Summary
With ACA dynamic sandboxes (Microsoft.App/sandboxGroups, preview) using trafficInspection: Full, the egress proxy performs TLS interception and presents a leaf signed by CN=ADC Egress Proxy Root CA. The CA delivered into the sandbox for clients to trust — /etc/ssl/certs/adc-egress-proxy-ca.crt (also /usr/local/share/ca-certificates/adc-proxy-ca.crt, and referenced by NODE_EXTRA_CA_CERTS) — has the same Subject as the leaf's issuer but a different key, so it does not validate the intercepted traffic. As a result, no client can verify TLS through the proxy, and Transform rules (header injection / credential injection), which require Full inspection, can't be used with certificate verification enabled.
Environment
- aca CLI 1.0.0-preview.1
- Microsoft.App/sandboxGroups, region North Europe
- Reproduced on a custom Ubuntu 24.04 disk and consistent with MS public disks (claude, ubuntu); on fresh and resumed sandboxes; across system trust (curl/openssl) and Node (NODE_EXTRA_CA_CERTS)
Repro
aca sandbox create --disk ubuntu
aca sandbox egress set --id <id> --default Deny --rule "api.anthropic.com:Allow" --traffic-inspection Full
- In the sandbox:
CA=/etc/ssl/certs/adc-egress-proxy-ca.crt
echo | openssl s_client -connect api.anthropic.com:443 -servername api.anthropic.com 2>/dev/null | openssl x509 > /tmp/leaf.pem
openssl verify -CAfile $CA /tmp/leaf.pem
curl --cacert $CA https://api.anthropic.com/v1/models
Actual
- openssl verify -CAfile $CA /tmp/leaf.pem → error 20 at 0 depth lookup: unable to get local issuer certificate / verification failed
- curl --cacert $CA ... → exit 60 / http=000
- Node (fetch, with NODE_EXTRA_CA_CERTS set to the dropped CA) → UNABLE_TO_VERIFY_LEAF_SIGNATURE
- The proxy presents only the leaf (-showcerts shows 1 cert), so clients cannot bootstrap trust from the connection.
Key detail confirming the mismatch:
- leaf issuer_hash == dropped-CA subject_hash (same DN), but the dropped CA is a valid self-signed root (CA:TRUE, pathlen:0, Key Usage: Certificate Sign, CRL Sign, self-verifies OK) that simply did not sign the leaf → two different CAs with identical CN=ADC Egress Proxy Root CA.
Expected
The CA delivered to the sandbox (/etc/ssl/certs/adc-egress-proxy-ca.crt / NODE_EXTRA_CA_CERTS) should be the actual root that signs the proxy's intercepted certificates, so that openssl verify, curl, Node, etc. validate Full-inspected TLS without disabling verification.
Impact
- Credential injection via Transform (a headline sandbox capability for "coding agents") is unusable with TLS verification on, because Full inspection can't be trusted.
- The only client-side workaround today is disabling verification (curl -k, NODE_TLS_REJECT_UNAUTHORIZED=0, git -c http.sslVerify=false), which is unacceptable for production.
Ask
Deliver the correct (matching) egress-proxy signing CA into the sandbox trust store / NODE_EXTRA_CA_CERTS, or document the correct way to obtain it. Happy to provide more detail / hashes from a live repro.