Summary
The agent-side multica CLI intermittently fails TLS certificate verification and cannot reach the API, halting the entire agent loop (cannot read issues, comment, or change status).
Error: resolve issue: Get "https://multica-api.agentic.mioffice.cn/api/issues/<id>":
tls: failed to verify certificate: x509: OSStatus -26276
-26276 = Apple Security.framework errSecInvalidExtendedKeyUsage. The released CLI is built CGO_ENABLED=0, but on darwin Go still routes system-root verification to Security.framework, so the OSStatus surfaces. The literal OSStatus token proves the rejection comes from Apple's SecPolicyCreateSSL server policy, which requires the leaf to assert id-kp-serverAuth EKU.
Environment
- Platform: macOS Darwin 23.3.0
- Domain:
multica-api.agentic.mioffice.cn
- Error code:
x509: OSStatus -26276 (errSecInvalidExtendedKeyUsage)
- Affected surface: agent runtime /
multica CLI HTTP client
Impact
- Agent cannot read issues, post comments, or run any
multica CLI operation.
- Intermittent — recovers for a few minutes, then fails again — severely disrupting agent continuity.
- The same command works on the user's own terminal; only the agent runtime/sandbox is affected.
Timeline
- Started intermittently on 2026-06-17.
- Persistent failures 2026-06-18 ~ 2026-06-19; consecutive retries all fail when it triggers.
Root cause (most likely)
"Works for the user, fails only in the sandbox, intermittent" points away from a broken origin cert and toward a TLS-inspection middlebox in the sandbox's egress path (mioffice.cn = corporate network) re-signing the leaf with a serverAuth-deficient cert from some of its fleet nodes. Less likely but possible: missing intermediate/root in the sandbox keychain, or mixed-config LB backends.
Current code state
Both the CLI (server/internal/cli/client.go) and the daemon (server/internal/daemon/client.go) build a plain &http.Client{Timeout: …} with no custom Transport/tls.Config — there is currently no way to supply a CA bundle or relax verification for API traffic. The only InsecureSkipVerify in the tree is the server-side SMTP sender, unrelated.
Proposed remediation
Env-gated knobs on the CLI/daemon HTTP client, following the existing MULTICA_* convention (MULTICA_HTTP_TIMEOUT):
MULTICA_CA_BUNDLE=/path/to/roots.pem — add a custom RootCAs pool; fully verifying (chain + hostname + EKU stay on). Clean fix for a missing corporate/intermediate CA.
MULTICA_TLS_INSECURE=1 — emergency-only InsecureSkipVerify, off by default, loudly warned. Restores continuity as a last resort.
- (Optional, under evaluation) relax only the serverAuth-EKU requirement (
VerifyOptions.KeyUsages = ExtKeyUsageAny) while keeping hostname + chain trust — strictly safer than full insecure, targets this exact error.
Durable fix: correct the offending cert's EKU at source, or exempt *.agentic.mioffice.cn from corporate TLS inspection, then drop the escape hatch from the sandbox image.
Diagnostics to confirm cause
Run from inside the sandbox and compare with the user's terminal:
openssl s_client -connect multica-api.agentic.mioffice.cn:443 \
-servername multica-api.agentic.mioffice.cn -showcerts </dev/null 2>/dev/null | tee /tmp/chain.pem
openssl x509 -in /tmp/chain.pem -noout -text | grep -A3 -E "Extended Key Usage|Issuer:|Subject:"
# Compare leaf SHA-256 fingerprint sandbox-vs-user; differing fingerprint => MITM/proxy substitution
# scutil --proxies and `env | grep -i proxy` to detect a forced inspecting proxy
Tracked internally as Multica MUL-3553.
Summary
The agent-side
multicaCLI intermittently fails TLS certificate verification and cannot reach the API, halting the entire agent loop (cannot read issues, comment, or change status).-26276= Apple Security.frameworkerrSecInvalidExtendedKeyUsage. The released CLI is builtCGO_ENABLED=0, but on darwin Go still routes system-root verification to Security.framework, so the OSStatus surfaces. The literalOSStatustoken proves the rejection comes from Apple'sSecPolicyCreateSSLserver policy, which requires the leaf to assertid-kp-serverAuthEKU.Environment
multica-api.agentic.mioffice.cnx509: OSStatus -26276(errSecInvalidExtendedKeyUsage)multicaCLI HTTP clientImpact
multicaCLI operation.Timeline
Root cause (most likely)
"Works for the user, fails only in the sandbox, intermittent" points away from a broken origin cert and toward a TLS-inspection middlebox in the sandbox's egress path (mioffice.cn = corporate network) re-signing the leaf with a
serverAuth-deficient cert from some of its fleet nodes. Less likely but possible: missing intermediate/root in the sandbox keychain, or mixed-config LB backends.Current code state
Both the CLI (
server/internal/cli/client.go) and the daemon (server/internal/daemon/client.go) build a plain&http.Client{Timeout: …}with no customTransport/tls.Config— there is currently no way to supply a CA bundle or relax verification for API traffic. The onlyInsecureSkipVerifyin the tree is the server-side SMTP sender, unrelated.Proposed remediation
Env-gated knobs on the CLI/daemon HTTP client, following the existing
MULTICA_*convention (MULTICA_HTTP_TIMEOUT):MULTICA_CA_BUNDLE=/path/to/roots.pem— add a customRootCAspool; fully verifying (chain + hostname + EKU stay on). Clean fix for a missing corporate/intermediate CA.MULTICA_TLS_INSECURE=1— emergency-onlyInsecureSkipVerify, off by default, loudly warned. Restores continuity as a last resort.VerifyOptions.KeyUsages = ExtKeyUsageAny) while keeping hostname + chain trust — strictly safer than full insecure, targets this exact error.Durable fix: correct the offending cert's EKU at source, or exempt
*.agentic.mioffice.cnfrom corporate TLS inspection, then drop the escape hatch from the sandbox image.Diagnostics to confirm cause
Run from inside the sandbox and compare with the user's terminal:
Tracked internally as Multica MUL-3553.