[GH-ISSUE #1398] feat: CA truststore support #12479

New Issue

Closed

opened 2026-04-19 19:24:50 -05:00 by GiteaMirror · 16 comments

GiteaMirror commented 2026-04-19 19:24:50 -05:00

Owner

Copy Link

Originally created by @GillesBodart on GitHub (Apr 2, 2024).
Original GitHub issue: https://github.com/open-webui/open-webui/issues/1398

Bug Report

Description

When you run the docker image in an enterprise context, based on the company policy, you may have SSL interception in order to anlyse the traffic

Bug Summary:
Impossible to add some CA to the internal trustore used to make the REST API request

Steps to Reproduce:
need to have SSL interception enable on your laptop that breaks the SSL chain

Expected Behavior:
Possibility to add CA to the used truststore

Actual Behavior:

CA can't be added

Environment

• **Windows 11 running docker image ghcr.io/open-webui/open-webui:main
• **Browser Chrome

Reproduction Details

Confirmation:

• [* ] I have read and followed all the instructions provided in the README.md.
• [* ] I am on the latest version of both Open WebUI and Ollama.
• [* ] I have included the browser console logs.
• [ *] I have included the Docker container logs.

Logs and Screenshots

Browser Console Logs:
{
"detail": "Something went wrong :/\nHTTPSConnectionPool(host='api.openai.com', port=443): Max retries exceeded with url: /v1/images/generations (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self-signed certificate in certificate chain (_ssl.c:1006)')))"
}

Docker Container Logs:
INFO: 172.17.0.1:50270 - "GET /ollama/api/tags HTTP/1.1" 200 OK

INFO:apps.openai.main:get_all_models()

ERROR:apps.openai.main:Connection error: Cannot connect to host api.openai.com:443 ssl:True [SSLCertVerificationError: (1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self-signed certificate in certificate chain (_ssl.c:1006)')]

INFO:apps.openai.main:models: {'data': []}

INFO:apps.openai.main:get_all_models()

ERROR:apps.openai.main:Connection error: Cannot connect to host api.openai.com:443 ssl:True [SSLCertVerificationError: (1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self-signed certificate in certificate chain (_ssl.c:1006)')]

INFO:apps.openai.main:models: {'data': []}

INFO: 172.17.0.1:50270 - "GET /openai/api/models HTTP/1.1" 200 OK

INFO: 172.17.0.1:50270 - "GET /litellm/api/v1/models HTTP/1.1" 200 OK

INFO: 172.17.0.1:50294 - "GET /_app/immutable/nodes/8.0396dff0.js HTTP/1.1" 200 OK

INFO: 172.17.0.1:50298 - "GET /ollama/api/version HTTP/1.1" 200 OK

INFO: 172.17.0.1:50304 - "GET /ollama/api/version HTTP/1.1" 200 OK

INFO: 172.17.0.1:50304 - "GET /ollama/urls HTTP/1.1" 200 OK

INFO: 172.17.0.1:50304 - "GET /ollama/api/version HTTP/1.1" 200 OK

INFO: 172.17.0.1:50304 - "GET /litellm/api/model/info HTTP/1.1" 200 OK

INFO: 172.17.0.1:50316 - "GET /api/config HTTP/1.1" 200 OK

INFO: 172.17.0.1:50316 - "GET /api/v1/auths/ HTTP/1.1" 200 OK

INFO:apps.ollama.main:get_all_models()

INFO: 172.17.0.1:50316 - "GET /ollama/api/tags HTTP/1.1" 200 OK

INFO:apps.openai.main:get_all_models()

ERROR:apps.openai.main:Connection error: Cannot connect to host api.openai.com:443 ssl:True [SSLCertVerificationError: (1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self-signed certificate in certificate chain (_ssl.c:1006)')]

INFO:apps.openai.main:models: {'data': []}

INFO:apps.openai.main:get_all_models()

ERROR:apps.openai.main:Connection error: Cannot connect to host api.openai.com:443 ssl:True [SSLCertVerificationError: (1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self-signed certificate in certificate chain (_ssl.c:1006)')]

INFO:apps.openai.main:models: {'data': []}

INFO: 172.17.0.1:50316 - "GET /openai/api/models HTTP/1.1" 200 OK

INFO: 172.17.0.1:50316 - "GET /litellm/api/v1/models HTTP/1.1" 200 OK

INFO: 172.17.0.1:50316 - "GET /api/v1/modelfiles/ HTTP/1.1" 200 OK

INFO: 172.17.0.1:50316 - "GET /api/v1/prompts/ HTTP/1.1" 200 OK

INFO: 172.17.0.1:50316 - "GET /api/v1/documents/ HTTP/1.1" 200 OK

INFO: 172.17.0.1:50316 - "GET /api/v1/chats/tags/all HTTP/1.1" 200 OK

INFO:apps.ollama.main:get_all_models()

Screenshots (if applicable):

Installation Method

Docker vanilla install with Open API key

Additional Information

[Include any additional details that may help in understanding and reproducing the issue. This could include specific configurations, error messages, or anything else relevant to the bug.]

Note

If the bug report is incomplete or does not follow the provided instructions, it may not be addressed. Please ensure that you have followed the steps outlined in the README.md and troubleshooting.md documents, and provide all necessary information for us to reproduce and address the issue. Thank you!

Originally created by @GillesBodart on GitHub (Apr 2, 2024). Original GitHub issue: https://github.com/open-webui/open-webui/issues/1398 # Bug Report ## Description When you run the docker image in an enterprise context, based on the company policy, you may have SSL interception in order to anlyse the traffic **Bug Summary:** Impossible to add some CA to the internal trustore used to make the REST API request **Steps to Reproduce:** need to have SSL interception enable on your laptop that breaks the SSL chain **Expected Behavior:** Possibility to add CA to the used truststore **Actual Behavior:** CA can't be added ## Environment - **Windows 11 running docker image ghcr.io/open-webui/open-webui:main - **Browser Chrome ## Reproduction Details **Confirmation:** - [* ] I have read and followed all the instructions provided in the README.md. - [* ] I am on the latest version of both Open WebUI and Ollama. - [* ] I have included the browser console logs. - [ *] I have included the Docker container logs. ## Logs and Screenshots **Browser Console Logs:** { "detail": "Something went wrong :/\nHTTPSConnectionPool(host='api.openai.com', port=443): Max retries exceeded with url: /v1/images/generations (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self-signed certificate in certificate chain (_ssl.c:1006)')))" } **Docker Container Logs:** INFO: 172.17.0.1:50270 - "GET /ollama/api/tags HTTP/1.1" 200 OK INFO:apps.openai.main:get_all_models() ERROR:apps.openai.main:Connection error: Cannot connect to host api.openai.com:443 ssl:True [SSLCertVerificationError: (1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self-signed certificate in certificate chain (_ssl.c:1006)')] INFO:apps.openai.main:models: {'data': []} INFO:apps.openai.main:get_all_models() ERROR:apps.openai.main:Connection error: Cannot connect to host api.openai.com:443 ssl:True [SSLCertVerificationError: (1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self-signed certificate in certificate chain (_ssl.c:1006)')] INFO:apps.openai.main:models: {'data': []} INFO: 172.17.0.1:50270 - "GET /openai/api/models HTTP/1.1" 200 OK INFO: 172.17.0.1:50270 - "GET /litellm/api/v1/models HTTP/1.1" 200 OK INFO: 172.17.0.1:50294 - "GET /_app/immutable/nodes/8.0396dff0.js HTTP/1.1" 200 OK INFO: 172.17.0.1:50298 - "GET /ollama/api/version HTTP/1.1" 200 OK INFO: 172.17.0.1:50304 - "GET /ollama/api/version HTTP/1.1" 200 OK INFO: 172.17.0.1:50304 - "GET /ollama/urls HTTP/1.1" 200 OK INFO: 172.17.0.1:50304 - "GET /ollama/api/version HTTP/1.1" 200 OK INFO: 172.17.0.1:50304 - "GET /litellm/api/model/info HTTP/1.1" 200 OK INFO: 172.17.0.1:50316 - "GET /api/config HTTP/1.1" 200 OK INFO: 172.17.0.1:50316 - "GET /api/v1/auths/ HTTP/1.1" 200 OK INFO:apps.ollama.main:get_all_models() INFO: 172.17.0.1:50316 - "GET /ollama/api/tags HTTP/1.1" 200 OK INFO:apps.openai.main:get_all_models() ERROR:apps.openai.main:Connection error: Cannot connect to host api.openai.com:443 ssl:True [SSLCertVerificationError: (1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self-signed certificate in certificate chain (_ssl.c:1006)')] INFO:apps.openai.main:models: {'data': []} INFO:apps.openai.main:get_all_models() ERROR:apps.openai.main:Connection error: Cannot connect to host api.openai.com:443 ssl:True [SSLCertVerificationError: (1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self-signed certificate in certificate chain (_ssl.c:1006)')] INFO:apps.openai.main:models: {'data': []} INFO: 172.17.0.1:50316 - "GET /openai/api/models HTTP/1.1" 200 OK INFO: 172.17.0.1:50316 - "GET /litellm/api/v1/models HTTP/1.1" 200 OK INFO: 172.17.0.1:50316 - "GET /api/v1/modelfiles/ HTTP/1.1" 200 OK INFO: 172.17.0.1:50316 - "GET /api/v1/prompts/ HTTP/1.1" 200 OK INFO: 172.17.0.1:50316 - "GET /api/v1/documents/ HTTP/1.1" 200 OK INFO: 172.17.0.1:50316 - "GET /api/v1/chats/tags/all HTTP/1.1" 200 OK INFO:apps.ollama.main:get_all_models() **Screenshots (if applicable):**  ## Installation Method Docker vanilla install with Open API key ## Additional Information [Include any additional details that may help in understanding and reproducing the issue. This could include specific configurations, error messages, or anything else relevant to the bug.] ## Note If the bug report is incomplete or does not follow the provided instructions, it may not be addressed. Please ensure that you have followed the steps outlined in the README.md and troubleshooting.md documents, and provide all necessary information for us to reproduce and address the issue. Thank you!

GiteaMirror added the help wanted label 2026-04-19 19:24:50 -05:00

GiteaMirror closed this issue 2026-04-19 19:24:51 -05:00

GiteaMirror commented 2026-04-19 19:24:52 -05:00

Author

Owner

Copy Link

@strikeoncmputrz commented on GitHub (Apr 4, 2024):

This would be an excellent feature. I'd rather not have to run my openai compatible inference server in http mode but I'm using a private public key infrastructure

<!-- gh-comment-id:2036101079 --> @strikeoncmputrz commented on GitHub (Apr 4, 2024): This would be an excellent feature. I'd rather not have to run my openai compatible inference server in http mode but I'm using a private public key infrastructure

GiteaMirror commented 2026-04-19 19:24:53 -05:00

Author

Owner

Copy Link

@tjbck commented on GitHub (Apr 14, 2024):

Feel free to make a PR!

<!-- gh-comment-id:2054177380 --> @tjbck commented on GitHub (Apr 14, 2024): Feel free to make a PR!

GiteaMirror commented 2026-04-19 19:24:54 -05:00

Author

Owner

Copy Link

@theobjectivedad commented on GitHub (Jun 19, 2024):

For folks stuck on this, here is a quick hack you can use ... basically you can just map /etc/ssl/certs/ca-certificates.crt in the container to a another file that contains your own trust chain.

In this example, I have my internal root CA trusted on the host machine and can map it directly into the container (don't forget to make it read only just in case):

docker run -it --rm \
  --publish=3000:8080 \
  --volume=open-webui:/app/backend/data \
  --volume=/etc/ssl/certs/ca-certificates.crt:/etc/ssl/certs/ca-certificates.crt:ro \
  ghcr.io/open-webui/open-webui:main

For a larger-scale deployment you can basically do the same thing, ex in Kubernetes maybe you are using something like trust-manager to manage your truststore within the cluster. You can mount the trust-manager managed bundle to /etc/ssl/certs/ca-certificates.crt inside the open webui pod.

This isn't a best practice and and environment variable configuration to add an additional truststore would be cleaner but this will work in the interim. As an aside, I tried to set REQUESTS_CA_BUNDLE in the environment but it didn't work for me.

<!-- gh-comment-id:2178636262 --> @theobjectivedad commented on GitHub (Jun 19, 2024): For folks stuck on this, here is a quick hack you can use ... basically you can just map ``/etc/ssl/certs/ca-certificates.crt`` in the container to a another file that contains your own trust chain. In this example, I have my internal root CA trusted on the host machine and can map it directly into the container (don't forget to make it read only just in case): ```shell docker run -it --rm \ --publish=3000:8080 \ --volume=open-webui:/app/backend/data \ --volume=/etc/ssl/certs/ca-certificates.crt:/etc/ssl/certs/ca-certificates.crt:ro \ ghcr.io/open-webui/open-webui:main ``` For a larger-scale deployment you can basically do the same thing, ex in Kubernetes maybe you are using something like [trust-manager](https://cert-manager.io/docs/trust/trust-manager/) to manage your truststore within the cluster. You can mount the trust-manager managed bundle to ``/etc/ssl/certs/ca-certificates.crt`` inside the open webui pod. This isn't a best practice and and environment variable configuration to add an additional truststore would be cleaner but this will work in the interim. As an aside, I tried to set ``REQUESTS_CA_BUNDLE`` in the environment but it didn't work for me.

GiteaMirror commented 2026-04-19 19:24:54 -05:00

Author

Owner

Copy Link

@hanahige commented on GitHub (Jul 16, 2024):

I'm not able to get the fix above to work, I've pulled my CA bundle from my AD Domain and added it into the container as mentioned above, however I still get a SSL: CERTIFICATE_VERIFY_FAILED error.
ssl.SSLCertVerificationError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1006)
however I did notice that the above method allows me to curl the .well-known address without having to ignore validation. It just seems like Open WebUI doesn't also respect that the CA root for my domain is trusted once added to the container CA trust.
I'm running Open WebUI 0.3.7, and Authentik 2024.4.7 behind a NGINX reverse proxy.

<!-- gh-comment-id:2231667946 --> @hanahige commented on GitHub (Jul 16, 2024): I'm not able to get the fix above to work, I've pulled my CA bundle from my AD Domain and added it into the container as mentioned above, however I still get a SSL: CERTIFICATE_VERIFY_FAILED error. `ssl.SSLCertVerificationError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1006)` however I did notice that the above method allows me to curl the .well-known address without having to ignore validation. It just seems like Open WebUI doesn't also respect that the CA root for my domain is trusted once added to the container CA trust. I'm running Open WebUI 0.3.7, and Authentik 2024.4.7 behind a NGINX reverse proxy.

GiteaMirror commented 2026-04-19 19:24:55 -05:00

Author

Owner

Copy Link

@KizzyCode commented on GitHub (Jul 30, 2024):

FWIW, you can force python to use the system certificate store via REQUESTS_CA_BUNDLE=/etc/ssl/certs/ca-certificates.crt in the environment.

My (trimmed down) docker-compose.yml looks like this:

services:
  openwebui:
    image: ghcr.io/open-webui/open-webui:main
    volumes:
      - /var/containers/openwebui:/app/backend/data:rw
      - /etc/containers/openwebui/compusrv.crt:/etc/ssl/certs/ca-certificates.crt:ro
      - /etc/timezone:/etc/timezone:ro
      - /etc/localtime:/etc/localtime:ro
    environment:
      - WEBUI_NAME=compusrv
      - ENABLE_SIGNUP=False
      - ENABLE_COMMUNITY_SHARING=False
      - WEBUI_SESSION_COOKIE_SAME_SITE=strict
      - WEBUI_SESSION_COOKIE_SECURE=True
      - ENABLE_OLLAMA_API=False
      - REQUESTS_CA_BUNDLE=/etc/ssl/certs/ca-certificates.crt

where /etc/containers/openwebui/compusrv.crt is simply my self-signed certificate (i.e. you don't even need to build a full truststore, if you don't want to).

<!-- gh-comment-id:2258463210 --> @KizzyCode commented on GitHub (Jul 30, 2024): FWIW, you can force python to use the system certificate store via `REQUESTS_CA_BUNDLE=/etc/ssl/certs/ca-certificates.crt` in the environment. My (trimmed down) docker-compose.yml looks like this: ```yml services: openwebui: image: ghcr.io/open-webui/open-webui:main volumes: - /var/containers/openwebui:/app/backend/data:rw - /etc/containers/openwebui/compusrv.crt:/etc/ssl/certs/ca-certificates.crt:ro - /etc/timezone:/etc/timezone:ro - /etc/localtime:/etc/localtime:ro environment: - WEBUI_NAME=compusrv - ENABLE_SIGNUP=False - ENABLE_COMMUNITY_SHARING=False - WEBUI_SESSION_COOKIE_SAME_SITE=strict - WEBUI_SESSION_COOKIE_SECURE=True - ENABLE_OLLAMA_API=False - REQUESTS_CA_BUNDLE=/etc/ssl/certs/ca-certificates.crt ``` where `/etc/containers/openwebui/compusrv.crt` is simply my self-signed certificate (i.e. you don't even need to build a full truststore, if you don't want to).

GiteaMirror commented 2026-04-19 19:24:55 -05:00

Author

Owner

Copy Link

@nomppy commented on GitHub (Jul 30, 2024):

As an alternative to what @KizzyCode said and @theobjectivedad said about setting the REQUESTS_CA_BUNDLE env + mounting the host store, you can also add the following commands in the Dockerfile

COPY <CorporateSSL.crt> /usr/local/share/ca-certificates/
RUN update-ca-certificates

btw, I also have set

ENV PIP_CERT=/etc/ssl/certs/ca-certificates.crt \
    REQUESTS_CA_BUNDLE=/etc/ssl/certs/ca-certificates.crt

Note that if you're building with the Dockerfile, you will also need to add the cert for the frontend build stage

<!-- gh-comment-id:2258541791 --> @nomppy commented on GitHub (Jul 30, 2024): As an alternative to what @KizzyCode said and @theobjectivedad said about setting the `REQUESTS_CA_BUNDLE` env + mounting the host store, you can also add the following commands in the Dockerfile ``` COPY <CorporateSSL.crt> /usr/local/share/ca-certificates/ RUN update-ca-certificates ``` btw, I also have set ``` ENV PIP_CERT=/etc/ssl/certs/ca-certificates.crt \ REQUESTS_CA_BUNDLE=/etc/ssl/certs/ca-certificates.crt ``` Note that if you're building with the Dockerfile, you will also need to add the cert for the frontend `build` stage

GiteaMirror commented 2026-04-19 19:24:55 -05:00

Author

Owner

Copy Link

@christiangierschner commented on GitHub (Aug 6, 2024):

FWIW, you can force python to use the system certificate store via REQUESTS_CA_BUNDLE=/etc/ssl/certs/ca-certificates.crt in the environment.

