Preflight Checklist
What's Wrong?
Description:
The Code tab in Claude Desktop hangs and fails to connect when behind a corporate SSL-inspecting proxy (Zscaler). The Chat and Cowork tabs work correctly.
The root cause is that the desktop app does not forward the NODE_EXTRA_CA_CERTS environment variable to the Claude Code CLI subprocess it spawns.
Environment
- OS: macOS 15 (Darwin 24.6.0), Apple Silicon
- Claude Desktop: v1.1.1520
- Claude Code (bundled): v2.1.22
- Corporate proxy: Zscaler SSL inspection
Root cause
The Electron parent process does have NODE_EXTRA_CA_CERTS in its environment (confirmed via ps eww), but the CLI child process at ~/Library/Application
Support/Claude/claude-code/2.1.22/claude does not. The desktop app constructs a custom environment for the CLI subprocess, extracting only PATH (via [CCD]
Successfully extracted shell PATH via utility process — visible in main.log), and drops all other environment variables.
The Claude Code CLI uses Bun, which relies on NODE_EXTRA_CA_CERTS for custom CA certificates. Without it, all API calls fail:
Connection error details: code=UNABLE_TO_GET_ISSUER_CERT_LOCALLY (SSL error), message=unable to get local issuer certificate
What doesn't work
│ Approach │ Result │
│ export NODE_EXTRA_CA_CERTS=... in ~/.zshrc │ Not inherited — app only extracts PATH │
│ launchctl setenv NODE_EXTRA_CA_CERTS ... │ Present in Electron process but not forwarded to CLI child │
│ ~/.claude/settings.json with "env": {"NODE_EXTRA_CA_CERTS": "..."} │ Not applied to CLI process TLS context │
What Should Happen?
The desktop app should forward TLS-related environment variables (at minimum NODE_EXTRA_CA_CERTS, NODE_TLS_REJECT_UNAUTHORIZED, SSL_CERT_FILE,
SSL_CERT_DIR) from its own environment to the CLI subprocess. Alternatively, it should read them from ~/.claude/settings.json's env section and apply them
to the CLI process environment at spawn time.
Error Messages/Logs
Evidence from logs
~/Library/Logs/Claude/main.log:
[CCD] Successfully extracted shell PATH via utility process
Using Claude Code binary at: .../claude-code/2.1.22/claude
~/.claude/debug/<session>.txt:
[ERROR] Connection error details: code=UNABLE_TO_GET_ISSUER_CERT_LOCALLY
[ERROR] 1P event logging: 28 events failed to export (code=UNABLE_TO_GET_ISSUER_CERT_LOCALLY)
Process environment comparison:
# Electron parent (PID 4059) — has the variable:
NODE_EXTRA_CA_CERTS=/Users/.../zscaler-root-ca.crt
# CLI child (PID 4423) — does NOT have it
Steps to Reproduce
Steps to reproduce
- Be on a corporate network with Zscaler SSL inspection
- Set export NODE_EXTRA_CA_CERTS=$HOME/.ca-certificates/zscaler-root-ca.crt in ~/.zshrc
- Also set via launchctl setenv NODE_EXTRA_CA_CERTS ... for GUI apps
- Open Claude Desktop
- Chat tab works fine
- Cowork tab works fine (VM installs host CA certs via coworkd)
- Code tab hangs indefinitely — never connects
Claude Model
Opus
Is this a regression?
I don't know
Last Working Version
No response
Claude Code Version
Claude for Mac Claude 1.1.1520 (48ced7) 2026-01-30T03:29:40.000Z
Platform
Anthropic API
Operating System
macOS
Terminal/Shell
Terminal.app (macOS)
Additional Information
Current workaround
Rename the bundled CLI binary to claude.real and replace it with a wrapper script:
#!/bin/bash
export NODE_EXTRA_CA_CERTS="$HOME/.ca-certificates/zscaler-root-ca.crt"
exec "$(dirname "$0")/claude.real" "$@"
This breaks on every auto-update.
Preflight Checklist
What's Wrong?
Description:
The Code tab in Claude Desktop hangs and fails to connect when behind a corporate SSL-inspecting proxy (Zscaler). The Chat and Cowork tabs work correctly.
The root cause is that the desktop app does not forward the NODE_EXTRA_CA_CERTS environment variable to the Claude Code CLI subprocess it spawns.
Environment
Root cause
The Electron parent process does have NODE_EXTRA_CA_CERTS in its environment (confirmed via ps eww), but the CLI child process at ~/Library/Application
Support/Claude/claude-code/2.1.22/claude does not. The desktop app constructs a custom environment for the CLI subprocess, extracting only PATH (via [CCD]
Successfully extracted shell PATH via utility process — visible in main.log), and drops all other environment variables.
The Claude Code CLI uses Bun, which relies on NODE_EXTRA_CA_CERTS for custom CA certificates. Without it, all API calls fail:
Connection error details: code=UNABLE_TO_GET_ISSUER_CERT_LOCALLY (SSL error), message=unable to get local issuer certificate
What doesn't work
│ Approach │ Result │
│ export NODE_EXTRA_CA_CERTS=... in ~/.zshrc │ Not inherited — app only extracts PATH │
│ launchctl setenv NODE_EXTRA_CA_CERTS ... │ Present in Electron process but not forwarded to CLI child │
│ ~/.claude/settings.json with "env": {"NODE_EXTRA_CA_CERTS": "..."} │ Not applied to CLI process TLS context │
What Should Happen?
The desktop app should forward TLS-related environment variables (at minimum NODE_EXTRA_CA_CERTS, NODE_TLS_REJECT_UNAUTHORIZED, SSL_CERT_FILE,
SSL_CERT_DIR) from its own environment to the CLI subprocess. Alternatively, it should read them from ~/.claude/settings.json's env section and apply them
to the CLI process environment at spawn time.
Error Messages/Logs
Steps to Reproduce
Steps to reproduce
Claude Model
Opus
Is this a regression?
I don't know
Last Working Version
No response
Claude Code Version
Claude for Mac Claude 1.1.1520 (48ced7) 2026-01-30T03:29:40.000Z
Platform
Anthropic API
Operating System
macOS
Terminal/Shell
Terminal.app (macOS)
Additional Information
Current workaround
Rename the bundled CLI binary to claude.real and replace it with a wrapper script:
#!/bin/bash
export NODE_EXTRA_CA_CERTS="$HOME/.ca-certificates/zscaler-root-ca.crt"
exec "$(dirname "$0")/claude.real" "$@"
This breaks on every auto-update.