`git clone` over HTTPS fails in all community sandbox images with:

```
fatal: unable to access '...': server certificate verification failed. CAfile: none CRLfile: none
```
## Root cause

The sandbox runtime injects CA bundle env vars for several tools but not for git:

| Variable | Value | Consumer |
| --- | --- | --- |
| `SSL_CERT_FILE` | `/etc/openshell-tls/ca-bundle.pem` | OpenSSL-based libs |
| `CURL_CA_BUNDLE` | `/etc/openshell-tls/ca-bundle.pem` | curl (OpenSSL) |
| `REQUESTS_CA_BUNDLE` | `/etc/openshell-tls/ca-bundle.pem` | Python requests |
| `NODE_EXTRA_CA_CERTS` | `/etc/openshell-tls/openshell-ca.pem` | Node.js |
| `GIT_SSL_CAINFO` | not set | git |

The base image (Ubuntu Noble) ships git 2.43.0 linked against `libcurl-gnutls`, which does not read `SSL_CERT_FILE`. Git requires its own `GIT_SSL_CAINFO` environment variable (or the `http.sslCAInfo` git config setting) to locate the CA bundle.

```
$ ldd /usr/lib/git-core/git-remote-https | grep -E 'curl|gnutls'
libcurl-gnutls.so.4 => /lib/aarch64-linux-gnu/libcurl-gnutls.so.4
libgnutls.so.30 => /lib/aarch64-linux-gnu/libgnutls.so.30
```
## Reproduction

```
$ openshell sandbox create --from openclaw
# inside the sandbox:
$ env | grep GIT_SSL
# (empty)
$ git clone https://github.com/octocat/Hello-World.git
Cloning into 'Hello-World'...
fatal: unable to access 'https://github.com/octocat/Hello-World.git/': server certificate verification failed. CAfile: none CRLfile: none
```
## Workaround

```
export GIT_SSL_CAINFO=/etc/openshell-tls/ca-bundle.pem
git clone https://github.com/octocat/Hello-World.git   # works
```
## Suggested fix

Inject `GIT_SSL_CAINFO=/etc/openshell-tls/ca-bundle.pem` in the sandbox environment alongside the other CA variables.

Alternatively, adding `openshell-ca.pem` to `/usr/local/share/ca-certificates/` and running `update-ca-certificates` at sandbox init would fix all TLS clients at once (including future ones).
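The following sandbox-init helper is an added example for this issue, not openshell project code. It emits `GIT_SSL_CAINFO` next to the CA variables the runtime already sets, audits that each CA variable names a readable file so a gap like this one fails at init rather than at the first clone, and carries the system-trust-store alternative as a separate function. The bundle paths are the ones from the table above; the function names and the `OPENSHELL_CA_BUNDLE` / `OPENSHELL_CA_CERT` overrides are this example's own.

```shell
#!/bin/sh
# Added example for this issue (not openshell project code): a sandbox-init
# helper that injects GIT_SSL_CAINFO next to the existing CA variables and
# audits that every CA variable points at a readable bundle. The bundle paths
# come from the issue; the function names are this example's own.

# Bundle the runtime already hands to curl/OpenSSL/requests; override via env.
OPENSHELL_CA_BUNDLE="${OPENSHELL_CA_BUNDLE:-/etc/openshell-tls/ca-bundle.pem}"
# Single-cert file the runtime hands to Node.js; used by the system-store fallback.
OPENSHELL_CA_CERT="${OPENSHELL_CA_CERT:-/etc/openshell-tls/openshell-ca.pem}"

# Exit 0 when git's HTTPS helper is linked against libcurl-gnutls (the build
# that ignores SSL_CERT_FILE); exit 1 for an OpenSSL-linked git or when git or
# ldd is unavailable. Mirrors the ldd check from the issue.
git_uses_gnutls() {
    helper="$(git --exec-path 2>/dev/null)/git-remote-https"
    [ -x "$helper" ] || return 1
    ldd "$helper" 2>/dev/null | grep -q 'libcurl-gnutls'
}

# Print the export lines the sandbox should inject. GIT_SSL_CAINFO is emitted
# unconditionally: an OpenSSL-linked git honours it as well, so the injection
# does not need to branch on linkage.
ca_env_exports() {
    bundle="$1"
    for var in SSL_CERT_FILE CURL_CA_BUNDLE REQUESTS_CA_BUNDLE GIT_SSL_CAINFO; do
        printf 'export %s=%s\n' "$var" "$bundle"
    done
}

# Report every CA variable that is unset or names an unreadable file, one per
# line. Exit 0 when all are usable, 1 otherwise. Run at the end of sandbox init
# so a missing variable fails loudly instead of surfacing later as "CAfile: none".
audit_ca_env() {
    rc=0
    for var in SSL_CERT_FILE CURL_CA_BUNDLE REQUESTS_CA_BUNDLE NODE_EXTRA_CA_CERTS GIT_SSL_CAINFO; do
        eval "val=\${$var:-}"
        if [ -z "$val" ]; then
            echo "$var: not set"
            rc=1
        elif [ ! -r "$val" ]; then
            echo "$var: $val is not readable"
            rc=1
        fi
    done
    return "$rc"
}

# Alternative from the issue: trust the CA system-wide so every TLS client,
# present or future, picks it up. Needs root. update-ca-certificates only
# considers files ending in .crt, so the .pem is copied under that name.
install_system_ca() {
    cert="${1:-$OPENSHELL_CA_CERT}"
    [ -r "$cert" ] || { echo "CA cert $cert not readable" >&2; return 1; }
    cp "$cert" /usr/local/share/ca-certificates/openshell-ca.crt || return 1
    update-ca-certificates
}
```

At init, `eval "$(ca_env_exports "$OPENSHELL_CA_BUNDLE")" && audit_ca_env` applies the variables to the current shell and exits non-zero if any of them is missing or unreadable; `git_uses_gnutls` is there for diagnostics, since the export list is the same either way.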
## Affected images

All community sandbox images (`base`, `openclaw`, `openclaw-nvidia`, `ollama`, `gemini`), since they all inherit from `base`.