Where does the bug appear (feature/product)?
Cursor IDE
Describe the Bug
Cursor cannot connect to some HTTPS MCP servers, but everything else works fine.
LetsEncrypt recently rotated from their R13 intermediate to their R12 - Cursor worked fine with R13 (still does on sites not-yet updated), but fails on new R12 ones.
2025-11-27 23:54:15.289 [info] Client closed for command
2025-11-27 23:54:15.289 [error] Error connecting to streamableHttp server, falling back to SSE: fetch failed
2025-11-27 23:54:15.289 [error] Error connecting to streamableHttp server, falling back to SSE: fetch failed
2025-11-27 23:54:15.290 [info] Connecting to SSE server
2025-11-27 23:54:15.311 [info] No stored tokens found
2025-11-27 23:54:15.331 [error] Client error for command SSE error: TypeError: fetch failed: unable to verify the first certificate
2025-11-27 23:54:15.331 [error] Error connecting to SSE server after fallback: SSE error: TypeError: fetch failed: unable to verify the first certificate
Looks like a very weird messup with cacert.pem or whatever bundle is in use!
Steps to Reproduce
connect an MCP to any site using new LE Certs
Expected Behavior
Should accept the valid cers.
Operating System
Windows 10/11
MacOS
Current Cursor Version (Menu → About Cursor → Copy)
Version: 2.1.15 (system setup)
VSCode Version: 1.105.1
Commit: a022145cbf8aea0babc3b039a98551c1518de020
Date: 2025-11-21T07:22:34.513Z
Electron: 37.7.0
Chromium: 138.0.7204.251
Node.js: 22.20.0
V8: 13.8.258.32-electron.0
OS: Windows_NT x64 10.0.17763
Additional Information
$ cat chain_R12.pem
-----BEGIN CERTIFICATE-----
MIIFBjCCAu6gAwIBAgIRAMISMktwqbSRcdxA9+KFJjwwDQYJKoZIhvcNAQELBQAw
TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh
cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwHhcNMjQwMzEzMDAwMDAw
WhcNMjcwMzEyMjM1OTU5WjAzMQswCQYDVQQGEwJVUzEWMBQGA1UEChMNTGV0J3Mg
RW5jcnlwdDEMMAoGA1UEAxMDUjEyMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB
CgKCAQEA2pgodK2+lP474B7i5Ut1qywSf+2nAzJ+Npfs6DGPpRONC5kuHs0BUT1M
5ShuCVUxqqUiXXL0LQfCTUA83wEjuXg39RplMjTmhnGdBO+ECFu9AhqZ66YBAJpz
kG2Pogeg0JfT2kVhgTU9FPnEwF9q3AuWGrCf4yrqvSrWmMebcas7dA8827JgvlpL
Thjp2ypzXIlhZZ7+7Tymy05v5J75AEaz/xlNKmOzjmbGGIVwx1Blbzt05UiDDwhY
XS0jnV6j/ujbAKHS9OMZTfLuevYnnuXNnC2i8n+cF63vEzc50bTILEHWhsDp7CH4
WRt/uTp8n1wBnWIEwii9Cq08yhDsGwIDAQABo4H4MIH1MA4GA1UdDwEB/wQEAwIB
hjAdBgNVHSUEFjAUBggrBgEFBQcDAgYIKwYBBQUHAwEwEgYDVR0TAQH/BAgwBgEB
/wIBADAdBgNVHQ4EFgQUALUp8i2ObzHom0yteD763OkM0dIwHwYDVR0jBBgwFoAU
ebRZ5nu25eQBc4AIiMgaWPbpm24wMgYIKwYBBQUHAQEEJjAkMCIGCCsGAQUFBzAC
hhZodHRwOi8veDEuaS5sZW5jci5vcmcvMBMGA1UdIAQMMAowCAYGZ4EMAQIBMCcG
A1UdHwQgMB4wHKAaoBiGFmh0dHA6Ly94MS5jLmxlbmNyLm9yZy8wDQYJKoZIhvcN
AQELBQADggIBAI910AnPanZIZTKS3rVEyIV29BWEjAK/duuz8eL5boSoVpHhkkv3
4eoAeEiPdZLj5EZ7G2ArIK+gzhTlRQ1q4FKGpPPaFBSpqV/xbUb5UlAXQOnkHn3m
FVj+qYv87/WeY+Bm4sN3Ox8BhyaU7UAQ3LeZ7N1X01xxQe4wIAAE3JVLUCiHmZL+
qoCUtgYIFPgcg350QMUIWgxPXNGEncT921ne7nluI02V8pLUmClqXOsCwULw+PVO
ZCB7qOMxxMBoCUeL2Ll4oMpOSr5pJCpLN3tRA2s6P1KLs9TSrVhOk+7LX28NMUlI
usQ/nxLJID0RhAeFtPjyOCOscQBA53+NRjSCak7P4A5jX7ppmkcJECL+S0i3kXVU
y5Me5BbrU8973jZNv/ax6+ZK6TM8jWmimL6of6OrX7ZU6E2WqazzsFrLG3o2kySb
zlhSgJ81Cl4tv3SbYiYXnJExKQvzf83DYotox3f0fwv7xln1A2ZLplCb0O+l/AK0
YE0DS2FPxSAHi0iwMfW2nNHJrXcY3LLHD77gRgje4Eveubi2xxa+Nmk/hmhLdIET
iVDFanoCrMVIpQ59XWHkzdFmoHXHBV7oibVjGSO7ULSQ7MJ1Nz51phuDJSgAIU7A
0zrLnOrAj/dfrlEWRhCvAgbuwLZX1A2sjNjXoPOHbsPiy+lO1KF8/XY7
-----END CERTIFICATE-----
$ cat chain_R13.pem
-----BEGIN CERTIFICATE-----
MIIFBTCCAu2gAwIBAgIQWgDyEtjUtIDzkkFX6imDBTANBgkqhkiG9w0BAQsFADBP
MQswCQYDVQQGEwJVUzEpMCcGA1UEChMgSW50ZXJuZXQgU2VjdXJpdHkgUmVzZWFy
Y2ggR3JvdXAxFTATBgNVBAMTDElTUkcgUm9vdCBYMTAeFw0yNDAzMTMwMDAwMDBa
Fw0yNzAzMTIyMzU5NTlaMDMxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBF
bmNyeXB0MQwwCgYDVQQDEwNSMTMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK
AoIBAQClZ3CN0FaBZBUXYc25BtStGZCMJlA3mBZjklTb2cyEBZPs0+wIG6BgUUNI
fSvHSJaetC3ancgnO1ehn6vw1g7UDjDKb5ux0daknTI+WE41b0VYaHEX/D7YXYKg
L7JRbLAaXbhZzjVlyIuhrxA3/+OcXcJJFzT/jCuLjfC8cSyTDB0FxLrHzarJXnzR
yQH3nAP2/Apd9Np75tt2QnDr9E0i2gB3b9bJXxf92nUupVcM9upctuBzpWjPoXTi
dYJ+EJ/B9aLrAek4sQpEzNPCifVJNYIKNLMc6YjCR06CDgo28EdPivEpBHXazeGa
XP9enZiVuppD0EqiFwUBBDDTMrOPAgMBAAGjgfgwgfUwDgYDVR0PAQH/BAQDAgGG
MB0GA1UdJQQWMBQGCCsGAQUFBwMCBggrBgEFBQcDATASBgNVHRMBAf8ECDAGAQH/
AgEAMB0GA1UdDgQWBBTnq58PLDOgU9NeT3jIsoQOO9aSMzAfBgNVHSMEGDAWgBR5
tFnme7bl5AFzgAiIyBpY9umbbjAyBggrBgEFBQcBAQQmMCQwIgYIKwYBBQUHMAKG
Fmh0dHA6Ly94MS5pLmxlbmNyLm9yZy8wEwYDVR0gBAwwCjAIBgZngQwBAgEwJwYD
VR0fBCAwHjAcoBqgGIYWaHR0cDovL3gxLmMubGVuY3Iub3JnLzANBgkqhkiG9w0B
AQsFAAOCAgEAUTdYUqEimzW7TbrOypLqCfL7VOwYf/Q79OH5cHLCZeggfQhDconl
k7Kgh8b0vi+/XuWu7CN8n/UPeg1vo3G+taXirrytthQinAHGwc/UdbOygJa9zuBc
VyqoH3CXTXDInT+8a+c3aEVMJ2St+pSn4ed+WkDp8ijsijvEyFwE47hulW0Ltzjg
9fOV5Pmrg/zxWbRuL+k0DBDHEJennCsAen7c35Pmx7jpmJ/HtgRhcnz0yjSBvyIw
6L1QIupkCv2SBODT/xDD3gfQQyKv6roV4G2EhfEyAsWpmojxjCUCGiyg97FvDtm/
NK2LSc9lybKxB73I2+P2G3CaWpvvpAiHCVu30jW8GCxKdfhsXtnIy2imskQqVZ2m
0Pmxobb28Tucr7xBK7CtwvPrb79os7u2XP3O5f9b/H66GNyRrglRXlrYjI1oGYL/
f4I1n/Sgusda6WvA6C190kxjU15Y12mHU4+BxyR9cx2hhGS9fAjMZKJss28qxvz6
Axu4CaDmRNZpK/pQrXF17yXCXkmEWgvSOEZy6Z9pcbLIVEGckV/iVeq0AOo2pkg9
p4QRIy0tK2diRENLSF2KysFwbY6B26BFeFs3v1sYVRhFW9nLkOrQVporCS0KyZmf
wVD89qSTlnctLcZnIavjKsKUu1nA1iU0yYMdYepKR7lWbnwhdx3ewok=
-----END CERTIFICATE-----
$ openssl x509 -text -noout -in chain_R12.pem
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
c2:12:32:4b:70:a9:b4:91:71:dc:40:f7:e2:85:26:3c
Signature Algorithm: sha256WithRSAEncryption
Issuer: C = US, O = Internet Security Research Group, CN = ISRG Root X1
Validity
Not Before: Mar 13 00:00:00 2024 GMT
Not After : Mar 12 23:59:59 2027 GMT
Subject: C = US, O = Let’s Encrypt, CN = R12
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public-Key: (2048 bit)
Modulus:
00:da:98:28:74:ad:be:94:fe:3b:e0:1e:e2:e5:4b:
75:ab:2c:12:7f:ed:a7:03:32:7e:36:97:ec:e8:31:
8f:a5:13:8d:0b:99:2e:1e:cd:01:51:3d:4c:e5:28:
6e:09:55:31:aa:a5:22:5d:72:f4:2d:07:c2:4d:40:
3c:df:01:23:b9:78:37:f5:1a:65:32:34:e6:86:71:
9d:04:ef:84:08:5b:bd:02:1a:99:eb:a6:01:00:9a:
73:90:6d:8f:a2:07:a0:d0:97:d3:da:45:61:81:35:
3d:14:f9:c4:c0:5f:6a:dc:0b:96:1a:b0:9f:e3:2a:
ea:bd:2a:d6:98:c7:9b:71:ab:3b:74:0f:3c:db:b2:
60:be:5a:4b:4e:18:e9:db:2a:73:5c:89:61:65:9e:
fe:ed:3c:a6:cb:4e:6f:e4:9e:f9:00:46:b3:ff:19:
4d:2a:63:b3:8e:66:c6:18:85:70:c7:50:65:6f:3b:
74:e5:48:83:0f:08:58:5d:2d:23:9d:5e:a3:fe:e8:
db:00:a1:d2:f4:e3:19:4d:f2:ee:7a:f6:27:9e:e5:
cd:9c:2d:a2:f2:7f:9c:17:ad:ef:13:37:39:d1:b4:
c8:2c:41:d6:86:c0:e9:ec:21:f8:59:1b:7f:b9:3a:
7c:9f:5c:01:9d:62:04:c2:28:bd:0a:ad:3c:ca:10:
ec:1b
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Key Usage: critical
Digital Signature, Certificate Sign, CRL Sign
X509v3 Extended Key Usage:
TLS Web Client Authentication, TLS Web Server Authentication
X509v3 Basic Constraints: critical
CA:TRUE, pathlen:0
X509v3 Subject Key Identifier:
00:B5:29:F2:2D:8E:6F:31:E8:9B:4C:AD:78:3E:FA:DC:E9:0C:D1:D2
X509v3 Authority Key Identifier:
keyid:79:B4:59:E6:7B:B6:E5:E4:01:73:80:08:88:C8:1A:58:F6:E9:9B:6E
Authority Information Access:
CA Issuers - URI:http://x1.i.lencr.org/
X509v3 Certificate Policies:
Policy: 2.23.140.1.2.1
X509v3 CRL Distribution Points:
Full Name:
URI:http://x1.c.lencr.org/
Signature Algorithm: sha256WithRSAEncryption
8f:75:d0:09:cf:6a:76:48:65:32:92:de:b5:44:c8:85:76:f4:
15:84:8c:02:bf:76:eb:b3:f1:e2:f9:6e:84:a8:56:91:e1:92:
4b:f7:e1:ea:00:78:48:8f:75:92:e3:e4:46:7b:1b:60:2b:20:
af:a0:ce:14:e5:45:0d:6a:e0:52:86:a4:f3:da:14:14:a9:a9:
5f:f1:6d:46:f9:52:50:17:40:e9:e4:1e:7d:e6:15:58:fe:a9:
8b:fc:ef:f5:9e:63:e0:66:e2:c3:77:3b:1f:01:87:26:94:ed:
40:10:dc:b7:99:ec:dd:57:d3:5c:71:41:ee:30:20:00:04:dc:
95:4b:50:28:87:99:92:fe:aa:80:94:b6:06:08:14:f8:1c:83:
7e:74:40:c5:08:5a:0c:4f:5c:d1:84:9d:c4:fd:db:59:de:ee:
79:6e:23:4d:95:f2:92:d4:98:29:6a:5c:eb:02:c1:42:f0:f8:
f5:4e:64:20:7b:a8:e3:31:c4:c0:68:09:47:8b:d8:b9:78:a0:
ca:4e:4a:be:69:24:2a:4b:37:7b:51:03:6b:3a:3f:52:8b:b3:
d4:d2:ad:58:4e:93:ee:cb:5f:6f:0d:31:49:48:ba:c4:3f:9f:
12:c9:20:3d:11:84:07:85:b4:f8:f2:38:23:ac:71:00:40:e7:
7f:8d:46:34:82:6a:4e:cf:e0:0e:63:5f:ba:69:9a:47:09:10:
22:fe:4b:48:b7:91:75:54:cb:93:1e:e4:16:eb:53:cf:7b:de:
36:4d:bf:f6:b1:eb:e6:4a:e9:33:3c:8d:69:a2:98:be:a8:7f:
a3:ab:5f:b6:54:e8:4d:96:a9:ac:f3:b0:5a:cb:1b:7a:36:93:
24:9b:ce:58:52:80:9f:35:0a:5e:2d:bf:74:9b:62:26:17:9c:
91:31:29:0b:f3:7f:cd:c3:62:8b:68:c7:77:f4:7f:0b:fb:c6:
59:f5:03:66:4b:a6:50:9b:d0:ef:a5:fc:02:b4:60:4d:03:4b:
61:4f:c5:20:07:8b:48:b0:31:f5:b6:9c:d1:c9:ad:77:18:dc:
b2:c7:0f:be:e0:46:08:de:e0:4b:de:b9:b8:b6:c7:16:be:36:
69:3f:86:68:4b:74:81:13:89:50:c5:6a:7a:02:ac:c5:48:a5:
0e:7d:5d:61:e4:cd:d1:66:a0:75:c7:05:5e:e8:89:b5:63:19:
23:bb:50:b4:90:ec:c2:75:37:3e:75:a6:1b:83:25:28:00:21:
4e:c0:d3:3a:cb:9c:ea:c0:8f:f7:5f:ae:51:16:46:10:af:02:
06:ee:c0:b6:57:d4:0d:ac:8c:d8:d7:a0:f3:87:6e:c3:e2:cb:
e9:4e:d4:a1:7c:fd:76:3b
$ openssl x509 -text -noout -in chain_R13.pem
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
5a:00:f2:12:d8:d4:b4:80:f3:92:41:57:ea:29:83:05
Signature Algorithm: sha256WithRSAEncryption
Issuer: C = US, O = Internet Security Research Group, CN = ISRG Root X1
Validity
Not Before: Mar 13 00:00:00 2024 GMT
Not After : Mar 12 23:59:59 2027 GMT
Subject: C = US, O = Let’s Encrypt, CN = R13
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public-Key: (2048 bit)
Modulus:
00:a5:67:70:8d:d0:56:81:64:15:17:61:cd:b9:06:
d4:ad:19:90:8c:26:50:37:98:16:63:92:54:db:d9:
cc:84:05:93:ec:d3:ec:08:1b:a0:60:51:43:48:7d:
2b:c7:48:96:9e:b4:2d:da:9d:c8:27:3b:57:a1:9f:
ab:f0:d6:0e:d4:0e:30:ca:6f:9b:b1:d1:d6:a4:9d:
32:3e:58:4e:35:6f:45:58:68:71:17:fc:3e:d8:5d:
82:a0:2f:b2:51:6c:b0:1a:5d:b8:59:ce:35:65:c8:
8b:a1:af:10:37:ff:e3:9c:5d:c2:49:17:34:ff:8c:
2b:8b:8d:f0:bc:71:2c:93:0c:1d:05:c4:ba:c7:cd:
aa:c9:5e:7c:d1:c9:01:f7:9c:03:f6:fc:0a:5d:f4:
da:7b:e6:db:76:42:70:eb:f4:4d:22:da:00:77:6f:
d6:c9:5f:17:fd:da:75:2e:a5:57:0c:f6:ea:5c:b6:
e0:73:a5:68:cf:a1:74:e2:75:82:7e:10:9f:c1:f5:
a2:eb:01:e9:38:b1:0a:44:cc:d3:c2:89:f5:49:35:
82:0a:34:b3:1c:e9:88:c2:47:4e:82:0e:0a:36:f0:
47:4f:8a:f1:29:04:75:da:cd:e1:9a:5c:ff:5e:9d:
98:95:ba:9a:43:d0:4a:a2:17:05:01:04:30:d3:32:
b3:8f
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Key Usage: critical
Digital Signature, Certificate Sign, CRL Sign
X509v3 Extended Key Usage:
TLS Web Client Authentication, TLS Web Server Authentication
X509v3 Basic Constraints: critical
CA:TRUE, pathlen:0
