Railway Certificate Issue on OpenAI Codex

mateicanavraPRO

4 days ago

Hey there!

Issue

I'm running into certificate issues while trying to run my railway project in OpenAI's Codex environment. Specifically:

+ railway whoami
Failed to fetch: error sending request for url (https://backboard.railway.com/graphql/v2)

Caused by:
    0: error sending request for url (https://backboard.railway.com/graphql/v2)
    1: client error (Connect)
    2: invalid peer certificate: UnknownIssuer

All of my commands are prefixed with railway run, and I don't have any authentication or connection issues. Looks like the only issue is with the UnknownIssuer.

Any clues as to where to investigate further? I played around with some manual CA cert setting, but that didn't lead anywhere.

---

Environment

Here's the universal image that Codex uses; seems like everything is standard:

https://github.com/openai/codex-universal

Diagnostic steps (used AI for this, not sure if this is helpful):

# 1. Does rustls look at a custom file?
echo "SSL_CERT_FILE=$SSL_CERT_FILE"

# 2. Does that file contain ISRG Root X1?
grep -A2 -B2 "ISRG Root X1" "${SSL_CERT_FILE:-/dev/null}" || echo "Not found"

# 3. Does curl succeed when told to use the system bundle?
SSL_CERT_FILE=/etc/ssl/certs/ca-certificates.crt \
curl -sSfI https://backboard.railway.com > /dev/null && echo "TLS OK"

Setup script

#!/usr/bin/env bash
set -euo pipefail

# 1. Does rustls look at a custom file?
echo "SSL_CERT_FILE=$SSL_CERT_FILE"

# 2. Does that file contain ISRG Root X1?
grep -A2 -B2 "ISRG Root X1" "${SSL_CERT_FILE:-/dev/null}" || echo "Not found"

# 3. Does curl succeed when told to use the system bundle?
SSL_CERT_FILE=/etc/ssl/certs/ca-certificates.crt \
curl -sSfI https://backboard.railway.com > /dev/null && echo "TLS OK"

# 4. Install Railway CLI
curl -fsSL cli.new | bash
export RAILWAY_API_TOKEN=*******************************
export RAILWAY_TOKEN=*******************************

# run whoami
railway whoami

Output

Configuring language runtimes...
+ rm -- /tmp/uLIdgc-setup_script.sh
+ set -euo pipefail
+ echo SSL_CERT_FILE=/usr/local/share/ca-certificates/envoy-mitmproxy-ca-cert.crt
SSL_CERT_FILE=/usr/local/share/ca-certificates/envoy-mitmproxy-ca-cert.crt
+ grep -A2 -B2 'ISRG Root X1' /usr/local/share/ca-certificates/envoy-mitmproxy-ca-cert.crt
+ echo 'Not found'
Not found
+ SSL_CERT_FILE=/etc/ssl/certs/ca-certificates.crt
+ curl -sSfI https://backboard.railway.com
+ echo 'TLS OK'
TLS OK
+ curl -fsSL cli.new
+ bash

>(B Installing railway, please wait…
                   .
         /^\     .
    /\   "V"
   /__\   I      O  o             
  //..\\  I     .                             Poof!
  \].`[/  I
  /l\/j\  (]    .  O
 /. ~~ ,\/I          .               Railway is now installed
 \\L__j^\/I       o               Run `railway help` for commands
  \/--v}  I     o   .
  |    |  I   _________                    
  |    |  I c(`       ')o            
  |    l  I   \.     ,/
_/j  L l\_!  _//^---^\\_ 

(B+ export RAILWAY_API_TOKEN=*******************************
+ RAILWAY_API_TOKEN=*******************************
+ export RAILWAY_TOKEN=*******************************
+ RAILWAY_TOKEN=*******************************
+ railway whoami
Failed to fetch: error sending request for url (https://backboard.railway.com/graphql/v2)

Caused by:
    0: error sending request for url (https://backboard.railway.com/graphql/v2)
    1: client error (Connect)
    2: invalid peer certificate: UnknownIssuer

$10 Bounty

0 Replies