fix(agents-login): install ca-certificates so codex sign-in works (real root cause)#747
Merged
Merged
Conversation
…; revert IPv6 churn ACTUAL root cause of "codex login ... error sending request": the agents-login image (bookworm-slim) ships NO ca-certificates, and the Codex CLI is a Rust binary that verifies TLS against the SYSTEM root store. With /etc/ssl/certs absent, EVERY codex HTTPS handshake fails — including device-auth to auth.openai.com. Node and Claude work because they bundle their own roots, which is why this looked like a codex-only "network" error. Proven live: pointing codex at a real CA bundle (SSL_CERT_FILE=node's roots) made `codex login --device-auth` reach the user-code step. It was never IPv6. - Install ca-certificates in the runtime image (provides /etc/ssl/certs/ca-certificates.crt that codex's system-roots TLS uses). - Revert the misguided IPv6 mitigations that targeted the wrong cause: the gai.conf (#742) and /etc/hosts init container (#745) were already gone; this removes the CoreDNS AAAA-stripping sidecar + dnsConfig (#746), restoring the worker pod's default DNS. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Actual root cause (proven live)
codex login --device-authfailed with "error sending request … auth.openai.com/.../deviceauth/usercode". The agents-login image (node:22-bookworm-slim) ships noca-certificates(/etc/ssl/certsdoesn't exist;dpkgshowsun). The Codex CLI is a Rust binary that verifies TLS against the system root store — with no roots, every codex HTTPS handshake fails. Node and Claude work because they bundle their own CA roots, which is why this masqueraded as a codex-only "network" problem.Proof: pointing codex at a real bundle (
SSL_CERT_FILE=node'stls.rootCertificates) madecodex login --device-authreach the device-code + one-time-code step. It was never IPv6.Fix
ca-certificatesin the runtime image →/etc/ssl/certs/ca-certificates.crtexists, codex's system-roots TLS works.dnsConfig(fix(agents-login): strip AAAA via CoreDNS sidecar so codex sign-in uses IPv4 #746), restoring the pod's default DNS. (gai.conf fix(agents-login): prefer IPv4 so codex login can reach auth.openai.com #742 and the /etc/hosts init container fix(agents-login): pin OpenAI auth host to IPv4 so codex sign-in works (musl + broken IPv6) #745 were already superseded.)Validation
Needs the new image + redeploy. I'll verify on the live pod that
/etc/ssl/certs/ca-certificates.crtexists andcodex login --device-authreaches the user-code step without any SSL_CERT_FILE override.🤖 Generated with Claude Code