Enterprise TLS certificates

Some networks (including NIH) intercept SSL/TLS traffic for security monitoring. This requires trusting additional certificate authorities.

Problem

When running inside a container, the container cannot see certificates installed on the host machine. This causes SSL/TLS connection failures when on VPN or certain enterprise networks. Symptoms include apt output lines starting with Ign: during image builds, and connection errors from agent tools at runtime.

Solution

Download your enterprise certificates and pass them to the container.

NIH-specific: Save the NIH DPKI certificate bundle (only reachable on the NIH network):

curl -fSsL -o ~/.certs.pem http://nihdpkicrl.nih.gov/certdata/DPKI-2023-Intermediate-rekey-FullChainBase64.crt

Then either:

  1. Set the environment variable in ~/.bashrc:

    export LLM_DEVCONTAINER_CERTS=~/.certs.pem
    
  2. Or pass --certs to launch.py for one-off use:

    launch.py --certs ~/.certs.pem codex
    

The same file is also used during image builds; see Developers.
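The curl command above fetches the bundle over plain HTTP, and every certificate in the file becomes a trusted CA inside the container, so it is worth checking the file before pointing LLM_DEVCONTAINER_CERTS or --certs at it. The following is an added example, not part of launch.py or this project: it computes the SHA-256 fingerprint of each certificate in the bundle and compares them with fingerprints you have obtained through a separate trusted channel. The function names and the script name check_bundle.py are hypothetical, and the sample bytes are constructed placeholders rather than real certificates.

```python
import base64
import hashlib
import re
import sys
from pathlib import Path

PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.DOTALL)


def bundle_fingerprints(pem_text):
    """SHA-256 fingerprint (lowercase hex) of each certificate in a PEM bundle."""
    prints = []
    for label, body in PEM_BLOCK.findall(pem_text):
        if label != "CERTIFICATE":  # e.g. a private key has no place in a CA bundle
            raise ValueError(f"unexpected PEM block in CA bundle: {label}")
        der = base64.b64decode("".join(body.split()), validate=True)
        prints.append(hashlib.sha256(der).hexdigest())
    if not prints:
        raise ValueError("no certificates found in bundle")
    return prints


def check_bundle(pem_text, pinned):
    """Return (unexpected, missing) fingerprints relative to the pinned set."""
    want = {fp.replace(":", "").lower() for fp in pinned}
    got = bundle_fingerprints(pem_text)
    unexpected = [fp for fp in got if fp not in want]
    missing = sorted(want - set(got))
    return unexpected, missing


def pem_block(label, der):
    """Wrap bytes in PEM armour; used only to build the constructed sample."""
    return f"-----BEGIN {label}-----\n{base64.encodebytes(der).decode()}-----END {label}-----\n"


if __name__ == "__main__":
    if len(sys.argv) > 2:  # usage: check_bundle.py ~/.certs.pem FINGERPRINT...
        unexpected, missing = check_bundle(Path(sys.argv[1]).read_text(), sys.argv[2:])
        print("unexpected:", unexpected, "missing:", missing)
        sys.exit(1 if unexpected or missing else 0)
    # Constructed sample: placeholder bytes, not real certificates.
    ders = [b"constructed-cert-A", b"constructed-cert-B"]
    sample = "".join(pem_block("CERTIFICATE", d) for d in ders)
    # Only the first entry is pinned, so the second is reported as unexpected.
    print(check_bundle(sample, [hashlib.sha256(ders[0]).hexdigest()]))
```

Fingerprints may be given with or without colons and in either case. A non-zero exit status means the bundle contains a certificate you did not pin, or lacks one you did.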

If you are still having connection issues after setting up certificates, see SSL/TLS connection errors for more troubleshooting steps.

See also

See Environment variables created by launch.py for the environment variables that are set in the container when this mechanism is used.