Issue Station
Sign In
Tools hereToolbox

gemini-cli - 💡(How to fix) Fix Regression: NODE_EXTRA_CA_CERTS in .gemini/.env is ignored since v0.39.0 (PR #24667) [1 participants]

Official PRs (…)
ON THIS PAGE

Recommended Tools

×6

Utilities matched from this issue’s tags and category — try them while you read without losing context.

GitHub issue graph ai analysis

Paste a GitHub issue URL. We fetch that issue, discover linked issues from bodies/comments/timeline, collect linked pull requests, and produce a structured English report.

The report is written in English Markdown for sharing and archival.

Helpful · Quick feedback

Loading…
GitHub stats
google-gemini/gemini-cli#25987Fetched 2026-04-26 05:24:14
View on GitHub
Comments
0
Participants
1
Timeline
1
Reactions
0
Author
fredericdasilvafredericdasilva
Participants
fredericdasilvafredericdasilva
Timeline (top)
labeled ×1

Root Cause

Technical Root Cause: Node.js initializes its internal SSL/TLS engine and reads NODE_EXTRA_CA_CERTS exactly once at the moment the process starts.

  1. The new Parent Process (packages/cli/index.ts) is designed to be lightweight and intentionally skips loading the .env file to save startup time.
  2. It then spawns the Child Process (the "heavy" app) passing the shell's current environment.
  3. The Child Process Node.js engine initializes its networking layer before any JS code runs.
  4. The Child's JS code eventually loads the .env file and updates process.env, but this update occurs too late for the Node.js networking engine (the C++ layer), which has already completed its trust-store initialization.

Fix Action

Fix / Workaround

Expected Behavior: The Parent Process should minimally parse the .env file for "critical startup variables" like NODE_EXTRA_CA_CERTS before spawning the child, or the child should manually re-initialize its global fetch dispatcher (e.g. undici.setGlobalDispatcher) if a CA is detected in .env.

RAW_BUFFERClick to expand / collapse

What happened?

Since the introduction of the "Lightweight Parent Process" optimization in v0.39.0 (PR #24667), the Gemini CLI no longer honors the NODE_EXTRA_CA_CERTS environment variable when it is defined inside the .gemini/.env file. This breaks connectivity to corporate MCP servers and APIs that rely on internal CA certificates.

Technical Root Cause: Node.js initializes its internal SSL/TLS engine and reads NODE_EXTRA_CA_CERTS exactly once at the moment the process starts.

  1. The new Parent Process (packages/cli/index.ts) is designed to be lightweight and intentionally skips loading the .env file to save startup time.
  2. It then spawns the Child Process (the "heavy" app) passing the shell's current environment.
  3. The Child Process Node.js engine initializes its networking layer before any JS code runs.
  4. The Child's JS code eventually loads the .env file and updates process.env, but this update occurs too late for the Node.js networking engine (the C++ layer), which has already completed its trust-store initialization.

Affected Code: The regression is located in packages/cli/index.ts, where the environment is captured before .env processing:

1 // packages/cli/index.ts (Approx line 81) 2 const newEnv = { ...process.env, GEMINI_CLI_NO_RELAUNCH: 'true' }; 3 const child = spawn(process.execPath, nodeArgs, { 4 stdio: ['inherit', 'inherit', 'inherit', 'ipc'], 5 env: newEnv, 6 });

Steps to Reproduce:

  1. Use Gemini CLI v0.39.0 or later.
  2. Add a valid CA certificate path to .gemini/.env: NODE_EXTRA_CA_CERTS=C:\path\to\cert.pem.
  3. Ensure NODE_EXTRA_CA_CERTS is not set in your OS or Shell environment.
  4. Run any command that connects to a server using that CA (e.g., gemini mcp list).
  5. Observed: The connection fails with TypeError: fetch failed.
  6. Verification: Setting the variable directly in the shell (export NODE_EXTRA_CA_CERTS=...) fixes the issue, proving the .env loading is the point of failure.

Environment:

  • OS: Windows (win32)
  • Node.js: v24.10.0
  • Gemini CLI Version: v0.39.0 and later

What did you expect to happen?

Expected Behavior: The Parent Process should minimally parse the .env file for "critical startup variables" like NODE_EXTRA_CA_CERTS before spawning the child, or the child should manually re-initialize its global fetch dispatcher (e.g. undici.setGlobalDispatcher) if a CA is detected in .env.

Client information

CLI Version 0.39.1 Git Commit 4d73f3413 Model Auto (Gemini 3) Sandbox no sandbox OS win32

Login information

Auth Method Signed in with Google ([email protected]) Tier Gemini Code Assist Enterprise

Anything else we need to know?

No response

extent analysis

TL;DR

The Gemini CLI fails to honor the NODE_EXTRA_CA_CERTS environment variable when defined in the .gemini/.env file due to the new Lightweight Parent Process optimization, which skips loading the .env file, causing connectivity issues to corporate MCP servers and APIs.

Guidance

  • The issue arises from the Parent Process not loading the .env file before spawning the Child Process, resulting in the Node.js engine initializing its SSL/TLS layer without the extra CA certificates.
  • To verify the issue, set the NODE_EXTRA_CA_CERTS variable directly in the shell environment and observe if the connection succeeds.
  • A potential workaround is to manually load the .env file in the Parent Process before spawning the Child Process, allowing the Node.js engine to initialize with the extra CA certificates.
  • Another possible solution is to re-initialize the global fetch dispatcher in the Child Process if a CA is detected in the .env file.

Example

// packages/cli/index.ts (modified)
const dotenv = require('dotenv');
const envConfig = dotenv.config({ path: '.gemini/.env' });
const newEnv = { ...process.env, ...envConfig.parsed, GEMINI_CLI_NO_RELAUNCH: 'true' };
const child = spawn(process.execPath, nodeArgs, {
  stdio: ['inherit', 'inherit', 'inherit', 'ipc'],
  env: newEnv,
});

Notes

The provided example code snippet assumes the dotenv package is installed and configured correctly. This solution may require additional error handling and configuration to ensure compatibility with the Gemini CLI.

Recommendation

Apply a workaround by manually loading the .env file in the Parent Process or re-initializing the global fetch dispatcher in the Child Process, as upgrading to a fixed version is not currently available.

Vote matrix · Quick signals

Works
Did the solution work? Tap to confirm.
Easy Fix
Was it a quick fix?
Time Saver
Did it save you time?
Blocking
Was it severely blocking?
Common Issue
Are others likely hitting this too?
Flaky / Intermittent
Is it intermittent?
Verified / Reproducible
Can you reproduce it reliably?
Loading…
#api#optimization#environment variable#retrieval issue#search optimization

Still need to ship something?

×6

Another batch ranked right after the header list — different links, same matching logic.

Back to top recommendations

TRENDING

gemini-cli - 💡(How to fix) Fix Regression: NODE_EXTRA_CA_CERTS in .gemini/.env is ignored since v0.39.0 (PR #24667) [1 participants]