Problem
The bt CLI (v0.3.0) fails with error: network error: error sending request for url (https://www.braintrust.dev/api/apikey/login) on corporate networks that use TLS-inspecting proxies (e.g., Zscaler, Netskope, Palo Alto). These proxies intercept HTTPS traffic and re-sign it with a corporate CA certificate that's installed in the OS trust store.
Root cause
bt uses reqwest with the rustls-tls feature, which bundles Mozilla's webpki-roots as the only trusted CAs. This means bt ignores the system certificate store entirely. Corporate proxy CAs (like Zscaler's) are trusted by the OS but not by webpki-roots, so the TLS handshake fails.
From Cargo.toml:
reqwest = { version = "0.12.7", default-features = false, features = ["json", "rustls-tls"] }
oauth2 = { version = "4.4", default-features = false, features = ["reqwest", "rustls-tls"] }
Verification
- curl to the same endpoint succeeds (it reads the system CA bundle via SSL_CERT_FILE)
- openssl s_client confirms the Zscaler intermediate CA is signing www.braintrust.dev
- The Zscaler root CA is installed in the macOS system keychain
- Setting SSL_CERT_FILE, REQUESTS_CA_BUNDLE, or REQWEST_CA_BUNDLE has no effect since rustls with webpki-roots doesn't read env vars
Suggested fix
Change rustls-tls to rustls-tls-native-roots in both dependency lines. This swaps webpki-roots for rustls-native-certs, which reads the OS certificate store (macOS Keychain, Windows cert store, or OpenSSL dirs on Linux):
reqwest = { version = "0.12.7", default-features = false, features = ["json", "rustls-tls-native-roots"] }
oauth2 = { version = "4.4", default-features = false, features = ["reqwest", "rustls-tls"] } # check if oauth2 supports native-roots too
This is a common issue for Rust CLIs on corporate networks — many projects (e.g., cargo itself) have made this same change.
Environment
- macOS (arm64)
- Zscaler TLS inspection
- bt v0.3.0
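As an added example (not part of the issue and not bt's code), this std-only Rust check reports which CA root set each dependency line of a Cargo.toml selects, using only the two feature names discussed above. It assumes single-line inline-table dependencies; the names `Roots`, `features`, `classify` and `audit` are hypothetical.

```rust
// Added example, not bt's code: report which CA root set each dependency line
// in a Cargo.toml selects, judged only by the feature names quoted on this page.
#[derive(Debug, PartialEq)]
enum Roots { BundledOnly, OsStore, Unknown }

// Quoted strings inside `features = [ ... ]` on one inline-table dependency line.
fn features(line: &str) -> Vec<&str> {
    let code = line.split('#').next().unwrap_or(""); // drop trailing TOML comment
    let Some(key) = code.find("features") else { return Vec::new() };
    let rest = &code[key..];
    match (rest.find('['), rest.find(']')) {
        (Some(open), Some(close)) if open < close => rest[open + 1..close]
            .split(',')
            .map(|f| f.trim().trim_matches('"'))
            .filter(|f| !f.is_empty())
            .collect(),
        _ => Vec::new(),
    }
}

fn classify(feats: &[&str]) -> Roots {
    if feats.contains(&"rustls-tls-native-roots") {
        Roots::OsStore // rustls-native-certs: OS store, so a corporate CA is honoured
    } else if feats.contains(&"rustls-tls") {
        Roots::BundledOnly // webpki-roots only: OS-installed CAs are ignored
    } else {
        Roots::Unknown
    }
}

// One (crate name, verdict) pair per line that carries a features list.
fn audit(manifest: &str) -> Vec<(String, Roots)> {
    let mut out = Vec::new();
    for line in manifest.lines() {
        let feats = features(line);
        if !feats.is_empty() {
            let name = line.split('=').next().unwrap_or("").trim();
            out.push((name.to_string(), classify(&feats)));
        }
    }
    out
}

// The two dependency lines quoted from bt's Cargo.toml on this page.
const BEFORE: &str = r#"
reqwest = { version = "0.12.7", default-features = false, features = ["json", "rustls-tls"] }
oauth2 = { version = "4.4", default-features = false, features = ["reqwest", "rustls-tls"] }
"#;
fn main() { for (n, r) in audit(BEFORE) { println!("{n}: {r:?}"); } }
```

Run against the suggested lines, the oauth2 entry still reports `BundledOnly`, which is the open question the inline comment there raises.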