
bug: Bun in Windmill sandbox ignores BUN_TLS_CA_FILE and fails with SELF_SIGNED_CERT_IN_CHAIN #7018

@gevezex


Describe the bug

When running a Windmill TypeScript script that imports a package (e.g. [email protected]), the sandbox runtime fails during dependency resolution with a SELF_SIGNED_CERT_IN_CHAIN error, even though a custom corporate CA certificate (/etc/ssl/custom/my.crt) is available and environment variables such as BUN_TLS_CA_FILE, NODE_EXTRA_CA_CERTS, and BUN_TLS_REJECT_UNAUTHORIZED are set and also whitelisted.

The same Bun command (bun install) works correctly on the underlying worker node, but fails inside the Windmill sandbox, indicating that Bun in the sandbox environment either:

  • cannot access the CA file path, or
  • ignores environment variables during its internal bun install phase.

We are using Windmill with the Helm charts (Kubernetes env). We do not have this behaviour with Python scripts, by the way.

To reproduce

  1. Have these env variables on your workers-default node:

```
NODE_EXTRA_CA_CERTS=/etc/ssl/custom/my.crt
BUN_TLS_CA_FILE=/etc/ssl/custom/my.crt
CURL_CA_BUNDLE=/etc/ssl/custom/my.crt
REQUESTS_CA_BUNDLE=/etc/ssl/custom/my.crt
WHITELIST_ENVS=REQUESTS_CA_BUNDLE,SSL_CERT_FILE,NODE_EXTRA_CA_CERTS,NODE_TLS_REJECT_UNAUTHORIZED,BUN_TLS_CA_FILE,BUN_TLS_REJECT_UNAUTHORIZED,HTTPS_PROXY,HTTP_PROXY,NO_PROXY
```

  2. Use a corporate network that performs SSL interception (e.g. Zscaler proxy) with a self-signed corporate root CA installed on the system at /etc/ssl/custom/my.crt.

  3. Create a Windmill TypeScript script using Bun runtime that both sets the environment variables and imports a package:

```ts
import * as wmill from "[email protected]";

export async function main() {
  // Apply CA settings
  process.env.BUN_TLS_CA_FILE = "/etc/ssl/custom/my.crt";
  process.env.NODE_EXTRA_CA_CERTS = "/etc/ssl/custom/my.crt";
  process.env.BUN_TLS_REJECT_UNAUTHORIZED = "0";

  console.log("CA file:", process.env.BUN_TLS_CA_FILE);

  // Trigger network call
  await wmill.hubPull({
    workspace: "admins",
    token: process.env["WM_TOKEN"],
    baseUrl: globalThis.process.env["BASE_URL"]
  });
}
```

  4. Run the script

Observed behavior
The job fails during dependency resolution with:

```
ExecutionErr: exit code for "bun install": 1, last log lines:
job=019a395e-2bdf-ba35-7496-bfb7ee0d9fd3 tag=bun worker=wk-default-p9x2x-2GTCL hostname=windmill-workers-default-f8dd9f8c9-p9x2x


--- BUN INSTALL ---

bun install v1.2.18 (0d4089ea)
Resolving dependencies
Resolved, downloaded and extracted [6]
error: SELF_SIGNED_CERT_IN_CHAIN downloading package manifest windmill-cli
error: [email protected] failed to resolve
```

Running the exact same bun install command directly on the worker node succeeds.
This indicates that:

  • The CA file is accessible at /etc/ssl/custom/my.crt
  • Environment variables are visible (console.log confirms them).
  • Bun in the sandbox ignores these env vars during its internal fetch.

Expected behavior

Bun should:

  • Honor BUN_TLS_CA_FILE, NODE_EXTRA_CA_CERTS, and BUN_TLS_REJECT_UNAUTHORIZED values before initiating any TLS connections during dependency resolution.
  • Successfully establish TLS with the corporate proxy using the provided custom CA.

Screenshots

No response

Browser information

Google Chrome 141.0.7390.108 (Officiële build) (64-bits)

Application version

v1.570.0

Additional Context

No response
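
An added diagnostic, not part of the original issue and not Windmill or Bun code: it helps separate the two hypotheses in the report (CA file not reachable in the sandbox versus variables not honoured) by building the same report on the worker and inside the job and comparing them. The names `checkCaEnv` and `diffViews` and the sample data are constructed for illustration; the variable names and CA path are the ones given in the issue.

```javascript
// Added diagnostic; not Windmill or Bun code. Variable names and the CA path come from the issue.
const CA_VARS = ["BUN_TLS_CA_FILE", "NODE_EXTRA_CA_CERTS", "CURL_CA_BUNDLE", "REQUESTS_CA_BUNDLE"];
const VERIFY_VARS = ["BUN_TLS_REJECT_UNAUTHORIZED", "NODE_TLS_REJECT_UNAUTHORIZED"];
const PEM_CERT = /-----BEGIN CERTIFICATE-----[\s\S]+?-----END CERTIFICATE-----/g;

// env: object shaped like process.env. readFile: (path) => string, throws when unreadable.
// In a real job pass process.env and (p) => fs.readFileSync(p, "utf8").
function checkCaEnv(env, readFile) {
  // whitelisted is null when WHITELIST_ENVS is not visible in this view
  const whitelist = env.WHITELIST_ENVS ? env.WHITELIST_ENVS.split(",").map((s) => s.trim()) : null;
  const report = {};
  for (const name of CA_VARS) {
    const entry = { status: "unset", certs: 0, whitelisted: whitelist ? whitelist.includes(name) : null };
    if (env[name]) {
      try {
        entry.certs = (readFile(env[name]).match(PEM_CERT) || []).length;
        entry.status = entry.certs > 0 ? "ok" : "no-pem-certificate";
      } catch {
        entry.status = "unreadable"; // path not mounted or not permitted in this view
      }
    }
    report[name] = entry;
  }
  // A value of "0" switches certificate verification off: report it, do not rely on it
  report.verificationDisabled = VERIFY_VARS.filter((n) => env[n] === "0");
  return report;
}

// Names of CA variables whose status differs between two views (worker vs. sandbox).
function diffViews(a, b) {
  return CA_VARS.filter((n) => a[n].status !== b[n].status);
}

// Constructed sample data (not the reporter's environment): worker sees the file, sandbox does not.
const SAMPLE_PEM = "-----BEGIN CERTIFICATE-----\nQ09OU1RSVUNURUQ=\n-----END CERTIFICATE-----\n";
const workerFs = (p) => { if (p === "/etc/ssl/custom/my.crt") return SAMPLE_PEM; throw new Error("ENOENT"); };
const sandboxFs = () => { throw new Error("ENOENT"); };
const workerEnv = {
  BUN_TLS_CA_FILE: "/etc/ssl/custom/my.crt", NODE_EXTRA_CA_CERTS: "/etc/ssl/custom/my.crt",
  CURL_CA_BUNDLE: "/etc/ssl/custom/my.crt", REQUESTS_CA_BUNDLE: "/etc/ssl/custom/my.crt",
  WHITELIST_ENVS: "REQUESTS_CA_BUNDLE,SSL_CERT_FILE,NODE_EXTRA_CA_CERTS,NODE_TLS_REJECT_UNAUTHORIZED,BUN_TLS_CA_FILE,BUN_TLS_REJECT_UNAUTHORIZED,HTTPS_PROXY,HTTP_PROXY,NO_PROXY",
};
const sandboxEnv = { BUN_TLS_CA_FILE: "/etc/ssl/custom/my.crt", NODE_EXTRA_CA_CERTS: "/etc/ssl/custom/my.crt",
  REQUESTS_CA_BUNDLE: "/etc/ssl/custom/my.crt", BUN_TLS_REJECT_UNAUTHORIZED: "0" };

const worker = checkCaEnv(workerEnv, workerFs);
const sandbox = checkCaEnv(sandboxEnv, sandboxFs);
console.log(diffViews(worker, sandbox), sandbox.verificationDisabled);
```

An "unreadable" status only inside the job points at the sandbox's file-system view; identical "ok" reports in both views point at how the variables are consumed during bun install.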
