feat: CA truststore support #1398
Comments
This would be an excellent feature. I'd rather not have to run my openai compatible inference server in http mode but I'm using a private public key infrastructure

Feel free to make a PR!
For folks stuck on this, here is a quick hack you can use ... basically you can just map

In this example, I have my internal root CA trusted on the host machine and can map it directly into the container (don't forget to make it read only just in case):

docker run -it --rm \
  --publish=3000:8080 \
  --volume=open-webui:/app/backend/data \
  --volume=/etc/ssl/certs/ca-certificates.crt:/etc/ssl/certs/ca-certificates.crt:ro \
  ghcr.io/open-webui/open-webui:main

For a larger-scale deployment you can basically do the same thing, e.g. in Kubernetes maybe you are using something like trust-manager to manage your truststore within the cluster. You can mount the trust-manager managed bundle to

This isn't a best practice and an environment variable configuration to add an additional truststore would be cleaner but this will work in the interim. As an aside, I tried to set
I'm not able to get the fix above to work. I've pulled my CA bundle from my AD Domain and added it into the container as mentioned above; however, I still get an SSL: CERTIFICATE_VERIFY_FAILED error.
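Added example, not part of the thread or of the project's code: one common reason a mounted system bundle has no effect is that Python HTTP clients do not all read it. `requests` falls back to the `certifi` package's own file unless `REQUESTS_CA_BUNDLE` or `CURL_CA_BUNDLE` is set, and Python's default `ssl` context (which aiohttp uses when given no custom context) follows `SSL_CERT_FILE` or OpenSSL's compiled-in path. The sketch below reports which file each client would read and whether a given CA is in it; it assumes the application uses those library defaults, and the certificates, the certifi path and the in-memory "filesystem" are constructed stand-ins.

```python
import base64, hashlib, re, ssl

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----.+?-----END CERTIFICATE-----", re.S)

def fingerprints(pem_text):
    """SHA-256 fingerprints of every certificate in a PEM bundle."""
    return {hashlib.sha256(ssl.PEM_cert_to_DER_cert(m)).hexdigest()
            for m in PEM_RE.findall(pem_text)}

def effective_bundles(env, certifi_path):
    """CA file each client reads by default, given the process environment.
    requests: REQUESTS_CA_BUNDLE, then CURL_CA_BUNDLE, else certifi's own file.
    ssl default context: SSL_CERT_FILE, else OpenSSL's built-in cafile
    (capath directories are not inspected here)."""
    paths = ssl.get_default_verify_paths()
    return {
        "requests": env.get("REQUESTS_CA_BUNDLE") or env.get("CURL_CA_BUNDLE") or certifi_path,
        "ssl_default": env.get(paths.openssl_cafile_env) or paths.openssl_cafile,
    }

def ca_present(ca_pem, bundles, read):
    """Map client -> True if every cert in ca_pem is in the file that client reads."""
    want = fingerprints(ca_pem)
    result = {}
    for client, path in bundles.items():
        try:
            result[client] = bool(want) and want <= fingerprints(read(path))
        except OSError:  # bundle file missing or unreadable
            result[client] = False
    return result

# --- constructed sample data: placeholder bytes, not real certificates ---
def _pem(raw):
    b64 = base64.b64encode(raw).decode()
    return f"-----BEGIN CERTIFICATE-----\n{b64}\n-----END CERTIFICATE-----\n"

CORP_CA, PUBLIC_ROOT = _pem(b"constructed corporate root"), _pem(b"constructed public root")
MOUNTED = "/etc/ssl/certs/ca-certificates.crt"           # path from the docker command above
CERTIFI = "/constructed/site-packages/certifi/cacert.pem"  # hypothetical certifi.where()
FILES = {MOUNTED: PUBLIC_ROOT + CORP_CA, CERTIFI: PUBLIC_ROOT}

def read_constructed(path):
    if path not in FILES:
        raise FileNotFoundError(path)
    return FILES[path]

def demo(env):
    return ca_present(CORP_CA, effective_bundles(env, CERTIFI), read_constructed)

if __name__ == "__main__":
    print(demo({}))  # requests still reads certifi's file, so the CA is missing
    print(demo({"REQUESTS_CA_BUNDLE": MOUNTED, "SSL_CERT_FILE": MOUNTED}))
```

Inside a real container, call `ca_present` with the CA's PEM text, `effective_bundles(os.environ, certifi.where())`, and a reader that opens the file from disk.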
Bug Report
Description
When you run the docker image in an enterprise context, based on the company policy, you may have SSL interception in order to analyse the traffic.
Bug Summary:
Impossible to add some CA to the internal truststore used to make the REST API request
Steps to Reproduce:
Need to have SSL interception enabled on your laptop that breaks the SSL chain
Expected Behavior:
Possibility to add CA to the used truststore
Actual Behavior:
CA can't be added
Environment
Reproduction Details
Confirmation:
Logs and Screenshots
Browser Console Logs:
{
"detail": "Something went wrong :/\nHTTPSConnectionPool(host='api.openai.com', port=443): Max retries exceeded with url: /v1/images/generations (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self-signed certificate in certificate chain (_ssl.c:1006)')))"
}
Docker Container Logs:
INFO: 172.17.0.1:50270 - "GET /ollama/api/tags HTTP/1.1" 200 OK
INFO:apps.openai.main:get_all_models()
ERROR:apps.openai.main:Connection error: Cannot connect to host api.openai.com:443 ssl:True [SSLCertVerificationError: (1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self-signed certificate in certificate chain (_ssl.c:1006)')]
INFO:apps.openai.main:models: {'data': []}
INFO:apps.openai.main:get_all_models()
ERROR:apps.openai.main:Connection error: Cannot connect to host api.openai.com:443 ssl:True [SSLCertVerificationError: (1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self-signed certificate in certificate chain (_ssl.c:1006)')]
INFO:apps.openai.main:models: {'data': []}
INFO: 172.17.0.1:50270 - "GET /openai/api/models HTTP/1.1" 200 OK
INFO: 172.17.0.1:50270 - "GET /litellm/api/v1/models HTTP/1.1" 200 OK
INFO: 172.17.0.1:50294 - "GET /_app/immutable/nodes/8.0396dff0.js HTTP/1.1" 200 OK
INFO: 172.17.0.1:50298 - "GET /ollama/api/version HTTP/1.1" 200 OK
INFO: 172.17.0.1:50304 - "GET /ollama/api/version HTTP/1.1" 200 OK
INFO: 172.17.0.1:50304 - "GET /ollama/urls HTTP/1.1" 200 OK
INFO: 172.17.0.1:50304 - "GET /ollama/api/version HTTP/1.1" 200 OK
INFO: 172.17.0.1:50304 - "GET /litellm/api/model/info HTTP/1.1" 200 OK
INFO: 172.17.0.1:50316 - "GET /api/config HTTP/1.1" 200 OK
INFO: 172.17.0.1:50316 - "GET /api/v1/auths/ HTTP/1.1" 200 OK
INFO:apps.ollama.main:get_all_models()
INFO: 172.17.0.1:50316 - "GET /ollama/api/tags HTTP/1.1" 200 OK
INFO:apps.openai.main:get_all_models()
ERROR:apps.openai.main:Connection error: Cannot connect to host api.openai.com:443 ssl:True [SSLCertVerificationError: (1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self-signed certificate in certificate chain (_ssl.c:1006)')]
INFO:apps.openai.main:models: {'data': []}
INFO:apps.openai.main:get_all_models()
ERROR:apps.openai.main:Connection error: Cannot connect to host api.openai.com:443 ssl:True [SSLCertVerificationError: (1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self-signed certificate in certificate chain (_ssl.c:1006)')]
INFO:apps.openai.main:models: {'data': []}
INFO: 172.17.0.1:50316 - "GET /openai/api/models HTTP/1.1" 200 OK
INFO: 172.17.0.1:50316 - "GET /litellm/api/v1/models HTTP/1.1" 200 OK
INFO: 172.17.0.1:50316 - "GET /api/v1/modelfiles/ HTTP/1.1" 200 OK
INFO: 172.17.0.1:50316 - "GET /api/v1/prompts/ HTTP/1.1" 200 OK
INFO: 172.17.0.1:50316 - "GET /api/v1/documents/ HTTP/1.1" 200 OK
INFO: 172.17.0.1:50316 - "GET /api/v1/chats/tags/all HTTP/1.1" 200 OK
INFO:apps.ollama.main:get_all_models()
Screenshots (if applicable):
Installation Method
Docker vanilla install with Open API key