Fix Claude Code TLS/SSL Errors Behind Proxy
The Error
When installing or running Claude Code behind a corporate proxy, you see one of these errors:
curl: (35) TLS connect error
unable to get local issuer certificate
schannel: next InitializeSecurityContext failed
Could not establish trust relationship for the SSL/TLS secure channel
Quick Fix
Set the NODE_EXTRA_CA_CERTS environment variable to point to your corporate CA certificate bundle:
export NODE_EXTRA_CA_CERTS=/path/to/corporate-ca.pem
claude
If you do not have the certificate file, ask your IT team for the corporate CA bundle, or check your browser’s certificate settings.
What’s Happening
Corporate proxies that perform TLS inspection replace the upstream server’s certificate with their own, signed by a corporate certificate authority. Your operating system and browser trust this CA because IT installed it in the system certificate store. However, Node.js (which Claude Code uses internally) maintains its own certificate store and does not automatically trust system-level certificates.
When Claude Code makes HTTPS requests to Anthropic’s API or to storage.googleapis.com during installation, the corporate proxy’s certificate appears untrusted because Node.js cannot verify the corporate CA that signed it. This breaks the TLS handshake.
The NODE_EXTRA_CA_CERTS environment variable tells Node.js to trust additional certificate authorities beyond its built-in bundle.
Step-by-Step Fix
Step 1: Identify the proxy certificate
Determine if you are behind a TLS-inspecting proxy. Check your proxy environment variables:
echo $HTTP_PROXY
echo $HTTPS_PROXY
If these are set, you are using a proxy. Combined with a certificate-trust error like the ones above, that indicates the proxy is performing TLS inspection.
Step 2: Get the corporate CA certificate
Ask your IT team for the corporate root CA certificate in PEM format. Common locations where it may already exist:
# macOS - export every certificate in the System keychain (keep only the corporate CA)
security find-certificate -a -p /Library/Keychains/System.keychain > /tmp/corp-ca.pem
# Linux - common locations
ls /etc/ssl/certs/
ls /usr/local/share/ca-certificates/
Step 3: Set NODE_EXTRA_CA_CERTS
Point the variable to your corporate CA certificate file:
export NODE_EXTRA_CA_CERTS=/path/to/corporate-ca.pem
Add this to your shell configuration for persistence:
# macOS
echo 'export NODE_EXTRA_CA_CERTS=/path/to/corporate-ca.pem' >> ~/.zshrc
# Linux
echo 'export NODE_EXTRA_CA_CERTS=/path/to/corporate-ca.pem' >> ~/.bashrc
Step 4: Set proxy environment variables
If not already set, configure proxy variables so Claude Code can route traffic through the proxy:
export HTTP_PROXY=http://proxy.example.com:8080
export HTTPS_PROXY=http://proxy.example.com:8080
Step 5: Configure proxy in Claude Code settings
For persistence across all sessions, add the environment variables to your Claude Code settings:
{
"env": {
"NODE_EXTRA_CA_CERTS": "/path/to/corporate-ca.pem",
"HTTP_PROXY": "http://proxy.example.com:8080",
"HTTPS_PROXY": "http://proxy.example.com:8080"
}
}
Save this to ~/.claude/settings.json so it applies to every project.
Step 6: Fix installation-time TLS errors
If the error occurs during installation rather than runtime, set the variables before running the installer:
export NODE_EXTRA_CA_CERTS=/path/to/corporate-ca.pem
export HTTPS_PROXY=http://proxy.example.com:8080
curl -fsSL https://claude.ai/install.sh | bash
Alternatively, install via Homebrew or WinGet, which use system certificate stores:
brew install --cask claude-code
Step 7: Windows-specific TLS fixes
On Windows, enable TLS 1.2 in PowerShell before installing:
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
irm https://claude.ai/install.ps1 | iex
If you see CRYPT_E_NO_REVOCATION_CHECK or CRYPT_E_REVOCATION_OFFLINE, your network blocks certificate revocation lookups. Use:
curl --ssl-revoke-best-effort -fsSL https://claude.ai/install.cmd -o install.cmd && install.cmd && del install.cmd
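The check below is an added example, not part of the original article or of Claude Code. It preflights the bundle from Steps 2 and 3 before NODE_EXTRA_CA_CERTS points at it, because Node.js only emits a warning when the file is missing or malformed and every certificate in the file becomes a trust anchor. The helper name check_ca_bundle and the sample bundle are constructed for illustration.

```shell
#!/bin/sh
# Added example: preflight a PEM bundle before exporting NODE_EXTRA_CA_CERTS.
# check_ca_bundle is a hypothetical helper, not part of Claude Code or Node.js.
check_ca_bundle() {
    bundle=$1
    rc=0
    # Node.js only warns about a missing or unreadable file; the TLS error stays.
    if [ ! -f "$bundle" ] || [ ! -r "$bundle" ]; then
        echo "FAIL: $bundle is not a readable file"
        return 2
    fi
    begins=$(grep -c 'BEGIN CERTIFICATE-----' "$bundle" || true)
    ends=$(grep -c 'END CERTIFICATE-----' "$bundle" || true)
    if [ "$begins" -eq 0 ] || [ "$begins" -ne "$ends" ]; then
        echo "FAIL: no complete PEM blocks ($begins BEGIN, $ends END)"
        rc=1
    fi
    # A trust bundle holds public certificates only, never key material.
    if grep -q 'PRIVATE KEY-----' "$bundle"; then
        echo "FAIL: private key material found in bundle"
        rc=1
    fi
    # Whoever can write this file can add a CA that Node.js will then trust.
    if [ -n "$(find -L "$bundle" \( -perm -020 -o -perm -002 \) 2>/dev/null)" ]; then
        echo "FAIL: bundle is group- or world-writable"
        rc=1
    fi
    # Every block becomes a trust anchor, so a whole-keychain export needs trimming.
    echo "INFO: $begins certificate(s) would be trusted by Node.js"
    if [ "$rc" -eq 0 ] && command -v openssl >/dev/null 2>&1; then
        openssl crl2pkcs7 -nocrl -certfile "$bundle" 2>/dev/null |
            openssl pkcs7 -print_certs -noout 2>/dev/null |
            grep -E '^(subject|issuer)' || true
    fi
    return "$rc"
}

# Constructed sample (placeholder base64, not a real certificate).
sample=$(mktemp)
printf '%s\n' '-----BEGIN CERTIFICATE-----' 'Q09OU1RSVUNURUQ=' \
    '-----END CERTIFICATE-----' > "$sample"
check_ca_bundle "$sample" && echo "structure and permissions OK"
rm -f "$sample"
```

Run check_ca_bundle /path/to/corporate-ca.pem against the real file; a non-zero return means the file should be fixed before the variable is exported. When openssl is installed, the subject and issuer of each certificate are listed so the corporate root can be picked out by name.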
Prevention
For teams behind corporate proxies, create a shared Claude Code settings file with the correct proxy and certificate configuration:
{
"env": {
"NODE_EXTRA_CA_CERTS": "/path/to/corporate-ca.pem",
"HTTPS_PROXY": "http://proxy.example.com:8080"
}
}
Distribute this as a managed settings file to standardize the configuration across all developers. On macOS, managed settings go in /Library/Application Support/ClaudeCode/managed-settings.json. On Linux, use /etc/claude-code/managed-settings.json.