feat: add support for self-signed TLS certificates #99
yeager wants to merge 2 commits into grp06:main from
Add toggle in UI to allow self-signed TLS certificates for gateway connections. This is useful for Tailscale Serve with custom certs, local development, and private networks with self-signed certificates.

Changes:
- Added rejectUnauthorized option to GatewaySocketOptions
- Extended StudioGatewaySettings with allowSelfSignedCerts field
- Updated buildGatewayConnectProfile to pass rejectUnauthorized setting
- Modified OpenClawAdapter to handle rejectUnauthorized in WebSocket options
- Added UI checkbox in GatewayConnectScreen and ConnectionPanel
- Updated useStudioGatewaySettings to manage the new setting
- Added warning message when self-signed certs are enabled
- Updated unit tests to include new props

Fixes connection issues with self-signed certificates.
- Fix unit tests to include allowSelfSignedCerts field in assertions
- Use semantic ui-alert-danger class for warning messages
- Update test expectations in studioSettings and studioSettingsRoute tests
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 45ba4819d9
| gateway: { | ||
| url: trimmedGatewayUrl, | ||
| token: token.trim(), | ||
| allowSelfSignedCerts: allowSelfSignedCerts, | ||
| }, |
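Review bot: The `allowSelfSignedCerts: allowSelfSignedCerts,` line forwards the state value as-is. Because this flag ends up switching off certificate verification for the gateway socket, send a strict boolean here (for example `allowSelfSignedCerts: allowSelfSignedCerts === true`) so that an undefined or non-boolean value can never be read as opt-in, and keep the default off.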
Honor the self-signed toggle in the test-connection API
useStudioGatewaySettings now posts gateway.allowSelfSignedCerts here, but src/app/api/studio/test-connection/route.ts:11-49 still only reads gateway.url/gateway.token and constructs loadSettings: () => ({ url, token }). In the exact scenario this feature is meant to unblock—a wss:// gateway with a self-signed certificate—the Test connection button will still fail with the old TLS validation error even after the box is checked.
| token: settings.token, | ||
| protocol: CONNECT_PROTOCOL, | ||
| capabilities: CONNECT_CAPABILITIES, | ||
| rejectUnauthorized: settings.allowSelfSignedCerts ? false : undefined, |
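Review bot: On the `rejectUnauthorized: settings.allowSelfSignedCerts ? false : undefined` line, `false` turns off all certificate verification, not only the self-signed case: expired certificates, wrong hostnames and certificates from any issuer are accepted too, and `settings.token` three lines above is then sent to whoever terminates the TLS session. Consider trusting the specific certificate instead (a `ca` value or a pinned fingerprint carried in the settings), or at minimum name and document the option as disabling verification rather than as allowing self-signed certificates.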
Reconnect live adapters when TLS validation changes
This new flag is only consumed when connect() builds the websocket profile, but src/app/api/studio/route.ts:32-47 still defines a gateway-settings change as url/token only before deciding whether to call reconnectForGatewaySettingsChange(). If the runtime is already connected, toggling the checkbox and saving persists the setting but leaves the existing websocket running with its previous TLS policy until some later restart, so the live connection never picks up the new option.
Problem
OpenClaw Studio cannot connect to gateways using self-signed TLS certificates (common with Tailscale Serve, local networks, development setups). WebSocket connections fail with certificate validation errors.
Solution
Adds a UI toggle "Allow self-signed certificates" in the gateway connection settings:
- rejectUnauthorized: false to WebSocket when enabled
- false (secure by default)
Changes
- gateway-connect-profile.ts — Extended GatewaySocketOptions with rejectUnauthorized
- contracts.ts — Updated settings contract
- openclaw-adapter.ts — Pass setting to WebSocket
- settings.ts — Settings normalization + merge
- useStudioGatewaySettings.ts — State management
- GatewayConnectScreen.tsx + ConnectionPanel.tsx — UI toggle + warning
Use cases
Build passes (npm run build ✅)
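
Both Codex findings in this thread come down to treating allowSelfSignedCerts as a full member of the gateway settings: every consumer has to read it, and a change to it has to rebuild the live socket. The following is an added example, not code from this PR or from the OpenClaw Studio repository; GatewaySettings, normalizeGatewaySettings, socketTlsOptions and needsReconnect are hypothetical names, and only allowSelfSignedCerts and rejectUnauthorized come from the page.

```typescript
// Added example. Hypothetical names throughout, except the two fields
// taken from the PR: allowSelfSignedCerts and rejectUnauthorized.
interface GatewaySettings {
  url: string;
  token: string;
  allowSelfSignedCerts: boolean;
}

// Normalize untrusted input (request body, stored JSON). Only a literal
// `true` enables the relaxed TLS policy; "true", 1 or a missing field do not.
function normalizeGatewaySettings(raw: unknown): GatewaySettings {
  const g = (raw ?? {}) as Record<string, unknown>;
  return {
    url: typeof g.url === "string" ? g.url.trim() : "",
    token: typeof g.token === "string" ? g.token.trim() : "",
    allowSelfSignedCerts: g.allowSelfSignedCerts === true,
  };
}

// Socket options derived from the settings. The key is left out entirely
// unless the user opted in and the URL is wss://, so the default path
// keeps normal certificate verification.
function socketTlsOptions(s: GatewaySettings): { rejectUnauthorized?: false } {
  const isTls = s.url.toLowerCase().startsWith("wss://");
  return s.allowSelfSignedCerts && isTls ? { rejectUnauthorized: false } : {};
}

// A live connection must be rebuilt when any field that shapes the socket
// changes. Comparing url/token only would leave the old TLS policy in place.
function needsReconnect(prev: GatewaySettings, next: GatewaySettings): boolean {
  return (
    prev.url !== next.url ||
    prev.token !== next.token ||
    prev.allowSelfSignedCerts !== next.allowSelfSignedCerts
  );
}
```

Using the same normalizer in the save route and the test-connection route keeps the two code paths from disagreeing about the TLS policy.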