fix(install): retry npm install with --strict-ssl=false on TLS verification failure (Windows) (#48117) #48416

Open
brokemac79 wants to merge 3 commits into openclaw:main from brokemac79:fix/issue-48117

@brokemac79
Contributor

Summary

Fixes #48117 — Windows install script fails with UNABLE_TO_VERIFY_LEAF_SIGNATURE when running iwr -useb https://openclaw.ai/install.ps1 | iex.

Root Cause

On Windows, npm's default strict SSL verification rejects certificates from intercepting corporate proxies or systems with incomplete/outdated root CA bundles. This throws errors like:

  • UNABLE_TO_VERIFY_LEAF_SIGNATURE
  • CERT_UNTRUSTED
  • SELF_SIGNED_CERT
  • unable to verify the first certificate

This is especially common in enterprise Windows environments.

What the Fix Does

  • Default behavior unchanged — SSL verification remains strict on first attempt
  • If the first npm install fails with a TLS-related error, the script detects the specific error pattern and retries automatically with --strict-ssl=false
  • Displays a clear warning to the user explaining:
    • What went wrong (TLS cert issue)
    • That --strict-ssl=false is being used for this install only
    • How to permanently fix the underlying CA issue (npm config set cafile)
  • If the retry also fails, reports the error and exits

This approach avoids silently disabling SSL globally while still allowing installation on affected Windows machines, with full transparency.

Changes

  • scripts/install.ps1: Modified Install-OpenClawNpm to capture exit code and output from the first npm install attempt, detect TLS error patterns, and retry with --strict-ssl=false if detected.

Testing

Logic verified by code inspection. This is a Windows-only PowerShell path; no automated tests exist for the installer. The TLS detection regex covers the known error strings reported in #48117 and related issues.

AI Disclosure

Fix implemented with Claude claude-sonnet-4-6. Approach reviewed and understood; matches the pattern requested in issue #48117.

…cation failure (Windows) (openclaw#48117)

On Windows, npm install can fail with UNABLE_TO_VERIFY_LEAF_SIGNATURE
or similar TLS errors when corporate proxies or outdated root CAs
intercept HTTPS traffic.

Root cause: npm's default strict SSL verification rejects certificates
from intercepting proxies or systems with incomplete CA bundles, which
is especially common on Windows enterprise environments.

Fix: Keep strict SSL as the default (safe behavior). If the first npm
install attempt fails with a TLS-related error message, automatically
retry with --strict-ssl=false and display a clear warning explaining:
- What went wrong
- That SSL verification is disabled for this install only
- How to permanently fix the underlying CA issue

This avoids disabling SSL globally while still allowing installation
on affected Windows machines, with full transparency to the user.

Testing: Logic verified by code inspection. No automated tests for
PowerShell installer (Windows-only path).

## AI disclosure
Fix implemented with Claude claude-sonnet-4-6. Logic reviewed and understood
by the agent; approach matches the pattern described in issue openclaw#48117.

@brokemac79
Contributor Author

@codex review

@openclaw-barnacle openclaw-barnacle bot added scripts Repository scripts size: XS labels Mar 16, 2026
@greptile-apps
Contributor

greptile-apps bot commented Mar 16, 2026

Greptile Summary

This PR adds a TLS-error fallback to the Windows npm installer: if the first npm install fails with a known TLS certificate error (e.g., UNABLE_TO_VERIFY_LEAF_SIGNATURE), it retries with --strict-ssl=false. The implementation correctly switches from the original try/catch (which would not have caught native command failures) to $LASTEXITCODE checking.

Key points:

  • The core logic and TLS pattern matching are correct and cover the known error strings from issue [Bug]: npm error code UNABLE_TO_VERIFT_LEAF_SIGNATURE #48117.
  • Security concern: The --strict-ssl=false retry is automatic — no user confirmation is required. Since a TLS failure is also what an active MITM attack looks like, this path could be triggered by an attacker to cause the installer to download a malicious package over an unverified connection. A Read-Host confirmation prompt before the retry would make the fallback opt-in rather than automatic.
  • Minor UX issue: npm error output is joined with spaces (-join ' ') making error messages hard to read; using newlines would preserve npm's formatted output.

Confidence Score: 3/5

  • Functional fix for the reported issue, but the automatic SSL bypass without user confirmation introduces a security tradeoff that should be addressed before merging.
  • The TLS detection logic and exit-code handling are correct. However, automatically retrying with --strict-ssl=false without prompting the user means a MITM-triggered certificate failure would silently cause the installer to proceed over an unverified connection. This is a meaningful security risk for an installer script, which is a high-trust operation.
  • scripts/install.ps1 — specifically the automatic retry logic at lines 224–247
Prompt To Fix All With AI
This is a comment left during a code review.
Path: scripts/install.ps1
Line: 224-247

Comment:
**Automatic SSL bypass without user confirmation**

When TLS verification fails, this code automatically retries with `--strict-ssl=false` without asking the user. A TLS verification failure is also exactly what would happen during an active MITM attack — meaning an attacker who intercepts the connection could deliberately trigger this code path, causing the installer to silently download and run a malicious package with SSL disabled.

The warning messages are printed, but the retry happens unconditionally. A user confirmation prompt before the retry would significantly reduce this risk:

```powershell
if ($tlsError) {
    Write-Host "" -Level info
    Write-Host "TLS certificate verification failed during npm install." -Level warn
    Write-Host "This is common on Windows when a corporate proxy or outdated root CA" -Level warn
    Write-Host "intercepts HTTPS traffic." -Level warn
    Write-Host "" -Level info
    Write-Host "NOTE: --strict-ssl=false disables SSL certificate verification and can" -Level warn
    Write-Host "expose you to MITM attacks. Only proceed if you trust your network." -Level warn
    Write-Host "" -Level info

    $response = Read-Host "Retry with --strict-ssl=false? [y/N]"
    if ($response -notmatch '^[Yy]$') {
        Write-Host "Aborted. To fix, update your root CA certificates or set:" -Level info
        Write-Host "  npm config set cafile <path-to-your-ca-bundle.pem>" -Level info
        return $false
    }

    $retryOutput = npm install -g $installSpec --no-fund --no-audit --strict-ssl=false 2>&1
    ...
```

Without a confirmation gate, the TLS-bypass path is effectively a denial-of-security rather than a recovery mechanism.

How can I resolve this? If you propose a fix, please make it concise.

---

This is a comment left during a code review.
Path: scripts/install.ps1
Line: 246-250

Comment:
**Error output joined with spaces, hard to read**

Both error paths join multi-line npm output with a single space, which collapses stack traces and error messages into a single unreadable line. Joining with newlines preserves the original formatting and makes errors much easier to diagnose.

```suggestion
        Write-Host "npm install failed even with --strict-ssl=false:`n$($retryOutput -join "`n")" -Level error
        return $false
    }

    Write-Host "npm install failed:`n$($output -join "`n")" -Level error
```

How can I resolve this? If you propose a fix, please make it concise.

Last reviewed commit: ae9b363

@chatgpt-codex-connector chatgpt-codex-connector bot left a comment

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: ae9b363ba7

ℹ️ About Codex in GitHub

Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".

…r output formatting

- Add interactive Read-Host prompt before retrying npm install with
  --strict-ssl=false to prevent automatic silent SSL bypass (security risk)
- Fix error output joining from -join ' ' to -join "`n" so multi-line
  npm error messages are rendered readably
- Update warning message to remove 'Retrying...' text that implied automatic retry

@brokemac79
Contributor Author

@codex review

@chatgpt-codex-connector chatgpt-codex-connector bot left a comment

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 27224b6d61

…non-interactive mode

CODEX P2 openclaw#1: Wrap npm install calls in try/catch so CommandNotFoundException
(npm missing from PATH on a partial Node install) returns false cleanly
instead of throwing a terminating error and aborting the script.

CODEX P2 openclaw#2: Gate the TLS-fallback Read-Host prompt behind an interactivity
check ([Environment]::UserInteractive + Console.IsInputRedirected). In CI or
-NonInteractive contexts the prompt is skipped and the function returns false
with actionable guidance, preventing a hang or terminating error in exactly
the enterprise-proxy environments this fix targets.
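
The gated fallback that the review comment and the commit messages above describe, written out end to end as an added PowerShell example. It is not the code from this PR or from `scripts/install.ps1`; the function names are hypothetical, and the error pattern is built from the four strings listed in the PR description.

```powershell
# Added example; function names are hypothetical, not from scripts/install.ps1.
$TlsErrorPattern = 'UNABLE_TO_VERIFY_LEAF_SIGNATURE|CERT_UNTRUSTED|SELF_SIGNED_CERT|unable to verify the first certificate'

function Test-NpmTlsError([string[]]$Output) {
    # Match any of the four error strings listed in the PR description.
    return (($Output -join "`n") -match $TlsErrorPattern)
}

function Test-CanPrompt {
    # Only prompt when a person is attached: not a service/CI session, stdin not piped.
    return ([Environment]::UserInteractive -and -not [Console]::IsInputRedirected)
}

function Invoke-NpmInstallGated([string]$InstallSpec) {
    $hint = 'Fix the trust store instead: npm config set cafile <path-to-your-ca-bundle.pem>'
    try {
        # First attempt always runs with npm's default strict certificate checks.
        $output = & npm install -g $InstallSpec --no-fund --no-audit 2>&1
    } catch [System.Management.Automation.CommandNotFoundException] {
        Write-Warning 'npm was not found on PATH.'
        return $false
    }
    if ($LASTEXITCODE -eq 0) { return $true }
    if (-not (Test-NpmTlsError $output)) {
        Write-Warning ("npm install failed:`n" + ($output -join "`n"))
        return $false
    }
    # A certificate failure is also what interception looks like, so never retry silently.
    if (-not (Test-CanPrompt)) {
        Write-Warning "TLS verification failed and no interactive console is available; not retrying. $hint"
        return $false
    }
    Write-Warning 'TLS certificate verification failed. --strict-ssl=false disables certificate checks.'
    try { $answer = Read-Host 'Retry with --strict-ssl=false? [y/N]' }
    catch { $answer = '' }  # powershell -NonInteractive makes Read-Host throw: treat as "no"
    if ($answer -notmatch '^[Yy]$') {
        Write-Warning "Aborted. $hint"
        return $false
    }
    $retry = & npm install -g $InstallSpec --no-fund --no-audit --strict-ssl=false 2>&1
    if ($LASTEXITCODE -ne 0) {
        Write-Warning ("npm install failed even with --strict-ssl=false:`n" + ($retry -join "`n"))
        return $false
    }
    return $true
}
```

Every path that cannot obtain an explicit `y` from a person returns `$false` with verification still enabled, so unattended runs fail closed.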

@brokemac79
Contributor Author

@codex review

@chatgpt-codex-connector

Codex Review: Didn't find any major issues. 🚀
