fix(hook): trust the OS certificate store for TLS verification#18
Open
Baune8D wants to merge 1 commit into
Open
fix(hook): trust the OS certificate store for TLS verification#18Baune8D wants to merge 1 commit into
Baune8D wants to merge 1 commit into
Conversation
Python only trusts the bundled certifi CAs, so exporting to a self-hosted Langfuse behind a locally trusted CA (mkcert, corporate proxy) fails with CERTIFICATE_VERIFY_FAILED — silently, since the OTLP exporter runs in a background thread while the hook still logs "Processed N turns". Inject truststore (the same library pip and uv use for this) before any SSL context is created, so verification delegates to the OS trust store. Fails open when truststore is unavailable, preserving current behavior. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Problem
Exporting traces to a self-hosted Langfuse behind a locally trusted CA (mkcert, internal/corporate CA) fails silently. Python trusts only the bundled certifi CAs — not the OS trust store where tools like
mkcert -installregister their root — so every OTLP export dies withCERTIFICATE_VERIFY_FAILEDin the exporter's background thread. The hook still logsProcessed N turns, so nothing hints at the failure; traces just never appear.Environment-variable workarounds don't reach the hook either: Claude Code does not pass
OTEL_*variables fromsettings.jsonenvto subprocesses (documented here), andREQUESTS_CA_BUNDLErequires every user to maintain a combined CA bundle by hand.Fix
Inject truststore — the library pip and uv use for exactly this — at script start, before any SSL context is created. TLS verification then delegates to the OS trust store (Keychain on macOS, CA store on Windows, OpenSSL dirs on Linux), so locally trusted CAs work with zero configuration.
python3fallback without the PEP 723 deps), the hook behaves exactly as today.truststore>=0.9supports Python 3.10+, matching the script'srequires-python.Testing
Against a self-hosted instance at
https://langfuse.localhost.devwith an mkcert certificate (macOS):requests.get(...)→SSLError(CERTIFICATE_VERIFY_FAILED)truststore.inject_into_ssl():200, and the OTLP exporter reaches the server