download_execution_logs fails with TLS error when HARNESS_BASE_URL differs from app.harness.io #39

@mehulparmariitr

Summary

download_execution_logs fails with a TLS certificate error when HARNESS_BASE_URL is configured to a custom/vanity Harness domain (e.g., https://mycompany.harness.io). All other MCP tools work correctly.

Error

failed to download logs: Get "https://app.harness.io/storage/harness-download/comp-log-service/...":
tls: failed to verify certificate: x509: certificate signed by unknown authority

Root Cause

The log download is a two-step process:

  1. API call to {HARNESS_BASE_URL}/blob/download — returns a pre-signed download URL. This works fine because the MCP uses the configured HARNESS_BASE_URL.

  2. File download from the pre-signed URL — the URL returned by the API is hardcoded to app.harness.io, regardless of what HARNESS_BASE_URL is configured to. The MCP then calls http.Get(logDownloadURL) in common/pkg/tools/logs.go (~line 350) using Go's default HTTP client with no TLS customization.

In environments where the network routes through a corporate proxy or uses a custom Harness domain, the app.harness.io certificate may not be trusted, causing the TLS handshake to fail.

Every other MCP tool works because they only do Step 1 (API calls to the configured base URL). download_execution_logs is the only tool that follows an external URL from the API response.

Affected Files

  • common/client/logs.go: GetDownloadLogsURL() returns response.Link as-is from the API without rewriting the host
  • common/pkg/tools/logs.go: http.Get(logDownloadURL) uses Go's default HTTP client with no TLS skip option

Proposed Solutions

Option A: URL rewriting (preferred)

In common/client/logs.go, rewrite response.Link to replace app.harness.io with the configured HARNESS_BASE_URL host before returning it. This ensures the download goes through the same trusted endpoint as all other API calls.

Option B: TLS skip option

Add a HARNESS_TLS_SKIP_VERIFY environment variable (default false). When true, use a custom http.Transport with InsecureSkipVerify: true for the download request in common/pkg/tools/logs.go:

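// Requires the crypto/tls and net/http imports.
// Used only when HARNESS_TLS_SKIP_VERIFY is true: disables certificate
// verification for the download request.
tr := &http.Transport{
    TLSClientConfig: &tls.Config{InsecureSkipVerify: true},
}
httpClient := &http.Client{Transport: tr}
resp, err := httpClient.Get(logDownloadURL)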

Option C: Custom CA certificate support

Add a HARNESS_CA_CERT_PATH environment variable that loads additional CA certificates into the HTTP client's TLS config for the download request.

Environment

  • Harness MCP Server (latest)
  • HARNESS_BASE_URL set to a custom domain (not app.harness.io)
  • Corporate network with custom CA certificates
