Description
When enable_boundary = true in the Codex module, MCP server subprocesses (both the built-in Coder MCP and any additional_mcp_servers) fail to make HTTPS requests because they don't trust Boundary's dynamically-generated CA certificate.
Root Cause
Boundary sandboxes the Codex process using a network namespace with transparent HTTPS interception. It generates a CA certificate and injects env vars like SSL_CERT_FILE, NODE_EXTRA_CA_CERTS, etc. into the Codex process environment.
However, Codex CLI calls .env_clear() when spawning MCP server subprocesses (source), only passing through a small default whitelist (HOME, PATH, SHELL, USER, LANG, LC_ALL, TERM, TMPDIR, TZ) plus whatever is explicitly defined in the env block of config.toml.
The append_mcp_servers_section function in install.sh does not include Boundary's CA cert env vars in the Coder MCP server's env block, so they are stripped when Codex spawns the MCP subprocess.
Symptoms
- Coder MCP (coder exp mcp server): Failed to report task status: Patch "https://<coder-url>/api/v2/workspaceagents/me/app-status": tls: failed to verify certificate: x509: certificate signed by unknown authority
- Additional MCP servers (e.g. GitLab via npx): TLS handshake failures when connecting to external APIs
Current Workaround
Coder MCP (Go binary)
Use post_install_script to sed-patch config.toml and inject SSL_CERT_FILE and SSL_CERT_DIR into the Coder MCP server's inline env block:
post_install_script = <<-EOF
#!/bin/bash
CONFIG_PATH="$HOME/.codex/config.toml"
sed -i 's|"CODER_MCP_ALLOWED_TOOLS" = "coder_report_task"|"CODER_MCP_ALLOWED_TOOLS" = "coder_report_task", "SSL_CERT_FILE" = "/home/coder/.config/coder_boundary/ca-cert.pem", "SSL_CERT_DIR" = "/home/coder/.config/coder_boundary"|' "$CONFIG_PATH"
EOF
Node.js-based MCP servers (e.g. GitLab)
Only NODE_EXTRA_CA_CERTS is needed in the env block, plus startup_timeout_sec to account for slower npx downloads through Boundary:
[mcp_servers.gitlab]
command = "npx"
args = ["-y", "@zereight/mcp-gitlab"]
type = "stdio"
startup_timeout_sec = 180
[mcp_servers.gitlab.env]
NODE_EXTRA_CA_CERTS = "/home/coder/.config/coder_boundary/ca-cert.pem"
# ... other GitLab-specific env vars
Important note
HTTPS_PROXY/HTTP_PROXY might not be needed. Boundary intercepts traffic transparently at the network namespace level; the proxy port (8087) is not reachable via localhost from inside the sandbox.
Proposed Fix
When enable_boundary = true, the append_mcp_servers_section function in scripts/install.sh should automatically inject Boundary's CA cert env vars into the built-in Coder MCP server env block. At minimum:
- SSL_CERT_FILE=<boundary_config_dir>/ca-cert.pem
- SSL_CERT_DIR=<boundary_config_dir>
The CA cert path is deterministic based on the boundary_config_path directory.
Additionally, the README should document that:
- Users must add NODE_EXTRA_CA_CERTS (or equivalent) to additional_mcp_servers env blocks when using Boundary
- MCP servers using npx may need increased startup_timeout_sec (e.g. 180) when running behind Boundary due to package download overhead
Environment
- Codex module version: 4.3.0
- Coder version: v2.30.2
- enable_boundary = true
- enable_aibridge = true
Relevant Source Files
- registry/coder-labs/modules/codex/scripts/install.sh - append_mcp_servers_section function
- registry/coder/modules/agentapi/scripts/boundary.sh - Boundary setup
- Codex CLI MCP env handling: https://github.com/openai/codex/blob/main/codex-rs/rmcp-client/src/utils.rs#L92
- Boundary CA cert injection: https://github.com/coder/boundary/blob/main/landjail/child.go
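
The injection described under Proposed Fix, sketched as an added example; it is not code from the module's install.sh or from the issue author. The helper names boundary_ca_env_entries and inject_boundary_ca and the sample config are assumptions. It patches the same inline env entry as the sed workaround, but a second run over an already patched file adds nothing, where repeating the sed substitution would append the keys again.

```shell
#!/bin/sh
# Added example: hypothetical helpers, not code from the module's install.sh.

# Print the inline-table entries that point Go's TLS stack at Boundary's CA.
# $1 = Boundary config directory (the page's <boundary_config_dir>).
boundary_ca_env_entries() (
  dir=${1%/}
  printf '"SSL_CERT_FILE" = "%s/ca-cert.pem", "SSL_CERT_DIR" = "%s"' "$dir" "$dir"
)

# Add those entries to the Coder MCP inline env block of a Codex config.toml.
# $1 = config.toml path, $2 = Boundary config directory.
# Exits 1 when the anchor entry is absent; a second run changes nothing.
inject_boundary_ca() (
  config=$1
  ANCHOR='"CODER_MCP_ALLOWED_TOOLS" = "coder_report_task"'
  ADD=$(boundary_ca_env_entries "$2")
  export ANCHOR ADD
  grep -qF "$ANCHOR" "$config" || exit 1
  tmp=$(mktemp) || exit 1
  # index()/substr() treat the anchor and the paths literally, so characters
  # that are special to sed (|, &, /) in the directory cannot corrupt the edit.
  awk '{
    a = ENVIRON["ANCHOR"]; i = index($0, a)
    if (i && !index($0, "\"SSL_CERT_FILE\""))
      $0 = substr($0, 1, i + length(a) - 1) ", " ENVIRON["ADD"] substr($0, i + length(a))
    print
  }' "$config" > "$tmp" && cat "$tmp" > "$config"
  rc=$?; rm -f "$tmp"; exit $rc
)

# Constructed sample config; the file install.sh really writes may differ.
demo() (
  cfg=$(mktemp) || exit 1
  printf '%s\n' '[mcp_servers.coder]' 'command = "coder"' \
    'env = { "CODER_MCP_ALLOWED_TOOLS" = "coder_report_task" }' > "$cfg"
  inject_boundary_ca "$cfg" /home/coder/.config/coder_boundary
  inject_boundary_ca "$cfg" /home/coder/.config/coder_boundary  # second run: no change
  cat "$cfg"; rm -f "$cfg"
)
demo
```

For Go binaries on Linux, SSL_CERT_FILE and SSL_CERT_DIR override the default system certificate locations, while NODE_EXTRA_CA_CERTS extends Node's built-in roots.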