Description
[Description]
Inside a sandbox, a plain git clone https:/// fails with "server certificate verification failed" because git does not trust the OpenShell L7 proxy's re-signed certificate.
[Environment]
Device: Ubuntu 22.04
Node.js: v22.22.2
npm: 10.9.7
Docker: Docker Engine 29.4.0 (build 9d7ad9f)
OpenShell CLI: openshell m-dev
NemoClaw: v0.0.22
OpenClaw (inside sandbox): 2026.4.2
[Steps to Reproduce]
1. nemoclaw onboard (name: my-assistant, any provider; Balanced preset tier)
2. nemoclaw my-assistant policy-add github
3. nemoclaw my-assistant connect
4. (inside sandbox) git clone https://github.com/octocat/Hello-World.git /tmp/test-repo
[Expected Result]
Step 4: git clone completes successfully.
[Actual Result]
Step 4 fails at TLS verification:
sandbox@my-assistant:~$ git clone https://github.com/octocat/Hello-World.git /tmp/test-repo 2>&1
Cloning into '/tmp/test-repo'...
fatal: unable to access 'https://github.com/octocat/Hello-World.git/':
server certificate verification failed. CAfile: none CRLfile: none
The sandbox env DOES advertise the CA bundle, but not in a form git recognizes:
sandbox@my-assistant:~$ env | grep -iE "SSL|CA|CERT"
NODE_EXTRA_CA_CERTS=/etc/openshell-tls/openshell-ca.pem
CURL_CA_BUNDLE=/etc/openshell-tls/ca-bundle.pem
SSL_CERT_FILE=/etc/openshell-tls/ca-bundle.pem
REQUESTS_CA_BUNDLE=/etc/openshell-tls/ca-bundle.pem
Re-running the same clone with GIT_SSL_CAINFO set explicitly succeeds:
sandbox@my-assistant:~$ GIT_SSL_CAINFO=/etc/openshell-tls/ca-bundle.pem \
    git clone https://github.com/octocat/Hello-World.git /tmp/test-repo
Cloning into '/tmp/test-repo'...
remote: Enumerating objects: 13, done.
remote: Total 13 (delta 0), reused 0 (delta 0), pack-reused 13
Receiving objects: 100% (13/13), done.
sandbox@my-assistant:~$ ls /tmp/test-repo/
README
Bug Details
| Field | Value |
| --- | --- |
| Priority | Unprioritized |
| Action | Dev - Open - To fix |
| Disposition | Open issue |
| Module | Machine Learning - NemoClaw |
| Keyword | NemoClaw, NEMOCLAW_GH_SYNC_APPROVAL, NemoClaw_Security |
[NVB#6103552]
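
A check for the gap described in this report, as an added example that is not part of the original report or of NemoClaw/OpenShell: it compares the CA bundle advertised through SSL_CERT_FILE, CURL_CA_BUNDLE and REQUESTS_CA_BUNDLE with what git is configured to trust (GIT_SSL_CAINFO or http.sslCAInfo). The function names are hypothetical.

```sh
#!/bin/sh
# Added example (not NemoClaw/OpenShell code): does git trust the same CA
# bundle that the sandbox advertises to curl, OpenSSL and Python requests?

# Print the first advertised bundle that is readable and holds a PEM cert.
advertised_bundle() {
    for candidate in "${SSL_CERT_FILE:-}" "${CURL_CA_BUNDLE:-}" \
                     "${REQUESTS_CA_BUNDLE:-}"; do
        [ -n "$candidate" ] || continue
        [ -r "$candidate" ] || continue
        grep -q -e '-----BEGIN CERTIFICATE-----' "$candidate" || continue
        printf '%s\n' "$candidate"
        return 0
    done
    return 1
}

# Print the CA file git is configured with: GIT_SSL_CAINFO wins, otherwise
# the http.sslCAInfo config value. Fails when neither is set.
git_configured_ca() {
    if [ -n "${GIT_SSL_CAINFO:-}" ]; then
        printf '%s\n' "$GIT_SSL_CAINFO"
        return 0
    fi
    command -v git >/dev/null 2>&1 || return 1
    git config --get http.sslCAInfo
}

# One status line: "ok ...", "gap ..." (with the fix), or "none ...".
check_git_ca() {
    if ca=$(git_configured_ca) && [ -n "$ca" ]; then
        echo "ok git uses $ca"
    elif bundle=$(advertised_bundle); then
        echo "gap export GIT_SSL_CAINFO=$bundle"
    else
        echo "none no readable CA bundle advertised"
    fi
}

check_git_ca
```

Assuming the bundle file is readable and git has no http.sslCAInfo configured, the environment shown in this report should produce the `gap` line pointing at /etc/openshell-tls/ca-bundle.pem.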