Skip to content

Fix NODE_EXTRA_CA_CERTS missing from LaunchAgent environment on macOS#22929

Closed
Clawborn wants to merge 1 commit intoopenclaw:mainfrom
Clawborn:fix/launchagent-node-extra-ca-certs
Closed

Fix NODE_EXTRA_CA_CERTS missing from LaunchAgent environment on macOS#22929
Clawborn wants to merge 1 commit intoopenclaw:mainfrom
Clawborn:fix/launchagent-node-extra-ca-certs

Conversation

@Clawborn
Copy link
Copy Markdown
Contributor

@Clawborn Clawborn commented Feb 21, 2026
edited by greptile-apps bot
Loading

Problem

When OpenClaw runs as a macOS LaunchAgent (installed via openclaw gateway install), Node's undici/fetch cannot locate the system CA bundle because launchd does not inherit the shell environment. This causes TLS verification failures for all HTTPS connections (Telegram, webhooks, etc.), while the same gateway works fine in a foreground terminal session.

Root cause: buildServiceEnvironment and buildNodeServiceEnvironment in service-env.ts did not include NODE_EXTRA_CA_CERTS in the generated plist environment.

Fixes #22856.

Fix

Set NODE_EXTRA_CA_CERTS to /etc/ssl/cert.pem (the macOS system CA bundle) by default when building the service environment on macOS. A user-supplied NODE_EXTRA_CA_CERTS in the host environment always takes precedence.

The same default is applied to both buildServiceEnvironment (gateway) and buildNodeServiceEnvironment (node service) since both run under launchd on macOS.

Changes

  • src/daemon/service-env.ts: add NODE_EXTRA_CA_CERTS to the service environment on macOS, falling back to /etc/ssl/cert.pem when not set by the user
  • src/daemon/service-env.test.ts: add 4 tests covering the default and user-override cases for both environment builders

Greptile Summary

Fixes TLS verification failures for HTTPS connections when OpenClaw runs as a macOS LaunchAgent by setting NODE_EXTRA_CA_CERTS to the macOS system CA bundle path (/etc/ssl/cert.pem). The issue occurs because launchd services don't inherit the shell environment, preventing Node's undici/fetch from locating system certificates.

  • Adds NODE_EXTRA_CA_CERTS environment variable to both buildServiceEnvironment and buildNodeServiceEnvironment functions
  • Defaults to /etc/ssl/cert.pem on macOS (Darwin platform only)
  • Respects user-provided NODE_EXTRA_CA_CERTS values as overrides
  • Includes comprehensive test coverage for both default behavior and user override scenarios

Confidence Score: 5/5

  • This PR is safe to merge with minimal risk
  • The implementation is clean, well-tested, and narrowly scoped. It adds a single environment variable that only affects macOS LaunchAgent environments, uses the correct system CA bundle path, properly respects user overrides, and includes comprehensive test coverage for all scenarios. The fix directly addresses a documented issue without introducing any breaking changes or side effects.
  • No files require special attention

Last reviewed commit: 35c5a8e

Fix NODE_EXTRA_CA_CERTS missing from LaunchAgent environment on macOS
35c5a8e 
launchd services do not inherit the shell environment, so Node's undici/fetch
cannot locate the macOS system CA bundle (/etc/ssl/cert.pem). This causes TLS
verification failures for all HTTPS requests (e.g. Telegram, webhooks) when the
gateway runs as a LaunchAgent, while the same gateway works fine in a terminal.

Add NODE_EXTRA_CA_CERTS defaulting to /etc/ssl/cert.pem on macOS in both
buildServiceEnvironment and buildNodeServiceEnvironment. User-supplied
NODE_EXTRA_CA_CERTS is always respected and takes precedence.

Fixes openclaw#22856

Co-authored-by: Clawborn <[email protected]>
@Lukavyi Lukavyi mentioned this pull request Feb 26, 2026
Closed
@Lukavyi
Copy link
Copy Markdown
Contributor

Lukavyi commented Feb 26, 2026

@steipete This fix is needed — the missing NODE_EXTRA_CA_CERTS in the LaunchAgent plist has broken my daemon startup multiple times during upgrades. Each time I update OpenClaw, the plist gets regenerated without it, Slack crashes the gateway with TLS errors, and I have to manually patch the plist to get the daemon running again.

The PR is approved and the approach is solid (default to /etc/ssl/cert.pem on macOS, respect user override). Just has merge conflicts that need resolving. Would be great to get this landed.

@Lukavyi Lukavyi mentioned this pull request Feb 26, 2026
Merged
@Lukavyi
Copy link
Copy Markdown
Contributor

Lukavyi commented Feb 26, 2026

Rebased this with conflicts resolved and opened #27915. The only conflicts were with the proxy env passthrough from #27276 — both proxy vars and NODE_EXTRA_CA_CERTS now coexist. Build passes.

@steipete either PR works — whichever is easier to land.

@obviyus
Copy link
Copy Markdown
Contributor

obviyus commented Feb 27, 2026

Thanks for the PR. Superseded by #27915.

@obviyus obviyus closed this Feb 27, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

gateway Gateway runtime size: S

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

[Bug]: [Bug]: macOS LaunchAgent Telegram fails - Node.js TLS can't find CA certs

3 participants

@Clawborn @Lukavyi @obviyus