5 months ago
Hey there!
Issue
I'm running into certificate issues while trying to run my railway project in OpenAI's Codex environment. Specifically:
+ railway whoami
Failed to fetch: error sending request for url (https://backboard.railway.com/graphql/v2)
Caused by:
0: error sending request for url (https://backboard.railway.com/graphql/v2)
1: client error (Connect)
2: invalid peer certificate: UnknownIssuer
All of my commands are prefixed with railway run, and I don't have any authentication or connection issues. Looks like the only issue is with the UnknownIssuer.
Any clues as to where to investigate further? I played around with some manual CA cert setting, but that didn't lead anywhere.
---
Environment
Here's the universal image that Codex uses; seems like everything is standard:
https://github.com/openai/codex-universal
Diagnostic steps (used AI for this, not sure if this is helpful):
# 1. Does rustls look at a custom file?
echo "SSL_CERT_FILE=$SSL_CERT_FILE"
# 2. Does that file contain ISRG Root X1?
grep -A2 -B2 "ISRG Root X1" "${SSL_CERT_FILE:-/dev/null}" || echo "Not found"
# 3. Does curl succeed when told to use the system bundle?
SSL_CERT_FILE=/etc/ssl/certs/ca-certificates.crt \
curl -sSfI https://backboard.railway.com > /dev/null && echo "TLS OK"
Setup script
#!/usr/bin/env bash
set -euo pipefail
# 1. Does rustls look at a custom file?
echo "SSL_CERT_FILE=${SSL_CERT_FILE:-}"  # :- keeps 'set -u' from aborting when the variable is unset
# 2. Does that file contain ISRG Root X1?
grep -A2 -B2 "ISRG Root X1" "${SSL_CERT_FILE:-/dev/null}" || echo "Not found"
# 3. Does curl succeed when told to use the system bundle?
SSL_CERT_FILE=/etc/ssl/certs/ca-certificates.crt \
curl -sSfI https://backboard.railway.com > /dev/null && echo "TLS OK"
# 4. Install Railway CLI
curl -fsSL cli.new | bash
export RAILWAY_API_TOKEN=*******************************
export RAILWAY_TOKEN=*******************************
# run whoami
railway whoami
Output
Configuring language runtimes...
+ rm -- /tmp/uLIdgc-setup_script.sh
+ set -euo pipefail
+ echo SSL_CERT_FILE=/usr/local/share/ca-certificates/envoy-mitmproxy-ca-cert.crt
SSL_CERT_FILE=/usr/local/share/ca-certificates/envoy-mitmproxy-ca-cert.crt
+ grep -A2 -B2 'ISRG Root X1' /usr/local/share/ca-certificates/envoy-mitmproxy-ca-cert.crt
+ echo 'Not found'
Not found
+ SSL_CERT_FILE=/etc/ssl/certs/ca-certificates.crt
+ curl -sSfI https://backboard.railway.com
+ echo 'TLS OK'
TLS OK
+ curl -fsSL cli.new
+ bash
Installing railway, please wait…
.
/^\ .
/\ "V"
/__\ I O o
//..\\ I . Poof!
\].`[/ I
/l\/j\ (] . O
/. ~~ ,\/I . Railway is now installed
\\L__j^\/I o Run `railway help` for commands
\/--v} I o .
| | I _________
| | I c(` ')o
| l I \. ,/
_/j L l\_! _//^---^\\_
+ export RAILWAY_API_TOKEN=*******************************
+ RAILWAY_API_TOKEN=*******************************
+ export RAILWAY_TOKEN=*******************************
+ RAILWAY_TOKEN=*******************************
+ railway whoami
Failed to fetch: error sending request for url (https://backboard.railway.com/graphql/v2)
Caused by:
0: error sending request for url (https://backboard.railway.com/graphql/v2)
1: client error (Connect)
2: invalid peer certificate: UnknownIssuer
2 Replies
5 months ago
Hey there!
The most probable cause is that the Railway CLI can't communicate with the API through the Codex network proxy that is used for internet access during the setup phase: https://platform.openai.com/docs/codex#internet-access-and-network-proxy
Curl is capable of picking up the environment variables configured by OpenAI (as stated in the documentation) but not the Railway CLI.
The fix would be to add some way of passing down the proxy config to reqwest (the HTTP client used in the Railway CLI): https://docs.rs/reqwest/latest/reqwest/struct.Proxy.html
This could be a feature request to send to the CLI team.
Hope this will help!
5 months ago
Wow, I didn't think this would get an answer. Great detective work, that sounds like the best path to me... I'll put in a feature request!
Status changed to Solved chandrika • 5 months ago
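A sturdier form of the checks in the original post, as an added example that is not part of the thread or of the Railway CLI: it reports which proxy and CA variables are set and how many certificates each CA file holds, because grepping a PEM file for a CA name can print "Not found" when the certificate is stored only as base64. The function names and the list of per-client CA variables are assumptions; the system bundle path is the one used in the post.

```shell
#!/bin/sh
# Added example: inspect the proxy and CA settings a TLS client would inherit.

# Count certificates in a PEM file; prints 0 for a missing or empty file.
pem_cert_count() {
    if [ -r "$1" ]; then
        grep -c -e '-----BEGIN CERTIFICATE-----' "$1" || true
    else
        echo 0
    fi
}

# Classify a CA file: missing, no-certs, single-ca (e.g. only a proxy CA), bundle.
classify_ca_file() {
    count=$(pem_cert_count "$1")
    if [ ! -r "$1" ]; then echo missing
    elif [ "$count" -eq 0 ]; then echo no-certs
    elif [ "$count" -eq 1 ]; then echo single-ca
    else echo bundle
    fi
}

# Decode every subject in a PEM file with openssl instead of grepping raw text.
pem_subjects() {
    command -v openssl >/dev/null 2>&1 || { echo "openssl not found" >&2; return 1; }
    openssl crl2pkcs7 -nocrl -certfile "$1" | openssl pkcs7 -print_certs -noout | grep '^subject'
}

trust_report() {
    # Proxy URLs can embed credentials, so report only set/unset.
    for name in HTTPS_PROXY https_proxy HTTP_PROXY http_proxy NO_PROXY no_proxy; do
        eval "value=\${$name:-}"
        if [ -n "$value" ]; then echo "$name=set"; else echo "$name=unset"; fi
    done
    # Assumed list of common per-client CA overrides.
    for name in SSL_CERT_FILE CURL_CA_BUNDLE REQUESTS_CA_BUNDLE NODE_EXTRA_CA_CERTS; do
        eval "value=\${$name:-}"
        if [ -n "$value" ]; then
            echo "$name=$value ($(classify_ca_file "$value"), $(pem_cert_count "$value") certs)"
        else
            echo "$name=unset"
        fi
    done
    system=/etc/ssl/certs/ca-certificates.crt   # system bundle path from the post
    echo "system=$system ($(classify_ca_file "$system"), $(pem_cert_count "$system") certs)"
}

trust_report
```

A `single-ca` result for `SSL_CERT_FILE` means a client that trusts only that file accepts only chains ending in that one CA; `pem_subjects "$SSL_CERT_FILE"` prints its decoded name.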