Skip to content

fix(agents-login): install ca-certificates so codex sign-in works (real root cause)#747

Merged
ExtraToast merged 1 commit into
mainfrom
fix/agents-login-ca-certificates
Jun 27, 2026
Merged

fix(agents-login): install ca-certificates so codex sign-in works (real root cause)#747
ExtraToast merged 1 commit into
mainfrom
fix/agents-login-ca-certificates

Conversation

@ExtraToast

Copy link
Copy Markdown
Owner

Actual root cause (proven live)

codex login --device-auth failed with "error sending request … auth.openai.com/.../deviceauth/usercode". The agents-login image (node:22-bookworm-slim) ships no ca-certificates (/etc/ssl/certs doesn't exist; dpkg shows un). The Codex CLI is a Rust binary that verifies TLS against the system root store — with no roots, every codex HTTPS handshake fails. Node and Claude work because they bundle their own CA roots, which is why this masqueraded as a codex-only "network" problem.

Proof: pointing codex at a real bundle (SSL_CERT_FILE= node's tls.rootCertificates) made codex login --device-auth reach the device-code + one-time-code step. It was never IPv6.

Fix

Validation

Needs the new image + redeploy. I'll verify on the live pod that /etc/ssl/certs/ca-certificates.crt exists and codex login --device-auth reaches the user-code step without any SSL_CERT_FILE override.

🤖 Generated with Claude Code

…; revert IPv6 churn

ACTUAL root cause of "codex login ... error sending request": the agents-login
image (bookworm-slim) ships NO ca-certificates, and the Codex CLI is a Rust
binary that verifies TLS against the SYSTEM root store. With /etc/ssl/certs
absent, EVERY codex HTTPS handshake fails — including device-auth to
auth.openai.com. Node and Claude work because they bundle their own roots, which
is why this looked like a codex-only "network" error.

Proven live: pointing codex at a real CA bundle (SSL_CERT_FILE=node's roots) made
`codex login --device-auth` reach the user-code step. It was never IPv6.

- Install ca-certificates in the runtime image (provides
  /etc/ssl/certs/ca-certificates.crt that codex's system-roots TLS uses).
- Revert the misguided IPv6 mitigations that targeted the wrong cause: the
  gai.conf (#742) and /etc/hosts init container (#745) were already gone; this
  removes the CoreDNS AAAA-stripping sidecar + dnsConfig (#746), restoring the
  worker pod's default DNS.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@ExtraToast ExtraToast merged commit af586e8 into main Jun 27, 2026
22 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant