Description
In our company, we are using a proxy which "opens" TLS encryption with outside of our network for DPI. This proxy issues certificates using an internal PKI. Our internal LLM models also use certificates from our internal PKI. I am running opencode in the version 1.2.24 using Node 24.14.0 on Windows 11. I have set the environment variable NODE_EXTRA_CA_CERTS pointing to a file which contains the root certificate of our internal PKI in PEM format. The certificate is valid (today is between notBefore/notAfter).
The problem:
whenever I try to use any model (internal and external) I get the error message "certificate has expired" (which definitely is wrong, any error message regarding a self-signed certificate would be correct - assuming the environment variable is ignored or our root certificate has a problem).
Steps to identify the problem:
- Exception of external URLs of some models from SSL Decryption: these URLs work, the internal URL does not work
- Set NODE_TLS_REJECT_UNAUTHORIZED to 0: everything works as expected - apart from having a security issue
- Run simple programs in Node which only access these URLs: NODE_EXTRA_CA_CERTS is used, and everything works. Without NODE_EXTRA_CA_CERTS, I get the expected error message about self-signed certificates
- Run opencode in a container on the Windows machine - everything works as expected.
- Tried the same setup in Node versions 20, 21 and 25
This points to a problem of the opencode-code in combination with Node for Windows. According to Copilot, Node for Windows seems to be a bit sensitive and ignores at least TLS-related environment variables, if:
- if the app overwrites https.globalAgent.options.ca
- if a package like axios, request, node-fetch, got replaces agents internally
- if the application is using tls.createSecureContext() directly
I did look at the other cases the search returned, but setting NODE_TLS_REJECT_UNAUTHORIZED to 0 is not a solution. Excluding URLs from SSL decryption is a workaround, but not a solution. The same is true for replacing the internal certificates for our internal models with certificates from public CAs.
Plugins
No response
OpenCode version
1.2.24
Steps to reproduce
- open PowerShell (or command)
- set the environment variable NODE_EXTRA_CA_CERTS to the complete path of the internal root certificate
- start opencode
- select any model
- enter "hi" or anything
Screenshot and/or share link
No response
Operating System
Windows 11
Terminal
Windows Terminal