[Bug] web_fetch fails silently on Linux/VPS when Node.js installed via nvm (TLS cert bundle missing ISRG/DigiCert roots)

[GodsBoy]

Environment

• OS: Linux (Ubuntu 24.04 LTS)
• Node.js: v22.22.0 (installed via nvm, NOT system package manager)
• OpenClaw: v2026.3.13

Bug
The web_fetch tool always returns { "status": "error", "error": "fetch failed" } on any modern HTTPS site. curl works fine on the same URLs.

Root Cause
Node.js installed via nvm uses a bundled CA certificate store that is missing modern root CAs (ISRG Root X1/X2 for Let's Encrypt, DigiCert Global Root G2, etc). Node's built-in fetch() (undici) uses this bundled store — not the system OpenSSL store — so TLS verification fails for the majority of real-world HTTPS sites.

This is a known nvm limitation: https://docs.nextstrain.org/en/latest/reference/ca-certificates.html

Workaround (confirmed working)

echo "NODE_EXTRA_CA_CERTS=/etc/ssl/certs/ca-certificates.crt" > ~/.openclaw/.env

Restart the gateway after applying. web_fetch immediately starts working.

Proposed Fix
During openclaw gateway install on Linux, detect if Node.js was installed via nvm and if so, automatically write NODE_EXTRA_CA_CERTS=/etc/ssl/certs/ca-certificates.crt to ~/.openclaw/.env (if not already set). This is the documented OpenClaw env var loading path per the docs at https://docs.openclaw.ai/help/environment.

Alternatively (or additionally), document this in the FAQ/environment docs with a note for VPS/nvm users.

References

• OpenClaw env loading docs: https://docs.openclaw.ai/help/environment
• Node.js nvm CA cert issue (well known): https://docs.nextstrain.org/en/latest/reference/ca-certificates.html
• NODE_EXTRA_CA_CERTS Node.js docs: https://nodejs.org/api/cli.html#node_extra_ca_certsfile

[Ryce]

Clean install-state drift: openclaw gateway install sets up a working system, but the Node.js installation method (nvm vs system package) silently changes TLS behavior. The install script assumes Node.js uses the system CA bundle — it doesn't verify this assumption. nvm's Node uses its own bundled certs that are missing modern roots (ISRG X1/X2, DigiCert Global G2).

Two sources of truth for 'is TLS working?':

1. Install script: assumes Node.js uses system certs → marks install as successful
2. Runtime: nvm Node uses bundled certs → most HTTPS sites fail with fetch failed

The proposed fix (detect nvm, write NODE_EXTRA_CA_CERTS) is correct. But the deeper issue: the install process doesn't verify its assumptions. A post-install health check that actually fetches a known HTTPS endpoint and compares expected vs actual TLS behavior would catch this class of drift immediately.

Same pattern across the ecosystem: config says one thing, runtime does another, failure is silent until user-facing tool breaks. Keepmyclaw's thesis: snapshot the resolved state (what certs are actually loaded, what Node.js binary is actually running) and compare against configured intent. Without that, nvm vs system-package drift is invisible.

[Hollychou924]

Analysis: web_fetch TLS failure on nvm-installed Node.js (VPS/Linux)

Root cause confirmed: nvm-installed Node.js bundles its own CA cert store (compiled at build time), which does not include ISRG Root X1/X2 (Let's Encrypt) or DigiCert Global Root G2 — the roots used by the majority of modern HTTPS sites. Node's built-in fetch() (undici) uses this bundled store, not the system OpenSSL store, so TLS verification fails silently.

Why curl works but web_fetch doesn't: curl uses libssl, which reads the system cert bundle (/etc/ssl/certs/ca-certificates.crt). Node/undici bypasses this entirely.

Workaround (confirmed working per reporter):

echo "NODE_EXTRA_CA_CERTS=/etc/ssl/certs/ca-certificates.crt" >> ~/.openclaw/.env
# Then restart gateway
openclaw gateway restart

Proposed platform fix:

Option A (detection at gateway start): On Linux startup, detect nvm by checking NVM_DIR env var or if node binary path contains .nvm. If detected, check if NODE_EXTRA_CA_CERTS is already set — if not, auto-inject /etc/ssl/certs/ca-certificates.crt (verify file exists first). Log a notice: [gateway] nvm Node.js detected — injecting system CA bundle for TLS compatibility.

Option B (docs-only): Add to the Linux/VPS setup guide and FAQ a dedicated section:

If you installed Node.js via nvm and web_fetch fails with TLS errors, add NODE_EXTRA_CA_CERTS=/etc/ssl/certs/ca-certificates.crt to ~/.openclaw/.env

Option A is better UX — the failure is completely opaque to users ("fetch failed" with no TLS detail) and affects the majority of VPS users who follow nvm-based Node.js installation guides.

Detection snippet for Option A:

// At gateway startup (Linux only)
if (process.platform === 'linux' && process.env.NVM_DIR && !process.env.NODE_EXTRA_CA_CERTS) {
  const sysCerts = '/etc/ssl/certs/ca-certificates.crt';
  if (fs.existsSync(sysCerts)) {
    process.env.NODE_EXTRA_CA_CERTS = sysCerts;
    log.info('[gateway] nvm Node.js detected — injecting system CA bundle');
  }
}```

[GodsBoy]

Thanks @Hollychou924 — excellent analysis, matches exactly what we found.

PR #49091 already implements Option A. It detects nvm via NVM_DIR env var or process.execPath containing /.nvm/, then auto-sets NODE_EXTRA_CA_CERTS=/etc/ssl/certs/ca-certificates.crt — both at gateway startup and written to ~/.openclaw/.env during openclaw gateway install so non-systemd installs are also covered.

Should address the majority of VPS users hitting this silently.

[GodsBoy]

Same root cause confirmed — nvm bundles its own OpenSSL CA store and bypasses the system certificate bundle entirely.

PR #49091 automates this: it detects nvm at gateway startup, resolves the system CA bundle path, and writes NODE_EXTRA_CA_CERTS to ~/.openclaw/.env so it persists across restarts. Also covers non-systemd installs where the env file is the only injection point.

Good call on documenting UNABLE_TO_VERIFY_LEAF_SIGNATURE as a diagnostic hint — that silent timeout variant is especially tricky to debug.

[steipete]

Maintainer triage: duplicate sweep did not find a true duplicate issue for this exact Linux + nvm + web_fetch TLS failure.

Related but not duplicates:

• Bug Report: Cascading deployment failures on Linux + NVM + PM2 environment #26252 broader Linux + nvm + PM2 deployment drift
• [Bug]: [Bug]: macOS LaunchAgent Telegram fails - Node.js TLS can't find CA certs #22856 macOS LaunchAgent TLS env propagation
• [Bug]: npm error code UNABLE_TO_VERIFT_LEAF_SIGNATURE #48117 Windows installer TLS verification failure
• [Bug]: Installer script does not respect nvm Node version (detects system Node instead) #49556 installer nvm detection on macOS

PR history:

• fix(install): auto-write NODE_EXTRA_CA_CERTS to .env on nvm Node.js installs (Linux) #49091 was the first PR for this, but it was closed dirty/conflicting
• fix(install): auto-write NODE_EXTRA_CA_CERTS to .env on nvm Node.js installs (Linux) #51146 is the clean successor and should be treated as the active PR for [Bug] web_fetch fails silently on Linux/VPS when Node.js installed via nvm (TLS cert bundle missing ISRG/DigiCert roots) #49088