[BUG] Claude Code loads fixed subset (10) of system CA certificates regardless of CLAUDE_CODE_CERT_STORE value — primary /v1/messages requests fail with UNABLE_TO_GET_ISSUER_CERT

Open 💬 2 comments Opened Jul 1, 2026 by ryansabandal

Preflight Checklist

  • [x] I have searched existing issues and this hasn't been reported yet
  • [x] This is a single bug report (please file separate reports for different bugs)
  • [x] I am using the latest version of Claude Code

What's Wrong?

Bug description

The primary API request path (claude --print, /v1/messages) fails with
UNABLE_TO_GET_ISSUER_CERT / "unable to get issuer certificate" on a machine
with a fully intact, verified macOS System trust store. Debug logs show the
binary consistently loads only 10 system CA certificates, regardless of
CLAUDE_CODE_CERT_STORE value — a normal macOS System keychain contains
150-200+ trusted roots.

Environment

  • Claude Code version: 2.1.197 (native/Bun binary)
  • OS: macOS
  • Network: behind Zscaler TLS-inspection proxy (org-managed)

Evidence this is not a Zscaler/network/trust-store problem

  • security verify-cert against exported Zscaler root CA: success
  • openssl s_client -connect api.anthropic.com:443 (no -CAfile, default OS

trust store): Verify return code: 0 (ok)

  • openssl s_client -showcerts against api.anthropic.com:

issuer=C=US, O=Google Trust Services, CN=WE1 — confirms Zscaler is NOT
intercepting this host; chain resolves via standard public CA.

Evidence pointing at the binary's cert loader

  • Debug log: "CA certs: Loaded 10 system CA certificates" — consistent

across every run tested

  • CLAUDE_CODE_CERT_STORE=system → still loads exactly 10
  • CLAUDE_CODE_CERT_STORE=bundled,system → still loads exactly 10
  • NODE_EXTRA_CA_CERTS set to valid Zscaler chain file — confirmed loaded

per log ("Appended extra certificates from NODE_EXTRA_CA_CERTS"), does
not resolve the failure

  • Same run also shows claudeai-mcp bootstrap fetch and OTEL telemetry

export failing with identical UNABLE_TO_GET_ISSUER_CERT, suggesting the
fixed-10-cert subset affects every fetch path in the binary, not just
MCP OAuth

Related issues

  • #55760 — same UNABLE_TO_GET_ISSUER_CERT symptom, scoped to MCP OAuth

initiation only; this report is the same root-cause class but affects
the primary /v1/messages path

  • #25977 — WebFetch SSL failures behind Zscaler, same runtime
  • #22512 — NODE_EXTRA_CA_CERTS in settings.json not effective

Conclusion

tls.getCACertificates (or equivalent) in the Bun-compiled binary appears
to return a fixed ~10-cert subset of the OS trust store regardless of
CLAUDE_CODE_CERT_STORE value or actual OS store size/integrity. Since
the OS-level chain to api.anthropic.com is confirmed clean, this looks
like a defect in the binary's system-store enumeration, not a
proxy/CA-config issue.

Happy to provide full debug logs if useful.

What Should Happen?

Expected behavior

Claude Code should either:

  1. Load the full macOS System trust store (150-200+ roots) when

CLAUDE_CODE_CERT_STORE includes "system", matching what
tls.getCACertificates returns natively and what security verify-cert
/ openssl s_client confirm is available on the OS, or

  1. If a fixed subset is intentional, document which certs are included

and why, so behavior is predictable rather than silently truncating
to 10 regardless of config.

At minimum, /v1/messages requests should succeed when the OS-level TLS
chain to api.anthropic.com is independently verified as valid
(confirmed via openssl s_client, Verify return code: 0).

Error Messages/Logs

### Logs


2026-07-01T08:59:22.192Z [DEBUG] CA certs: stores=system, extraCertsPath=<redacted-local-path>/zscaler-ca-chain.pem
2026-07-01T08:59:22.192Z [DEBUG] CA certs: Loaded 10 system CA certificates
2026-07-01T08:59:22.192Z [DEBUG] CA certs: Appended extra certificates from NODE_EXTRA_CA_CERTS (<redacted-local-path>/zscaler-ca-chain.pem)
2026-07-01T08:59:22.265Z [DEBUG] CA certs: Loaded 10 system CA certificates
2026-07-01T08:59:22.281Z [DEBUG] CA certs: Loaded 10 system CA certificates
2026-07-01T08:59:40.871Z [ERROR] Connection error details: code=UNABLE_TO_GET_ISSUER_CERT (SSL error), message=unable to get issuer certificate
    at makeRequest (cli.js:52:6797)
2026-07-01T08:59:40.978Z [ERROR] 1P event logging: 9 events failed to export (code=UNABLE_TO_GET_ISSUER_CERT, unable to get issuer certificate)

Steps to Reproduce

Steps to reproduce

  1. On macOS with a corporate TLS-inspection proxy (e.g. Zscaler) whose

root CA is installed and trusted in the System keychain

  1. Verify OS-level trust is intact: security verify-cert -c <exported-root.pem>
  2. Verify clean chain to Anthropic's API: `openssl s_client -connect

api.anthropic.com:443 </dev/null 2>&1 | grep "Verify return code"`
→ returns 0 (ok)

  1. Run claude --debug --print "test"
  2. Observe debug log: "CA certs: Loaded 10 system CA certificates"
  3. Request fails: UNABLE_TO_GET_ISSUER_CERT
  4. Repeat with CLAUDE_CODE_CERT_STORE=system and

CLAUDE_CODE_CERT_STORE=bundled,system — count stays at 10 in both cases

Claude Model

None

Is this a regression?

Yes, this worked in a previous version

Last Working Version

_No response_

Claude Code Version

2.1.197 (Claude Code)

Platform

Anthropic API

Operating System

macOS

Terminal/Shell

Terminal.app (macOS)

Additional Information

_No response_

View original on GitHub ↗

This issue has 2 comments on GitHub. Read the full discussion on GitHub ↗