Honor startup custom CA bundles with managed MITM#29014
Merged
Conversation
This was referenced Jun 19, 2026
Contributor
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: f5294d02bb
ℹ️ About Codex in GitHub
Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".
winston-openai
added a commit
that referenced
this pull request
Jun 19, 2026
winston-openai
added a commit
that referenced
this pull request
Jun 19, 2026
viyatb-oai
reviewed
Jun 19, 2026
viyatb-oai
left a comment
Collaborator
There was a problem hiding this comment.
One question about completing the custom-CA path.
7d6e893 to
0b16e22
Compare
viyatb-oai
approved these changes
Jun 22, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Why
When Codex starts with a custom CA override such as
SSL_CERT_FILE=/path/to/corp-ca.pem codex,rustls-native-certstreats that override as a replacement for the platform trust store. The managed proxy then rewrites child CA variables to its generated bundle, so the custom root or the ordinary platform roots can be lost. The proxy's upstream TLS connector must trust the same roots or private and corporate upstream certificates still fail after interception.What
SSL_CERT_DIRTRUSTED CERTIFICATEblocks while dropping trailing trust metadataThis is intentionally limited to CA paths present when Codex starts. It does not parse inline shell assignments or add per-command bundle materialization.
This changes only
codex-network-proxyand dependency metadata; it does not touchcodex-coreor sandbox orchestration.Validation
just test -p codex-network-proxyjust fix -p codex-network-proxyjust bazel-lock-check