Problem
When agentic workflows use the DIFC proxy (cli-proxy / byok-copilot feature), gh repo clone and git clone commands fail with an SSL certificate verification error:
fatal: unable to access 'https://localhost:18443/...'
SSL certificate problem: unable to get local issuer certificate (OpenSSL verify result 20)
All repository clone operations fail because git cannot verify the proxy's TLS certificate against the local CA trust store.
Context
Root Cause
The DIFC proxy at localhost:18443 terminates TLS with its own certificate. When gh repo clone runs inside the AWF sandbox, git uses HTTPS to connect through the proxy. The proxy's CA certificate is not in the system trust store, so OpenSSL rejects the connection.
This affects any tool that performs HTTPS operations through the proxy and does strict certificate verification (git, curl without -k, etc.).
Impact
- 18/18 ecosystem test projects failed to clone in the Build Test Suite
- Any workflow using byok-copilot: true or cli-proxy: true that runs gh repo clone or git clone will hit this
Potential Solutions
- Inject the proxy CA cert into the system trust store during proxy startup (e.g., copy CA cert to /usr/local/share/ca-certificates/ and run update-ca-certificates, or set GIT_SSL_CAINFO/GIT_SSL_CAPATH env vars)
- Set http.sslCAInfo in git config to point to the proxy's CA certificate bundle
- Export a NODE_EXTRA_CA_CERTS / SSL_CERT_FILE env var so that git, curl, and other tools trust the proxy's certificate
- Provide a setup hook that gh-aw-actions/setup can call to configure certificate trust before the agent runs
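One way to apply the http.sslCAInfo option from the list above while limiting the trust to the proxy endpoint. This is an added example, not code from the project; the function names and the CA file path are assumptions, since the issue does not say where the proxy writes its CA certificate.

```shell
#!/usr/bin/env bash
# Added example. PROXY_URL is taken from the error message on this page;
# the CA file path passed to trust_proxy_ca is an assumption.
PROXY_URL="${PROXY_URL:-https://localhost:18443/}"

# trust_proxy_ca <ca.pem>
# Validate the CA file, then make git use it for PROXY_URL only.
trust_proxy_ca() {
  local ca="$1"
  [ -r "$ca" ] || { echo "CA file not readable: $ca" >&2; return 1; }

  # Must parse as a PEM X.509 certificate and must not be expired.
  openssl x509 -in "$ca" -noout -checkend 0 >/dev/null 2>&1 \
    || { echo "not a valid, unexpired certificate: $ca" >&2; return 2; }

  # Store an absolute path so the setting does not depend on the working directory.
  ca="$(cd "$(dirname "$ca")" && pwd)/$(basename "$ca")"

  # Flag leftovers of the insecure workaround instead of silently keeping them.
  if [ -n "${GIT_SSL_NO_VERIFY:-}" ] ||
     [ "$(git config --global --get http.sslVerify 2>/dev/null)" = "false" ]; then
    echo "warning: TLS verification is disabled for git; remove that setting" >&2
  fi

  # http.<url>.sslCAInfo applies only to URLs under PROXY_URL, so git does
  # not use the proxy CA when talking to any other host.
  git config --global "http.${PROXY_URL}.sslCAInfo" "$ca"
}

# effective_ca <url>: print the CA file git would use for <url>
# (empty output means git falls back to its default trust store).
effective_ca() {
  git config --global --get-urlmatch http.sslCAInfo "$1" 2>/dev/null || true
}
```

Calling effective_ca with a proxy URL and with a non-proxy URL after setup shows whether the scoping took effect before the agent runs any clone.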