When wrangler dies behind a corporate proxy, use the API

2 min read CloudflareWindows

Wrangler and other vendor CLIs hang or throw TLS errors behind a corporate proxy that intercepts HTTPS. Skip the CLI and drive the Cloudflare REST API directly with curl and a scoped token.

TL;DR · THE FIX

A corporate proxy that intercepts TLS presents its own certificate, which strict CLIs like wrangler reject. Drop to the underlying REST API with curl -sk (Python requests verify=False) and a scoped API token. Most CLIs are just wrappers; the API is always reachable.

The symptom

On a locked-down Windows machine behind a corporate proxy, wrangler was unusable. wrangler login never completed, deploys threw TLS or self-signed-certificate errors, and other vendor CLIs failed the same way. The Cloudflare dashboard worked fine in the browser, so it clearly wasn’t an outage or a credentials problem.

What’s actually happening

The corporate proxy does TLS interception: it sits in the middle, terminates the real HTTPS connection, and re-encrypts traffic to you with its own certificate signed by an internal CA. The browser trusts that CA because IT installed it in the system store. Many CLIs don’t use the system store, or they pin certificates, so they see an unknown issuer and refuse the connection. It’s not a Cloudflare bug. The proxy is breaking the certificate chain that wrangler expects, and wrangler does the correct, strict thing and bails.

The fix

Stop fighting the CLI. Almost every vendor tool is a wrapper over a REST API, and the API is reachable directly. Talk to it with curl and -k (skip cert verification, since you already know who is intercepting you), authenticating with a scoped API token:

# token from your .env, never inline in the command history
export CF_TOKEN="$(grep CLOUDFLARE_TOKEN .env | cut -d= -f2)"

# example: find a zone, then create a DNS record
curl -sk "https://api.cloudflare.com/client/v4/zones?name=example.com" \
  -H "Authorization: Bearer $CF_TOKEN" | jq -r '.result[0].id'

curl -sk -X POST "https://api.cloudflare.com/client/v4/zones/$ZONE/dns_records" \
  -H "Authorization: Bearer $CF_TOKEN" -H "Content-Type: application/json" \
  --data '{"type":"CNAME","name":"www","content":"my-app.pages.dev","proxied":true}'

In Python the same escape hatch is requests.get(url, verify=False). I have driven whole workflows this way: creating DNS records, attaching a custom domain to a Pages project, setting up email routing, all the things wrangler would normally do.

A word on -k: it disables certificate verification, which is a real tradeoff, not a free pass. It is fine on a machine you control where you already know the proxy is the man in the middle. Do not make it a habit on untrusted networks, and keep the token minimally scoped (only the permissions the task needs) so a leaked or logged token can’t do much.

The lesson

When a vendor CLI dies behind a TLS-intercepting proxy, drop a layer. The CLI is convenience; the REST API underneath it is always there, and curl -sk (or verify=False) plus a scoped token gets you through. The same move rescued RDAP lookups and a handful of other tools on the same machine. The proxy can break a CLI’s certificate handling, but it can’t hide the API.

Related fixes

PowerShellWindows

PowerShell mangles quotes in CLI args, so pass JSON by file
CloudflarePages

A Pages custom domain added by API gets stuck on 'CNAME record not set'
CloudflarePages

Your Cloudflare Pages env vars do nothing (Direct Upload vs Git build)

Discussion

Powered by GitHub. Sign in to leave a comment.