[GH-ISSUE #1798] failed to verify certificate: x509: certificate signed by unknown authority #1025

Closed
opened 2026-04-12 10:44:53 -05:00 by GiteaMirror · 9 comments

Originally created by @jooyoungseo on GitHub (Jan 5, 2024).
Original GitHub issue: https://github.com/ollama/ollama/issues/1798

In my HPC system, I have to use apptainer instead of docker to run ollama. In the pulling process, I have encountered the following certificate issue. I was wondering if this could be addressed from ollama side.

```sh
Apptainer> ollama serve &
[1] 2914729
Apptainer> 2024/01/04 15:51:13 images.go:737: total blobs: 0
2024/01/04 15:51:13 images.go:744: total unused blobs removed: 0
2024/01/04 15:51:13 routes.go:895: Listening on [::]:11434 (version 0.1.17)
ollama pull llama2
[GIN] 2024/01/04 - 15:51:24 | 200 |      54.686µs |       127.0.0.1 | HEAD     "/"
2024/01/04 15:51:24 images.go:1066: request failed: Get https://registry.ollama.ai/v2/library/llama2/manifests/latest: tls: failed to verify certificate: x509: certificate signed by unknown authority
[GIN] 2024/01/04 - 15:51:24 | 200 |   19.314959ms |       127.0.0.1 | POST     "/api/pull"
pulling manifest 
Error: pull model manifest: Get https://registry.ollama.ai/v2/library/llama2/manifests/latest: tls: failed to verify certificate: x509: certificate signed by unknown authority
Apptainer> 
```

@mikkel1156 commented on GitHub (Jan 6, 2024):

From my use of containers (which it looks like Apptainer uses), this usually means that the environment is missing the correct Certificate Authorities (or has none at all) - this means that the environment can't verify any certificates.

This is usually resolved by installing the correct dependency in the environment, like the ca-certificates package on Debian.


@jooyoungseo commented on GitHub (Jan 6, 2024):

Unfortunately, I do not have the sudo power. I asked ChatGPT if ollama could address this issue on their end, and it looks like there is a solution:

Solution Suggested by ChatGPT

Yes, the maintainers of the Ollama registry can address the SSL/TLS certificate issue on their end. The error you're encountering is due to the client (in your case, Apptainer) not trusting the SSL/TLS certificate presented by the Ollama registry server. Here are steps that the Ollama registry maintainers can take:

  1. Use a Certificate from a Trusted Authority:
    The most straightforward approach is to use a SSL/TLS certificate issued by a widely recognized Certificate Authority (CA). Certificates from these CAs are usually automatically trusted by most operating systems and software, reducing the likelihood of encountering such trust issues.

  2. Proper Certificate Chain:
    Ensure that the server is correctly configured to present not just the server certificate but also the full chain of certificates, including any intermediate CAs. This is a common issue where the server only sends its own certificate and not the full chain, leading to trust issues.

  3. Renew Expired Certificates:
    If the certificate is expired, it should be renewed. Expired certificates are not trusted by clients.

  4. Correct Domain Name:
    The SSL/TLS certificate should be valid for the domain it's being used on. This means if the server is registry.ollama.ai, the certificate should be issued for this domain or a wildcard certificate for the parent domain.

  5. Check for Revoked Certificates:
    Ensure that the certificate has not been revoked. Revoked certificates will not be trusted by clients.

  6. Communicate with Users:
    If there's a change or an update in the certificate, communicating this to the users is essential. They can then update their trust stores or take necessary actions if needed.

  7. Offer Detailed Guidance:
    Providing documentation or guidance on how to trust their certificate (in case it’s a self-signed or a certificate from a less known CA) would be helpful for users.

  8. Automate Certificate Management:
    Using tools like Let's Encrypt for automated certificate issuance and renewal can ensure that the certificates are always up to date and trusted.

By ensuring that the SSL/TLS certificates are correctly configured, up-to-date, and from a trusted authority, the Ollama maintainers can significantly reduce the likelihood of users encountering certificate-related errors.


@mikkel1156 commented on GitHub (Jan 8, 2024):

This isn't an issue on their end; the certificate is already signed by a Trusted Authority (as suggested in your ChatGPT response). As stated, the issue is likely that your Apptainer environment is missing these trusted certificate authorities.

You need to figure out what base system your Apptainer environment is using, and get the correct package installed as mentioned. The issue you are having would likely affect all certificates and not just ollama.


@mxyng commented on GitHub (Jan 8, 2024):

ollama.ai's certificate is signed by Google. You can check with openssl.

```
$ openssl s_client -connect ollama.ai:443 </dev/null 2>/dev/null
CONNECTED(00000006)
---
Certificate chain
 0 s:CN = ollama.ai
   i:C = US, O = Google Trust Services LLC, CN = GTS CA 1D4
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Dec 26 06:23:33 2023 GMT; NotAfter: Mar 25 07:17:47 2024 GMT
 1 s:C = US, O = Google Trust Services LLC, CN = GTS CA 1D4
   i:C = US, O = Google Trust Services LLC, CN = GTS Root R1
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Aug 13 00:00:42 2020 GMT; NotAfter: Sep 30 00:00:42 2027 GMT
 2 s:C = US, O = Google Trust Services LLC, CN = GTS Root R1
   i:C = BE, O = GlobalSign nv-sa, OU = Root CA, CN = GlobalSign Root CA
   a:PKEY: rsaEncryption, 4096 (bit); sigalg: RSA-SHA256
   v:NotBefore: Jun 19 00:00:42 2020 GMT; NotAfter: Jan 28 00:00:42 2028 GMT
---
Server certificate
subject=CN = ollama.ai
issuer=C = US, O = Google Trust Services LLC, CN = GTS CA 1D4
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 4722 bytes and written 391 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
This TLS version forbids renegotiation.
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
```

If you're running into certificate verification issues, it is most likely caused by two issues:

  1. Your environment does not have CAs installed. The ollama docker container installs ca-certificates for this purpose
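  2. Your environment uses a proxy and does not have the proxy's certificate installed. If this is the cause, you can check the [FAQ](https://github.com/jmorganca/ollama/blob/main/docs/faq.md#how-do-i-use-ollama-behind-a-proxy-in-docker) which might be of some help.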
@hqnicolas commented on GitHub (Mar 25, 2024):

pull model manifest: Get "https://registry.ollama.ai/v2/library/mistral/manifests/7b-text-v0.2-q6_K": tls: failed to verify certificate: x509: certificate has expired or is not yet valid: current time 2024-03-25T10:15:20Z is after 2024-03-25T07:17:47Z

Same problem here....

Just Change server time to download image.

@ceejatec commented on GitHub (Mar 25, 2024):

@hqnicolas That's actually a different problem entirely - the maintainers of the ollama.ai registry have allowed their SSL certificate to expire. I assume they'll be updating it soon.
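
The failure modes separated in this thread (no CA bundle in the environment, a chain re-signed by a proxy whose CA is not installed, and an expired server certificate), reproduced with Go's `crypto/x509` as an added example; it is not code from ollama or from any commenter. The host name, CA names and certificates are constructed test data generated in memory, and `must`, `issue`, `verify` and `scenarios` are hypothetical helper names.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

const host = "registry.example.test" // constructed name, not the real registry
var now = time.Date(2024, 3, 1, 0, 0, 0, 0, time.UTC) // fixed clock for repeatable results

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// issue returns a self-signed root CA when parent is nil, else a 90-day server certificate for host.
func issue(cn string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		DNSNames: []string{host}, NotBefore: now.AddDate(0, 0, -1), NotAfter: now.AddDate(0, 0, 90),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}
	if parent == nil { // root CA: ten-year lifetime, may sign certificates, signs itself
		tmpl.IsCA, tmpl.BasicConstraintsValid, tmpl.KeyUsage, tmpl.DNSNames = true, true, x509.KeyUsageCertSign, nil
		tmpl.NotAfter, parent, parentKey = now.AddDate(10, 0, 0), tmpl, key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey))
	return must(x509.ParseCertificate(der)), key
}

// verify checks leaf for host at time t against exactly the given roots; returns "ok" or the x509 error text.
func verify(leaf *x509.Certificate, t time.Time, roots ...*x509.Certificate) string {
	pool := x509.NewCertPool() // empty but non-nil, so there is no fallback to system roots
	for _, r := range roots {
		pool.AddCert(r)
	}
	if _, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: pool, CurrentTime: t}); err != nil {
		return err.Error()
	}
	return "ok"
}

func scenarios() [][2]string { // {case, result} pairs for the cases discussed in the thread
	pubRoot, pubKey := issue("Constructed Public Root CA", nil, nil)
	proxyRoot, proxyKey := issue("Constructed Inspection Proxy CA", nil, nil)
	direct, _ := issue(host, pubRoot, pubKey)       // chain the registry itself serves
	resigned, _ := issue(host, proxyRoot, proxyKey) // chain a TLS-inspecting proxy serves
	return [][2]string{
		{"no CA bundle installed", verify(direct, now)},
		{"CA bundle installed", verify(direct, now, pubRoot)},
		{"proxy chain, proxy CA missing", verify(resigned, now, pubRoot)},
		{"proxy chain, proxy CA installed", verify(resigned, now, pubRoot, proxyRoot)},
		{"server certificate expired", verify(direct, now.AddDate(0, 0, 91), pubRoot)},
	}
}

func main() { fmt.Printf("%q\n", scenarios()) }
```

The first and third cases produce the same "unknown authority" text, which is why the issuer shown by `openssl s_client` is what tells them apart. On Linux, Go's `crypto/x509` also honours the `SSL_CERT_FILE` and `SSL_CERT_DIR` environment variables, so a CA bundle in a user-writable location can be supplied to a Go client without root access.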

@ramstein74 commented on GitHub (Apr 3, 2024):

same here

pull model manifest: Get "https://registry.ollama.ai/v2/library/mixtral/manifests/latest": tls: failed to verify certificate: x509: certificate signed by unknown authority

is this good ?

```
openssl s_client -connect ollama.ai:443 </dev/null 2>/dev/null
CONNECTED(00000003)
---
Certificate chain
 0 s:C = US, ST = California, L = San Francisco, O = "Cisco Systems, Inc.", CN = ollama.ai
   i:O = Cisco, CN = Cisco Umbrella Secondary SubCA mad1-SG
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Apr 1 14:39:21 2024 GMT; NotAfter: Apr 6 14:39:21 2024 GMT
 1 s:O = Cisco, CN = Cisco Umbrella Secondary SubCA mad1-SG
   i:C = US, ST = California, L = San Francisco, O = Cisco, CN = Cisco Umbrella Primary SubCA
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Apr 2 01:25:31 2024 GMT; NotAfter: Apr 13 01:25:31 2024 GMT
 2 s:C = US, ST = California, L = San Francisco, O = Cisco, CN = Cisco Umbrella Primary SubCA
   i:O = Cisco, CN = Cisco Umbrella Root CA
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: May 21 19:53:18 2019 GMT; NotAfter: May 21 19:53:18 2024 GMT
---
Server certificate
subject=C = US, ST = California, L = San Francisco, O = "Cisco Systems, Inc.", CN = ollama.ai
issuer=O = Cisco, CN = Cisco Umbrella Secondary SubCA mad1-SG
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 3706 bytes and written 391 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
```

@alexhegit commented on GitHub (Jan 7, 2025):

Same issue.

@dhowe commented on GitHub (Mar 10, 2026):

Same here

Reference: github-starred/ollama#1025