Files
nousresearch--hermes-agent/docs/rca-ssl-cacert-post-git-pull.md
wehub-resource-sync b4fbd6fe9f
Deploy Site / deploy-vercel (push) Has been skipped
Deploy Site / deploy-docs (push) Has been skipped
Build Skills Index / build-index (push) Has been skipped
Build Skills Index / trigger-deploy (push) Waiting to run
CI / Deny unrelated histories (push) Has been skipped
CI / CI timing report (push) Blocked by required conditions
CI / Detect affected areas (push) Successful in 27m35s
CI / OSV scan (push) Failing after 4s
CI / Build&Test Docker image (push) Successful in 9s
CI / Supply-chain scan (push) Has been skipped
CI / Lint Docker scripts (push) Failing after 5m13s
CI / Check contributors (push) Failing after 12m8s
CI / Docs Site (push) Failing after 12m8s
CI / TypeScript (push) Failing after 12m8s
CI / Python lints (push) Failing after 12m9s
CI / Python tests (push) Failing after 12m9s
CI / Check uv.lock (push) Failing after 23m22s
CI / All required checks pass (push) Waiting to run
chore: import upstream snapshot with attribution
2026-07-13 11:56:03 +08:00

2.7 KiB

RCA: SSL CA cert bundle corruption after hermes update

Status: resolved by fix(ssl): surface broken CA bundles before provider calls Severity: P2 — degrades the agent into opaque provider/client failures until the user repairs deps or CA configuration.

Summary

A partial hermes update, interrupted venv repair, or stale CA-bundle environment variable can leave Python TLS configuration pointing at a missing, empty, or unloadable CA bundle. The first outbound HTTPS client creation or request can then fail with a raw FileNotFoundError: [Errno 2] No such file or directory or a low-level SSL error that does not name the broken CA path.

Root cause

Hermes uses OpenAI/httpx and requests-based clients for provider calls, model metadata, gateway delivery, and web tools. Those clients inherit CA bundle settings from:

  • HERMES_CA_BUNDLE
  • SSL_CERT_FILE
  • REQUESTS_CA_BUNDLE
  • CURL_CA_BUNDLE
  • the bundled certifi package's cacert.pem

When the venv is partially refreshed, or when one of those env vars points at a file that no longer exists, provider client construction can fail before Hermes has enough context to produce a useful message.

Fix

agent/ssl_guard.py validates CA bundle configuration before the OpenAI-compatible provider client is created in agent/agent_init.py. It:

  1. Checks explicit CA bundle env vars and reports the exact broken variable/path,
  2. Verifies certifi is importable,
  3. Verifies certifi.where() points at an existing file of plausible size,
  4. Builds an ssl.SSLContext from each checked bundle,
  5. Raises a typed SSLConfigurationError with a repair hint before httpx/OpenAI can raise a raw low-level error.

hermes_cli doctor exposes the same check under SSL / CA Certificates, so users can diagnose the problem without starting a model session.

Recovery

When the guard fires during agent init, the user sees a message like:

Failed to initialize OpenAI client: SSL_CERT_FILE points to a missing CA bundle: C:\path\to\missing\cacert.pem
Repair: python -m pip install --force-reinstall certifi openai httpx
If you configured a custom corporate CA bundle, fix or unset the broken CA bundle environment variable.

For a normal corrupted Hermes venv, reinstall the affected client dependencies:

python -m pip install --force-reinstall certifi openai httpx

For a custom/corporate CA setup, fix the env var so it points at a real PEM bundle, or unset it if Hermes should use the bundled certifi store.

Environment escape hatch

Set HERMES_SKIP_SSL_GUARD=1 to bypass the preflight check. This is intended only for sandboxed or managed-trust environments where the Python CA path looks unusual but downstream clients are known to work.