fix: handle Linux nvm CA env before startup (#51146) (thanks @GodsBoy)

2026-04-05 14:21:32 +00:00 · 2026-03-21 10:47:29 -07:00
parent d6367c2c55
commit 40f5305cd2
11 changed files with 544 additions and 56 deletions
--- a/src/cli/daemon-cli/install.ts
+++ b/src/cli/daemon-cli/install.ts
@@ -1,3 +1,5 @@
+import type { DaemonInstallOptions } from "./types.js";
+import { resolveAutoNodeExtraCaCerts } from "../../bootstrap/node-extra-ca-certs.js";
 import { buildGatewayInstallPlan } from "../../commands/daemon-install-helpers.js";
 import {
  DEFAULT_GATEWAY_DAEMON_RUNTIME,
@@ -15,7 +17,6 @@ import {
  failIfNixDaemonInstallMode,
  parsePort,
 } from "./shared.js";
-import type { DaemonInstallOptions } from "./types.js";

 export async function runDaemonInstall(opts: DaemonInstallOptions) {
  const { json, stdout, warnings, emit, fail } = createDaemonInstallActionContext(opts.json);
@@ -54,19 +55,28 @@ export async function runDaemonInstall(opts: DaemonInstallOptions) {
  }
  if (loaded) {
    if (!opts.force) {
-      emit({
-        ok: true,
-        result: "already-installed",
-        message: `Gateway service already ${service.loadedText}.`,
-        service: buildDaemonServiceSnapshot(service, loaded),
-      });
-      if (!json) {
-        defaultRuntime.log(`Gateway service already ${service.loadedText}.`);
-        defaultRuntime.log(
-          `Reinstall with: ${formatCliCommand("openclaw gateway install --force")}`,
-        );
+      if (await gatewayServiceNeedsAutoNodeExtraCaCertsRefresh({ service, env: process.env })) {
+        const message = "Gateway service is missing the nvm TLS CA bundle; refreshing the install.";
+        if (json) {
+          warnings.push(message);
+        } else {
+          defaultRuntime.log(message);
+        }
+      } else {
+        emit({
+          ok: true,
+          result: "already-installed",
+          message: `Gateway service already ${service.loadedText}.`,
+          service: buildDaemonServiceSnapshot(service, loaded),
+        });
+        if (!json) {
+          defaultRuntime.log(`Gateway service already ${service.loadedText}.`);
+          defaultRuntime.log(
+            `Reinstall with: ${formatCliCommand("openclaw gateway install --force")}`,
+          );
+        }
+        return;
      }
-      return;
    }
  }

@@ -120,3 +130,24 @@ export async function runDaemonInstall(opts: DaemonInstallOptions) {
    },
  });
 }
+
+async function gatewayServiceNeedsAutoNodeExtraCaCertsRefresh(params: {
+  service: ReturnType<typeof resolveGatewayService>;
+  env: Record<string, string | undefined>;
+}): Promise<boolean> {
+  const expectedNodeExtraCaCerts = resolveAutoNodeExtraCaCerts({
+    env: params.env,
+    execPath: process.execPath,
+  });
+  if (!expectedNodeExtraCaCerts) {
+    return false;
+  }
+
+  try {
+    const currentCommand = await params.service.readCommand(params.env);
+    const currentNodeExtraCaCerts = currentCommand?.environment?.NODE_EXTRA_CA_CERTS?.trim();
+    return currentNodeExtraCaCerts !== expectedNodeExtraCaCerts;
+  } catch {
+    return false;
+  }
+}