machine
with a fully intact, verified macOS System trust store. Debug logs show the
binary consistently loads only 10 system CA certificates, regardless of
CLAUDE_CODE_CERT_STORE value — a normal macOS System keychain contains
150-200+ trusted roots.
Environment
- Claude Code version: 2.1.197 (native/Bun binary)
- OS: macOS
- Network: behind Zscaler TLS-inspection proxy (org-managed)
Evidence this is not a Zscaler/network/trust-store problem
security verify-certagainst exported Zscaler root CA: successopenssl s_client -connect api.anthropic.com:443(no -CAfile, default OS
trust store): Verify return code: 0 (ok)
openssl s_client -showcertsagainst api.anthropic.com:
issuer=C=US, O=Google Trust Services, CN=WE1 — confirms Zscaler is NOT
intercepting this host; chain resolves via standard public CA.
Evidence pointing at the binary's cert loader
- Debug log: "CA certs: Loaded 10 system CA certificates" — consistent
across every run tested
- CLAUDE_CODE_CERT_STORE=system → still loads exactly 10
- CLAUDE_CODE_CERT_STORE=bundled,system → still loads exactly 10
- NODE_EXTRA_CA_CERTS set to valid Zscaler chain file — confirmed loaded
per log ("Appended extra certificates from NODE_EXTRA_CA_CERTS"), does
not resolve the failure
- Same run also shows claudeai-mcp bootstrap fetch and OTEL telemetry
export failing with identical UNABLE_TO_GET_ISSUER_CERT, suggesting the
fixed-10-cert subset affects every fetch path in the binary, not just
MCP OAuth
Related issues
- #55760 — same UNABLE_TO_GET_ISSUER_CERT symptom, scoped to MCP OAuth
initiation only; this report is the same root-cause class but affects
the primary /v1/messages path
- #25977 — WebFetch SSL failures behind Zscaler, same runtime
- #22512 — NODE_EXTRA_CA_CERTS in settings.json not effective
Conclusion
tls.getCACertificates (or equivalent) in the Bun-compiled binary appears
to return a fixed ~10-cert subset of the OS trust store regardless of
CLAUDE_CODE_CERT_STORE value or actual OS store size/integrity. Since
the OS-level chain to api.anthropic.com is confirmed clean, this looks
like a defect in the binary's system-store enumeration, not a
proxy/CA-config issue.
Happy to provide full debug logs if useful.
What Should Happen?
Expected behavior
Claude Code should either:
- Load the full macOS System trust store (150-200+ roots) when
CLAUDE_CODE_CERT_STORE includes "system", matching what
tls.getCACertificates returns natively and what security verify-cert
/ openssl s_client confirm is available on the OS, or
- If a fixed subset is intentional, document which certs are included
and why, so behavior is predictable rather than silently truncating
to 10 regardless of config.
At minimum, /v1/messages requests should succeed when the OS-level TLS
chain to api.anthropic.com is independently verified as valid
(confirmed via openssl s_client, Verify return code: 0).
Error Messages/Logs
### Logs
2026-07-01T08:59:22.192Z [DEBUG] CA certs: stores=system, extraCertsPath=<redacted-local-path>/zscaler-ca-chain.pem
2026-07-01T08:59:22.192Z [DEBUG] CA certs: Loaded 10 system CA certificates
2026-07-01T08:59:22.192Z [DEBUG] CA certs: Appended extra certificates from NODE_EXTRA_CA_CERTS (<redacted-local-path>/zscaler-ca-chain.pem)
2026-07-01T08:59:22.265Z [DEBUG] CA certs: Loaded 10 system CA certificates
2026-07-01T08:59:22.281Z [DEBUG] CA certs: Loaded 10 system CA certificates
2026-07-01T08:59:40.871Z [ERROR] Connection error details: code=UNABLE_TO_GET_ISSUER_CERT (SSL error), message=unable to get issuer certificate
at makeRequest (cli.js:52:6797)
2026-07-01T08:59:40.978Z [ERROR] 1P event logging: 9 events failed to export (code=UNABLE_TO_GET_ISSUER_CERT, unable to get issuer certificate)
Steps to Reproduce
Steps to reproduce
- On macOS with a corporate TLS-inspection proxy (e.g. Zscaler) whose
root CA is installed and trusted in the System keychain
- Verify OS-level trust is intact:
security verify-cert -c <exported-root.pem> - Verify clean chain to Anthropic's API: `openssl s_client -connect
api.anthropic.com:443 </dev/null 2>&1 | grep "Verify return code"`
→ returns 0 (ok)
- Run
claude --debug --print "test" - Observe debug log: "CA certs: Loaded 10 system CA certificates"
- Request fails: UNABLE_TO_GET_ISSUER_CERT
- Repeat with CLAUDE_CODE_CERT_STORE=system and
CLAUDE_CODE_CERT_STORE=bundled,system — count stays at 10 in both cases
Claude Model
None
Is this a regression?
Yes, this worked in a previous version
Last Working Version
_No response_
Claude Code Version
2.1.197 (Claude Code)
Platform
Anthropic API
Operating System
macOS
Terminal/Shell
Terminal.app (macOS)
Additional Information
_No response_
This issue has 2 comments on GitHub. Read the full discussion on GitHub ↗