# PR #2232: Support truststore when available and add tracing - URL: https://github.com/openai/codex/pull/2232 - Author: pakrym-oai - Created: 2025-08-12 16:01:09 UTC - Updated: 2025-08-12 16:21:07 UTC - Changes: +46/-3, Files changed: 1, Commits: 1 ## Description Supports minimal tracing and detection of working ssl cert. ## Full Diff ```diff
diff --git a/codex-rs/login/src/login_with_chatgpt.py b/codex-rs/login/src/login_with_chatgpt.py
index ddcc6e66c7..252c4e06ae 100644
--- a/codex-rs/login/src/login_with_chatgpt.py
+++ b/codex-rs/login/src/login_with_chatgpt.py
@@ -45,11 +45,54 @@ EXIT_CODE_WHEN_ADDRESS_ALREADY_IN_USE = 13 CA_CONTEXT = None +CODEX_LOGIN_TRACE = os.environ.get("CODEX_LOGIN_TRACE", "false") in ["true", "1"] + try: - import ssl - import certifi as _certifi - CA_CONTEXT = ssl.create_default_context(cafile=_certifi.where()) + def trace(msg: str) -> None: + if CODEX_LOGIN_TRACE: + print(msg) + + def attempt_request(method: str) -> bool: + try: + with urllib.request.urlopen( + urllib.request.Request( + f"{DEFAULT_ISSUER}/.well-known/openid-configuration", + method="GET", + ), + context=CA_CONTEXT, + ) as resp: + if resp.status != 200: + trace(f"Request using {method} failed: {resp.status}") + return False + + trace(f"Request using {method} succeeded") + return True + except Exception as e: + trace(f"Request using {method} failed: {e}") + return False + + status = attempt_request("default settings") + if not status: + try: + import truststore + + truststore.inject_into_ssl() + status = attempt_request("truststore") + except Exception as e: + trace(f"Failed to use truststore: {e}") + + if not status: + try: + import ssl + import certifi as _certifi + + CA_CONTEXT = ssl.create_default_context(cafile=_certifi.where()) + status = attempt_request("certify") + except Exception as e: + trace(f"Failed to use certify: {e}") + + except Exception: pass ``` ## Review Comments ### codex-rs/login/src/login_with_chatgpt.py - Created: 2025-08-12 16:08:03 UTC | Link: https://github.com/openai/codex/pull/2232#discussion_r2270452078 ```diff 
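Review bot: `truststore.inject_into_ssl()` in the truststore branch patches `ssl.SSLContext` for the whole process as a side effect of a module-level probe, and nothing undoes it when the following `attempt_request("truststore")` returns False. The certifi fallback then calls `ssl.create_default_context(...)` on the already patched `ssl` module, so the three attempts are not independent, and any other TLS user in the process appears to inherit the patch as well. A context scoped to this module avoids both: replace the inject call with `import ssl` and `CA_CONTEXT = truststore.SSLContext(ssl.PROTOCOL_TLS_CLIENT)`, and set `CA_CONTEXT = None` again if that probe fails. Separately, the `urlopen` call in `attempt_request` passes no `timeout=`, so up to three blocking requests can run at import time; a bound such as `timeout=5` (constructed value) would cap the delay. The trace labels also say `"certify"` where the package is `certifi`.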
@@ -45,11 +45,54 @@ EXIT_CODE_WHEN_ADDRESS_ALREADY_IN_USE = 13 CA_CONTEXT = None +CODEX_LOGIN_TRACE = os.environ.get("CODEX_LOGIN_TRACE", "false") in ["true", "1"] + try: - import ssl - import certifi as _certifi - CA_CONTEXT = ssl.create_default_context(cafile=_certifi.where()) + def trace(msg: str) -> None: + if CODEX_LOGIN_TRACE: + print(msg) + + def attempt_request(method: str) -> bool: + try: + with urllib.request.urlopen( + urllib.request.Request( + f"{DEFAULT_ISSUER}/.well-known/openid-configuration", + method="GET", + ), + context=CA_CONTEXT, + ) as resp: + if resp.status != 200: + trace(f"Request using {method} failed: {resp.status}") + return False + + trace(f"Request using {method} succeeded") + return True + except Exception as e: + trace(f"Request using {method} failed: {e}") + return False + + status = attempt_request("default settings") + if not status: + try: + import truststore ``` > Is this third-party dep commonly installed? > > https://pypi.org/project/truststore/ - Created: 2025-08-12 16:08:51 UTC | Link: https://github.com/openai/codex/pull/2232#discussion_r2270454760 ```diff 
@@ -45,11 +45,54 @@ EXIT_CODE_WHEN_ADDRESS_ALREADY_IN_USE = 13 CA_CONTEXT = None +CODEX_LOGIN_TRACE = os.environ.get("CODEX_LOGIN_TRACE", "false") in ["true", "1"] + try: - import ssl - import certifi as _certifi - CA_CONTEXT = ssl.create_default_context(cafile=_certifi.where()) + def trace(msg: str) -> None: + if CODEX_LOGIN_TRACE: + print(msg) + + def attempt_request(method: str) -> bool: + try: + with urllib.request.urlopen( + urllib.request.Request( + f"{DEFAULT_ISSUER}/.well-known/openid-configuration", + method="GET", + ), + context=CA_CONTEXT, + ) as resp: + if resp.status != 200: + trace(f"Request using {method} failed: {resp.status}") + return False + + trace(f"Request using {method} succeeded") + return True + except Exception as e: + trace(f"Request using {method} failed: {e}") + return False + + status = attempt_request("default settings") + if not status: + try: + import truststore + + truststore.inject_into_ssl() + status = attempt_request("truststore") + except Exception as e: + trace(f"Failed to use truststore: {e}") + + if not status: + try: + import ssl + import certifi as _certifi ``` > Though I guess so is this... https://pypi.org/project/certifi/