[Bug]: Allow insecure https requests to OpenAI-compatible endpoints

[BlueskyFR]

Summary

My OpenAI-compatible https endpoint uses a self-signed certificate, and I'd like ZeroClaw to have an option to ignore SSL cert check for it, or have an option to import my self-signed CA

Affected component

runtime/daemon

Severity

S0 - data loss / security risk

Current behavior

Currently: error sending request for url <>

Expected behavior

Have an option to ignore SSL errors for my custom provider

Steps to reproduce

Deploy any model with say VLLM and use a self-signed SSL certificate

Impact

Constrained production environments where Let's Encrypt might not be available.

Logs / stack traces

ZeroClaw version

93d9d0d

Rust version

Docker-compose version

Operating system

Podman rootless

Regression?

No, first-time setup

Pre-flight checks

• I reproduced this on the latest main branch or latest release.
• I redacted secrets/tokens from logs.
• I removed personal identifiers and replaced identity-specific data with neutral placeholders.

[github-actions]

Thanks for opening this issue.

Before maintainers triage it, please confirm:

• Repro steps are complete and run on latest main
• Environment details are included (OS, Rust version, ZeroClaw version)
• Sensitive values are redacted

This helps us keep issue throughput high and response latency low.

[theonlyhennygod]

Implemented via commit b6a1ace on the feat/prometheus-observer-rebased branch.

To use with self-signed certificates, add to your config.toml:

[reliability]
allow_insecure = true

WARNING: This bypasses SSL certificate verification. Only use in trusted environments or consider importing your CA certificate instead.

The feature is now available on the feat/prometheus-observer-rebased branch which will be merged via PR #596.

[lirc571]

Hi @theonlyhennygod, b6a1ace is not in #596 and not merged to main.

[Audacity88]

Status Update

Reopening this as the provider TLS-verification bypass decision, not as the custom-CA work. #5797 merged the safer production path with tls_ca_cert_path, and #1458 can stay closed for the custom-CA part.

Current issue map:

• [Feature]: Add support for local CA certificates for custom inference provider #1458: custom CA support for local/private PKI; covered by feat(providers): add tls_ca_cert_path support for custom inference providers #5797.
• feat(providers): add tls_ca_cert_path support for custom inference providers #5797: merged tls_ca_cert_path provider config for custom inference endpoints.
• fix(providers): trust system CA roots for provider HTTPS requests #6600: provider HTTPS system-root trust follow-up.
• [Bug]: Allow insecure https requests to OpenAI-compatible endpoints #551: remaining question: should provider TLS ever allow an explicit verification bypass?

Open decision:

Choose one policy before implementation:

• Decline an insecure provider TLS bypass and document tls_ca_cert_path / system roots as the supported path.
• Accept a guarded break-glass option for local or constrained deployments.

If the bypass is accepted, it should be provider-scoped, default off, loudly named, log a warning when active, and avoid changing ZeroClaw's default TLS verification policy.

Next slice:

Treat this as a design/security decision before code work. Recent user feedback on #1458 shows the local-model setup friction is real, but provider traffic can carry prompts, tool results, and model outputs, so the default must keep TLS verification on.