Go programs fail TLS verification through built-in proxy on macOS Tahoe (x509: OSStatus -26276)

Resolved 💬 0 comments Opened Jul 14, 2026 by dawnho Closed Jul 14, 2026

Description

Go-based CLI tools (gh, flyctl, and likely all Go programs) fail with TLS certificate verification errors when their traffic is routed through Claude Code's built-in network proxy on macOS Tahoe (26.x).

The proxy itself works correctly — curl succeeds through it, and the proxy is not performing TLS interception (real upstream certs are visible). The issue is specific to Go's crypto/x509 package, which on macOS uses Security.framework for certificate verification and returns OSStatus -26276 (errSecNotTrusted) when connecting through the CONNECT-style HTTP proxy.

Error

tls: failed to verify certificate: x509: OSStatus -26276

Steps to Reproduce

  1. Run Claude Code on macOS Tahoe (26.x)
  2. From within a Claude Code session, run any Go-based CLI tool that makes HTTPS requests:

``
gh api user
# or
flyctl apps list
``

  1. Both fail with the x509: OSStatus -26276 error

Expected Behavior

Go programs should be able to verify TLS certificates when connecting through Claude Code's built-in proxy, just as curl can.

Workaround

Run gh/flyctl in a separate terminal outside of Claude Code, where the proxy env vars are not set.

Environment

| Component | Version |
|-----------|---------|
| Claude Code | 2.1.207 |
| macOS | 26.5 (Tahoe), Build 25F71 |
| Architecture | arm64 (Apple Silicon) |
| gh | 2.93.0 (compiled with Go 1.26.3) |
| flyctl | 0.4.69 (compiled with Go 1.26.5) |

Diagnostic Details

  • The proxy runs on localhost:60615 (PID is Claude Code itself)
  • Proxy uses HTTP CONNECT tunneling (not TLS interception) — curl -v shows real upstream certs (e.g. Sectigo for github.com)
  • curl through the proxy returns HTTP 200 successfully
  • Bypassing the proxy (HTTPS_PROXY="" gh ...) eliminates the TLS error but hits the sandbox's operation not permitted on direct connections, confirming the proxy is required
  • SSL_CERT_FILE and GODEBUG=x509usefallbackroots=1 have no effect — Go 1.26 on macOS uses Security.framework exclusively
  • No custom/intercepting CA certificates are installed in the system keychain

View original on GitHub ↗