What happened?
Since the introduction of the "Lightweight Parent Process" optimization in v0.39.0 (PR #24667), the Gemini CLI no longer honors the NODE_EXTRA_CA_CERTS environment variable when it is defined inside the .gemini/.env file. This breaks connectivity to corporate MCP servers and APIs that rely on internal CA certificates.
Technical Root Cause:
Node.js initializes its internal SSL/TLS engine and reads NODE_EXTRA_CA_CERTS exactly once at the moment the process starts.
- The new Parent Process (packages/cli/index.ts) is designed to be lightweight and intentionally skips loading the .env file to save startup time.
- It then spawns the Child Process (the "heavy" app) passing the shell's current environment.
- The Child Process Node.js engine initializes its networking layer before any JS code runs.
- The Child's JS code eventually loads the .env file and updates process.env, but this update occurs too late for the Node.js networking engine (the C++ layer), which has already completed its trust-store initialization.
Affected Code:
The regression is located in packages/cli/index.ts, where the environment is captured before .env processing:
```ts
// packages/cli/index.ts (Approx line 81)
const newEnv = { ...process.env, GEMINI_CLI_NO_RELAUNCH: 'true' };
const child = spawn(process.execPath, nodeArgs, {
  stdio: ['inherit', 'inherit', 'inherit', 'ipc'],
  env: newEnv,
});
```
Steps to Reproduce:
- Use Gemini CLI v0.39.0 or later.
- Add a valid CA certificate path to .gemini/.env: NODE_EXTRA_CA_CERTS=C:\path\to\cert.pem.
- Ensure NODE_EXTRA_CA_CERTS is not set in your OS or Shell environment.
- Run any command that connects to a server using that CA (e.g., gemini mcp list).
- Observed: The connection fails with TypeError: fetch failed.
- Verification: Setting the variable directly in the shell (export NODE_EXTRA_CA_CERTS=...) fixes the issue, proving the .env loading is the point of failure.
Environment:
- OS: Windows (win32)
- Node.js: v24.10.0
- Gemini CLI Version: v0.39.0 and later
What did you expect to happen?
Expected Behavior:
The Parent Process should minimally parse the .env file for "critical startup variables" like NODE_EXTRA_CA_CERTS before spawning the child, or the child should manually re-initialize its global fetch dispatcher (e.g. undici.setGlobalDispatcher) if a CA is detected in .env.
Client information
CLI Version 0.39.1
Git Commit 4d73f34
Model Auto (Gemini 3)
Sandbox no sandbox
OS win32
Login information
Auth Method Signed in with Google (frederic_da_silva@---------------.com)
Tier Gemini Code Assist Enterprise
Anything else we need to know?
No response