Skip to content

fix(hook): trust the OS certificate store for TLS verification#18

Open
Baune8D wants to merge 1 commit into
langfuse:mainfrom
Baune8D:use-os-trust-store
Open

fix(hook): trust the OS certificate store for TLS verification#18
Baune8D wants to merge 1 commit into
langfuse:mainfrom
Baune8D:use-os-trust-store

Conversation

@Baune8D

@Baune8D Baune8D commented Jul 7, 2026

Copy link
Copy Markdown

Problem

Exporting traces to a self-hosted Langfuse behind a locally trusted CA (mkcert, internal/corporate CA) fails silently. Python trusts only the bundled certifi CAs — not the OS trust store where tools like mkcert -install register their root — so every OTLP export dies with CERTIFICATE_VERIFY_FAILED in the exporter's background thread. The hook still logs Processed N turns, so nothing hints at the failure; traces just never appear.

Environment-variable workarounds don't reach the hook either: Claude Code does not pass OTEL_* variables from settings.json env to subprocesses (documented here), and REQUESTS_CA_BUNDLE requires every user to maintain a combined CA bundle by hand.

Fix

Inject truststore — the library pip and uv use for exactly this — at script start, before any SSL context is created. TLS verification then delegates to the OS trust store (Keychain on macOS, CA store on Windows, OpenSSL dirs on Linux), so locally trusted CAs work with zero configuration.

  • Fail-open: if truststore is missing (e.g. the plain python3 fallback without the PEP 723 deps), the hook behaves exactly as today.
  • No behavior change for Langfuse Cloud users — public CAs are in every OS store.
  • truststore>=0.9 supports Python 3.10+, matching the script's requires-python.

Testing

Against a self-hosted instance at https://langfuse.localhost.dev with an mkcert certificate (macOS):

  • Fresh venv without truststore: requests.get(...)SSLError(CERTIFICATE_VERIFY_FAILED)
  • Same venv after truststore.inject_into_ssl(): 200, and the OTLP exporter reaches the server
  • Interpreter without truststore installed: import fails open, hook runs unchanged

Python only trusts the bundled certifi CAs, so exporting to a
self-hosted Langfuse behind a locally trusted CA (mkcert, corporate
proxy) fails with CERTIFICATE_VERIFY_FAILED — silently, since the OTLP
exporter runs in a background thread while the hook still logs
"Processed N turns".

Inject truststore (the same library pip and uv use for this) before any
SSL context is created, so verification delegates to the OS trust
store. Fails open when truststore is unavailable, preserving current
behavior.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
@CLAassistant

CLAassistant commented Jul 7, 2026

Copy link
Copy Markdown

CLA assistant check
All committers have signed the CLA.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants