[GH-ISSUE #823] failed to verify certificate: x509: certificate signed by unknown authority #62432

Closed
opened 2026-05-03 08:55:42 -05:00 by GiteaMirror · 21 comments

Originally created by @sureshpatel66 on GitHub (Oct 17, 2023).
Original GitHub issue: https://github.com/ollama/ollama/issues/823

```console
~$ docker exec -it ollama ollama run llama2
pulling manifest
Error: pull model manifest: Get "https://registry.ollama.ai/v2/library/llama2/manifests/latest": tls: failed to verify certificate: x509: certificate signed by unknown authority
```

Please guide me to solve this issue.


@jmorganca commented on GitHub (Oct 17, 2023):

Hi @sureshpatel66, which Docker image are you using? The official Ollama [image](https://hub.docker.com/r/ollama/ollama) has the `ca-certificates` package as part of it, which should avoid these errors.

Thanks for creating an issue!


@sureshpatel66 commented on GitHub (Oct 19, 2023):

I am working in a restricted network (office), which caused this issue. I connected to a wireless network and it is working. Thank you for the support.


@TimCoates commented on GitHub (Nov 8, 2023):

Also hitting this on corporate device, despite trying different networks. Is it possible to add a flag to ignore unknown certs?


@mbbyn commented on GitHub (Nov 9, 2023):

~Facing the same issue here. I already set the corporate certificates as trusted using `ca-certificates` package, and using `curl` works without the `-k, --insecure` flag. According to Go, the language picks up the system certificates, but not sure why it's not in this case.~

Edit

It seems I set the `OLLAMA_MODELS` to a "wrong" path that somehow led to the certificate error. e.g. I wanted to change the models dir to `/x/y/z/ollama`, so I copied `~/.ollama` to `/x/y/z/ollama` and set that as `OLLAMA_MODELS`. That's when the error started to appear. Once I fixed the `OLLAMA_MODELS` to point to `/x/y/z/ollama/models`, things started working again.


@marcellodesales commented on GitHub (Nov 9, 2023):

I'm getting the same error while running it in a Kubernetes cluster without mounting any volume... Is there anything to set the trust of the certificate? or the error is in something else... Is there a way to set the container logger to DEBUG/TRACE?


@marcellodesales commented on GitHub (Nov 9, 2023):

So, some clues on this:

  • According to https://github.com/kubernetes/kubernetes/issues/43924#issuecomment-290905127, this error occurs when a docker client tries to pull docker images from an insecure Docker Registry...
  • Considering Ollama uses a docker registry to implement the model repository, I would say it's possible ollama's backend is actually a Docker Registry whose TLS certs were self-signed... Meanwhile, ollama's CLI client runs a client that connects to the docker daemon to pull the Models...
  • I don't get the same error running from my local machine, but I get it when running in a Kubernetes cluster...
    • My local machine has all the bypass and lower security configuration while the Kubernetes cluster doesn't

👽 Using the API

```console
curl -i http://localhost:11434/api/pull -d '{"name": "llama2"}'
HTTP/1.1 200 OK
Content-Type: application/x-ndjson
Date: Thu, 09 Nov 2023 20:22:16 GMT
Transfer-Encoding: chunked
```

```json
{"status":"pulling manifest"}
{"error":"pull model manifest: Get 'https://registry.ollama.ai/v2/library/llama2/manifests/latest': tls: failed to verify certificate: x509: certificate signed by unknown authority"}
```

@marcellodesales commented on GitHub (Nov 9, 2023):

@sureshpatel66 Could you please reopen this ticket...?

The error is on the ollama CLI client while pulling images from the docker registry... I would implement a param to trust any Ollama server (for the future)... And ollama's endpoint should use a CA to solve the OSS use...


@TimCoates commented on GitHub (Nov 13, 2023):

Is it possible to provide alternative ways to download models, one or more of those might be able to circumvent the CA problem?


@zioalex commented on GitHub (Mar 19, 2024):

Hi there, any update here? I am hitting the same problem.


@andrealesani commented on GitHub (Mar 25, 2024):

It seems that ollama.ai now redirects to ollama.com, and even opening the first one from the browser I get certificate errors... Is it possible that simply changing the URL from "https://registry.ollama.ai/v2/library/llama2/manifests/latest" to "https://registry.ollama.com/v2/library/llama2/manifests/latest" solves the problem?


@maximeperrindev commented on GitHub (Mar 25, 2024):

@andrealesani yeah, that probably should do the trick


@andrealesani commented on GitHub (Mar 25, 2024):

> @andrealesani yeah, that probably should do the trick

Good to know! By chance, do you also know if there is a way to specify the URL from command line? Unfortunately, I am on Windows and I would like to avoid recompiling the whole thing (otherwise I might also try with WSL, but specifying URL manually would seem the easiest option, if ollama supports this option)


@maximeperrindev commented on GitHub (Mar 25, 2024):

@andrealesani I'm afraid we can't. If you don't want to recompile the whole app, you can also, as a workaround, create a `Modelfile` and use a downloaded .gguf.

I know it's not the best, but it's the easiest if you don't want to wait


@andrealesani commented on GitHub (Mar 25, 2024):

FYI, they are talking about this in issue #3336. Easiest solution seems to change system time to 2 hours ago because the certificate expired an hour ago hahaha


@maximeperrindev commented on GitHub (Mar 25, 2024):

@andrealesani no way ahha ! thanks


@Vasil-Dimitrov commented on GitHub (Mar 25, 2024):

@andrealesani Worked for me like a charm after I moved my local time a few hours back lol

Simple yet genius solution


@steve3535 commented on GitHub (Jun 12, 2024):

This is what worked for me (I am running on top of k8s 1.28 on prem in a restricted network):

  • get the CA of ollama.com and map it in the pod as /usr/local/share/ca-certificates/
  • get the CA of your organization and map it under the same path with .crt extension
  • update-ca-certificates
  • set env HTTPS_PROXY to your org proxy

@bigghe commented on GitHub (Nov 21, 2024):

For anyone still facing this issue: in my case, from my office network, I don't have any proxy, but SSL inspection is enabled when connecting to public resources.

I solved it by following the steps here https://github.com/ollama/ollama/blob/main/docs/faq.md#how-do-i-use-ollama-behind-a-proxy-in-docker which basically means building a custom container starting from ollama/ollama and then adding the firewall CA in /usr/local/share/ca-certificates (without -e HTTPS_PROXY=https://my.proxy.example.com in the docker run command).

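The outcomes reported in this thread (an inspection CA missing from the trust store, the same CA once it has been added as in the two comments above, and an expired server certificate) can be told apart by the Go error type that verification returns. This is an added example, not Ollama's code and not from any commenter: `issue`, `classify` and the `*.example.test` names are constructed for illustration, and the certificates are throwaway ones generated in memory.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// issue builds a constructed test certificate; a nil parent yields a self-signed CA.
func issue(cn string, notAfter time.Time, parent *x509.Certificate, signer ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject: pkix.Name{CommonName: cn}, DNSNames: []string{cn}, IsCA: parent == nil,
		NotBefore: time.Now().Add(-48 * time.Hour), NotAfter: notAfter, BasicConstraintsValid: true}
	if parent == nil { // self-signed root, standing in for a TLS-inspection CA
		parent, signer = tpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// classify verifies leaf against roots with Go's x509 verifier and names the failure.
func classify(leaf *x509.Certificate, roots *x509.CertPool, host string) string {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	var ua x509.UnknownAuthorityError
	var inv x509.CertificateInvalidError
	if errors.As(err, &ua) {
		return "unknown authority"
	} else if errors.As(err, &inv) && inv.Reason == x509.Expired {
		return "expired"
	} else if err != nil {
		return "other: " + err.Error()
	}
	return "trusted"
}

func main() {
	ca, caKey := issue("inspection-ca.example.test", time.Now().Add(time.Hour), nil, nil)
	leaf, _ := issue("registry.example.test", time.Now().Add(time.Hour), ca, caKey)
	fmt.Println(classify(leaf, x509.NewCertPool(), "registry.example.test")) // unknown authority
}
```

Calling `AddCert(ca)` on the pool before `classify` plays the role that `update-ca-certificates` plays for the system store and turns the result into `trusted`; a leaf whose `NotAfter` is in the past is reported as `expired` whether or not its CA is trusted.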

@zongweix commented on GitHub (Apr 9, 2025):

Hi there, any update here? I am hitting the same problem.


@chengs commented on GitHub (Jul 24, 2025):

This happens in large companies, in which SSL certs are modified to track users' behaviors.

Need ollama to have an option to bypass cert check.

Such as -k, --insecure in curl.


@pivu-sbab commented on GitHub (Feb 13, 2026):

https://docs.ollama.com/faq#how-do-i-use-ollama-behind-a-proxy


Reference: github-starred/ollama#62432