X509v3 Subject Key Identifier:
E7:AB:9F:0F:2C:33:A0:53:D3:5E:4F:78:C8:B2:84:0E:3B:D6:92:33
X509v3 Authority Key Identifier:
keyid:79:B4:59:E6:7B:B6:E5:E4:01:73:80:08:88:C8:1A:58:F6:E9:9B:6E
Authority Information Access:
CA Issuers - URI:http://x1.i.lencr.org/
X509v3 Certificate Policies:
Policy: 2.23.140.1.2.1
X509v3 CRL Distribution Points:
Full Name:
URI:http://x1.c.lencr.org/
Signature Algorithm: sha256WithRSAEncryption
51:37:58:52:a1:22:9b:35:bb:4d:ba:ce:ca:92:ea:09:f2:fb:
54:ec:18:7f:f4:3b:f4:e1:f9:70:72:c2:65:e8:20:7d:08:43:
72:89:e5:93:b2:a0:87:c6:f4:be:2f:bf:5e:e5:ae:ec:23:7c:
9f:f5:0f:7a:0d:6f:a3:71:be:b5:a5:e2:ae:bc:ad:b6:14:22:
9c:01:c6:c1:cf:d4:75:b3:b2:80:96:bd:ce:e0:5c:57:2a:a8:
1f:70:97:4d:70:c8:9d:3f:bc:6b:e7:37:68:45:4c:27:64:ad:
fa:94:a7:e1:e7:7e:5a:40:e9:f2:28:ec:8a:3b:c4:c8:5c:04:
e3:b8:6e:95:6d:0b:b7:38:e0:f5:f3:95:e4:f9:ab:83:fc:f1:
59:b4:6e:2f:e9:34:0c:10:c7:10:97:a7:9c:2b:00:7a:7e:dc:
df:93:e6:c7:b8:e9:98:9f:c7:b6:04:61:72:7c:f4:ca:34:81:
bf:22:30:e8:bd:50:22:ea:64:0a:fd:92:04:e0:d3:ff:10:c3:
de:07:d0:43:22:af:ea:ba:15:e0:6d:84:85:f1:32:02:c5:a9:
9a:88:f1:8c:25:02:1a:2c:a0:f7:b1:6f:0e:d9:bf:34:ad:8b:
49:cf:65:c9:b2:b1:07:bd:c8:db:e3:f6:1b:70:9a:5a:9b:ef:
a4:08:87:09:5b:b7:d2:35:bc:18:2c:4a:75:f8:6c:5e:d9:c8:
cb:68:a6:b2:44:2a:55:9d:a6:d0:f9:b1:a1:b6:f6:f1:3b:9c:
af:bc:41:2b:b0:ad:c2:f3:eb:6f:bf:68:b3:bb:b6:5c:fd:ce:
e5:ff:5b:fc:7e:ba:18:dc:91:ae:09:51:5e:5a:d8:8c:8d:68:
19:82:ff:7f:82:35:9f:f4:a0:ba:c7:5a:e9:6b:c0:e8:2d:7d:
d2:4c:63:53:5e:58:d7:69:87:53:8f:81:c7:24:7d:73:1d:a1:
84:64:bd:7c:08:cc:64:a2:6c:b3:6f:2a:c6:fc:fa:03:1b:b8:
09:a0:e6:44:d6:69:2b:fa:50:ad:71:75:ef:25:c2:5e:49:84:
5a:0b:d2:38:46:72:e9:9f:69:71:b2:c8:54:41:9c:91:5f:e2:
55:ea:b4:00:ea:36:a6:48:3d:a7:84:11:23:2d:2d:2b:67:62:
44:43:4b:48:5d:8a:ca:c1:70:6d:8e:81:db:a0:45:78:5b:37:
bf:5b:18:55:18:45:5b:d9:cb:90:ea:d0:56:9a:2b:09:2d:0a:
c9:99:9f:c1:50:fc:f6:a4:93:96:77:2d:2d:c6:67:21:ab:e3:
2a:c2:94:bb:59:c0:d6:25:34:c9:83:1d:61:ea:4a:47:b9:56:
6e:7c:21:77:1d:de:c2:89
$
Does this stop you from using Cursor
Sometimes - I can sometimes use Cursor