85 lines
4.4 KiB
Markdown
85 lines
4.4 KiB
Markdown
# OpenAI/ChatGPT Browser Probe Notes — 2026-05-08
|
|
|
|
Session-specific learning from testing the Codex OAuth automation browser path on BOSS's Mac.
|
|
|
|
## Symptoms observed
|
|
|
|
- `https://openai.com/` loaded successfully in a real visible Chrome profile.
|
|
- `https://chatgpt.com/` failed before the registration/auth flow:
|
|
- First failure in Chrome: `NET::ERR_CERT_COMMON_NAME_INVALID` / privacy error.
|
|
- Relaunching Chrome with `--ignore-certificate-errors` bypassed the cert interstitial, but then failed with `ERR_CONNECTION_CLOSED`.
|
|
- Terminal probe also failed: `curl -I -L https://chatgpt.com/` returned `LibreSSL SSL_connect: SSL_ERROR_SYSCALL in connection to chatgpt.com:443`.
|
|
- `https://openai.com/` via curl returned Cloudflare challenge/403 in one probe, while the visible browser still rendered the OpenAI page.
|
|
|
|
## Interpretation
|
|
|
|
Treat this as a network/proxy/TLS path issue before treating it as an extension automation bug. If `chatgpt.com` cannot complete TLS/HTTP loading in the same environment, steps that open ChatGPT or OpenAI Auth will fail regardless of sidepanel settings.
|
|
|
|
## Probe sequence to reuse
|
|
|
|
1. Launch an isolated Chrome profile with remote debugging and the unpacked extension, but do not start registration yet:
|
|
|
|
```bash
|
|
/Applications/Google\ Chrome.app/Contents/MacOS/Google\ Chrome \
|
|
--user-data-dir="$PROFILE_DIR" \
|
|
--remote-debugging-port=9228 \
|
|
--disable-extensions-except="$CODEX_OAUTH_EXTENSION_DIR" \
|
|
--load-extension="$CODEX_OAUTH_EXTENSION_DIR" \
|
|
--no-first-run \
|
|
--no-default-browser-check \
|
|
--new-window https://openai.com/
|
|
```
|
|
|
|
2. Verify CDP is reachable:
|
|
|
|
```bash
|
|
curl -s http://127.0.0.1:9228/json/version
|
|
curl -s http://127.0.0.1:9228/json
|
|
```
|
|
|
|
3. Check direct network path before blaming DOM automation:
|
|
|
|
```bash
|
|
curl -I -L --max-time 15 https://chatgpt.com/
|
|
curl -I -L --max-time 15 https://openai.com/
|
|
```
|
|
|
|
4. If Chrome shows `NET::ERR_CERT_COMMON_NAME_INVALID` for `chatgpt.com`, pause the OAuth run and fix proxy/TLS/mitm path first. `--ignore-certificate-errors` can be used only as a diagnostic; it is not a real fix because the next failure may still be `ERR_CONNECTION_CLOSED`.
|
|
|
|
## PassWall2 DNS/prerequisite follow-up
|
|
|
|
After BOSS updated PassWall2 AI split rules, the browser path was still blocked because DNS was not cleanly taken over by remote/proxied DNS:
|
|
|
|
- `curl -I -L --max-time 20 https://chatgpt.com/` still failed with `LibreSSL SSL_connect: SSL_ERROR_SYSCALL`.
|
|
- Visible Chrome still ended on `chrome-error://chromewebdata/` with `ERR_CONNECTION_CLOSED`, and stderr continued to show `ssl_client_socket_impl.cc:924 ... net_error -100`.
|
|
- macOS system resolver returned polluted/suspicious answers:
|
|
- `chatgpt.com -> 199.59.150.40` plus IPv6 `2a03:2880:...` (Twitter/Facebook-looking ranges, not expected Cloudflare/OpenAI path)
|
|
- `accounts.openai.com -> 128.121.146.109` plus IPv6 `2001::80f2:f09b`
|
|
- A DoH comparison for `chatgpt.com` via Cloudflare showed expected Cloudflare-style A records such as `104.18.32.47` and `172.64.155.209`, confirming local DNS pollution.
|
|
- `scutil --dns` showed local macOS DNS included ISP/public resolvers such as `2400:3200::1`, `2402:4e00::`, `114.114.114.114`, and `8.8.8.8`; do not assume PassWall2 domain split rules alone mean DNS is being intercepted.
|
|
|
|
Operational rule: if `chatgpt.com` or `accounts.openai.com` resolves to non-Cloudflare/Twitter/Facebook-looking addresses, stop. Ask BOSS to fix PassWall2 DNS takeover / remote DNS / fake-ip or redir-host settings before testing extension automation. Do not proceed to registration/OAuth while Chrome still shows `ERR_CONNECTION_CLOSED`.
|
|
|
|
Helpful probe snippet:
|
|
|
|
```bash
|
|
python3 - <<'PY'
|
|
import socket
|
|
for host in ['chatgpt.com','accounts.openai.com','auth.openai.com','openai.com']:
|
|
try:
|
|
print(host, sorted({x[4][0] for x in socket.getaddrinfo(host,443,proto=socket.IPPROTO_TCP)}))
|
|
except Exception as e:
|
|
print(host, 'ERR', e)
|
|
PY
|
|
scutil --dns | sed -n '1,120p'
|
|
curl -I -L --max-time 20 https://chatgpt.com/
|
|
```
|
|
|
|
|
|
Before sending `SAVE_SETTING` / `AUTO_RUN` programmatically, verify:
|
|
|
|
- `chrome://extensions/` shows `codex-oauth-automation-extension` loaded.
|
|
- The target URL/extension ID corresponds to the unpacked repo, not a built-in/other extension.
|
|
- The target context exposes the expected Chrome extension APIs and/or the sidepanel route is usable.
|
|
|
|
If `chrome://extensions/` shows no unpacked extension despite `--load-extension`, relaunch with a fresh profile and inspect Chrome stderr/profile policy before proceeding. |