Environment

• OS: Linux (Ubuntu 24.04 LTS)
• Node.js: v22.22.0 (installed via nvm, NOT system package manager)
• OpenClaw: v2026.3.13

Bug
The web_fetch tool always returns { "status": "error", "error": "fetch failed" } on any modern HTTPS site. curl works fine on the same URLs.

Root Cause
Node.js installed via nvm uses a bundled CA certificate store that is missing modern root CAs (ISRG Root X1/X2 for Let's Encrypt, DigiCert Global Root G2, etc). Node's built-in fetch() (undici) uses this bundled store — not the system OpenSSL store — so TLS verification fails for the majority of real-world HTTPS sites.

This is a known nvm limitation: https://docs.nextstrain.org/en/latest/reference/ca-certificates.html

Workaround (confirmed working)

echo "NODE_EXTRA_CA_CERTS=/etc/ssl/certs/ca-certificates.crt" > ~/.openclaw/.env

Restart the gateway after applying. web_fetch immediately starts working.

Proposed Fix
During openclaw gateway install on Linux, detect if Node.js was installed via nvm and if so, automatically write NODE_EXTRA_CA_CERTS=/etc/ssl/certs/ca-certificates.crt to ~/.openclaw/.env (if not already set). This is the documented OpenClaw env var loading path per the docs at https://docs.openclaw.ai/help/environment.

Alternatively (or additionally), document this in the FAQ/environment docs with a note for VPS/nvm users.

References

• OpenClaw env loading docs: https://docs.openclaw.ai/help/environment
• Node.js nvm CA cert issue (well known): https://docs.nextstrain.org/en/latest/reference/ca-certificates.html
• NODE_EXTRA_CA_CERTS Node.js docs: https://nodejs.org/api/cli.html#node_extra_ca_certsfile