
fix(mcp): preserve default CAs with NODE_EXTRA_CA_CERTS #2432

Merged
fahreddinozcan merged 10 commits into master from
fix/node-extra-ca-certs-support
Apr 10, 2026


fahreddinozcan commented Apr 10, 2026

Summary

  • preserve Node's default trusted CAs when NODE_EXTRA_CA_CERTS is configured
  • keep custom CA support for both direct and proxy MCP requests
  • add regression coverage for custom CA loading
  • keep only the follow-up fix changeset in this PR

Validation

  • pnpm --dir packages/mcp lint:check
  • pnpm --dir packages/mcp test
  • live repro verified: old custom-CA-only behavior failed with UNABLE_TO_GET_ISSUER_CERT_LOCALLY, patched behavior succeeded

mvanhorn and others added 8 commits March 17, 2026 23:29
When NODE_EXTRA_CA_CERTS is set, reads the CA certificate file and
injects it into undici's global dispatcher. This fixes fetch failures
behind enterprise transparent SSL intercept proxies (Zscaler, etc.)
where the default TLS context does not trust the corporate CA.

The CA certs are also passed through when an explicit HTTPS_PROXY is
configured, so both proxy modes work with custom certificates.

Fixes #2268

This contribution was developed with AI assistance (Claude Code).

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
…/node-extra-ca-certs-support

# Conflicts:
#	packages/mcp/src/lib/api.ts
fahreddinozcan changed the title from "Fix/node extra ca certs support" to "fix(mcp): preserve default CAs with NODE_EXTRA_CA_CERTS" Apr 10, 2026
fahreddinozcan merged commit 00833f9 into master Apr 10, 2026
3 checks passed
fahreddinozcan deleted the fix/node-extra-ca-certs-support branch April 10, 2026 10:05
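
Added example (not code from this PR or the project): in Node.js an explicit `ca` TLS option replaces the built-in trust list, so a custom-CA-only list drops the public roots, while the merged list keeps them. The sketch assumes the merge is done by combining `tls.rootCertificates` with the PEM file named by `NODE_EXTRA_CA_CERTS`; the function names and the sample PEM block are constructed for illustration.

```javascript
const fs = require('node:fs');
const tls = require('node:tls');

// Constructed placeholder PEM block (not a real certificate), used as sample input.
const SAMPLE_EXTRA_CA =
  '-----BEGIN CERTIFICATE-----\nQ09OU1RSVUNURUQ=\n-----END CERTIFICATE-----';

// Split a PEM bundle into its individual certificate blocks.
function splitPem(text) {
  return text.match(/-----BEGIN CERTIFICATE-----[\s\S]+?-----END CERTIFICATE-----/g) || [];
}

// Read the file named by NODE_EXTRA_CA_CERTS; [] if unset, unreadable or empty.
function readExtraCas(env) {
  if (!env.NODE_EXTRA_CA_CERTS) return [];
  try {
    return splitPem(fs.readFileSync(env.NODE_EXTRA_CA_CERTS, 'utf8'));
  } catch {
    return []; // unreadable file: fall back to defaults instead of failing every request
  }
}

// "Before" shape: only the extra CAs. Passed as the `ca` TLS option, this list
// replaces Node's bundled roots, so publicly issued chains stop validating.
function customOnlyBundle(env = process.env) {
  const extra = readExtraCas(env);
  return extra.length ? extra : undefined;
}

// "After" shape: bundled roots plus the extra CAs, de-duplicated.
// undefined means "pass no `ca` option", which leaves Node's default store in use.
function buildCaBundle(env = process.env) {
  const extra = readExtraCas(env);
  if (extra.length === 0) return undefined;
  return [...new Set([...tls.rootCertificates, ...extra])];
}
```

The array returned by `buildCaBundle` is what would be passed as the `ca` option of the TLS client (for example `tls.connect({ ca })`). `tls.rootCertificates` lists only the roots bundled with Node, so a process started with a system or OpenSSL store needs those added separately.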