My (trimmed down) docker-compose.yml looks like this:

services:
  openwebui:
    image: ghcr.io/open-webui/open-webui:main
    volumes:
      - /var/containers/openwebui:/app/backend/data:rw
      - /etc/containers/openwebui/compusrv.crt:/etc/ssl/certs/ca-certificates.crt:ro
      - /etc/timezone:/etc/timezone:ro
      - /etc/localtime:/etc/localtime:ro
    environment:
      - WEBUI_NAME=compusrv
      - ENABLE_SIGNUP=False
      - ENABLE_COMMUNITY_SHARING=False
      - WEBUI_SESSION_COOKIE_SAME_SITE=strict
      - WEBUI_SESSION_COOKIE_SECURE=True
      - ENABLE_OLLAMA_API=False
      - REQUESTS_CA_BUNDLE=/etc/ssl/certs/ca-certificates.crt

where /etc/containers/openwebui/compusrv.crt is simply my self-signed certificate (i.e. you don't even need to build a full truststore, if you don't want to).

Sadly, this does not work for me...

i still get SSL: CERTIFICATE_VERIFY_FAILED if i hit "Continue with OAuth2" on login screen

however if i exec into the container, this works:

>>> import requests
>>> response = requests.get('https://internal-keycloak-url/auth')
>>> print(response)
<Response [200]>

seems like webui is somehow not using the rootca

any ideas?

<!-- gh-comment-id:2271404211 --> @christiangierschner commented on GitHub (Aug 6, 2024): > FWIW, you can force python to use the system certificate store via `REQUESTS_CA_BUNDLE=/etc/ssl/certs/ca-certificates.crt` in the environment. > > My (trimmed down) docker-compose.yml looks like this: > > ```yaml > services: > openwebui: > image: ghcr.io/open-webui/open-webui:main > volumes: > - /var/containers/openwebui:/app/backend/data:rw > - /etc/containers/openwebui/compusrv.crt:/etc/ssl/certs/ca-certificates.crt:ro > - /etc/timezone:/etc/timezone:ro > - /etc/localtime:/etc/localtime:ro > environment: > - WEBUI_NAME=compusrv > - ENABLE_SIGNUP=False > - ENABLE_COMMUNITY_SHARING=False > - WEBUI_SESSION_COOKIE_SAME_SITE=strict > - WEBUI_SESSION_COOKIE_SECURE=True > - ENABLE_OLLAMA_API=False > - REQUESTS_CA_BUNDLE=/etc/ssl/certs/ca-certificates.crt > ``` > > where `/etc/containers/openwebui/compusrv.crt` is simply my self-signed certificate (i.e. you don't even need to build a full truststore, if you don't want to). Sadly, this does not work for me... i still get SSL: CERTIFICATE_VERIFY_FAILED if i hit "Continue with OAuth2" on login screen however if i exec into the container, this works: ``` >>> import requests >>> response = requests.get('https://internal-keycloak-url/auth') >>> print(response) <Response [200]> ``` seems like webui is somehow not using the rootca any ideas?

GiteaMirror commented 2026-04-19 19:24:56 -05:00

Author

Owner

Copy Link

@nomppy commented on GitHub (Aug 6, 2024):

What does your compose file look like?

<!-- gh-comment-id:2271809913 --> @nomppy commented on GitHub (Aug 6, 2024): What does your compose file look like?

GiteaMirror commented 2026-04-19 19:24:57 -05:00

Author

Owner

Copy Link

@christiangierschner commented on GitHub (Aug 7, 2024):

services:
  ollama:
    image: ghcr.io/open-webui/open-webui:v0.3.11
    volumes:
      - ollama-webui:/app/backend/data
      - /usr/local/share/ca-certificates/rootca.crt:/etc/ssl/certs/ca-certificates.crt:ro
    environment:
      OLLAMA_BASE_URL: http://ollama-api:11434
      ENABLE_OAUTH_SIGNUP: true
      ENABLE_LOGIN_FORM: false
      ENABLE_SIGNUP: false
      OAUTH_MERGE_ACCOUNTS_BY_EMAIL: true
      OAUTH_USERNAME_CLAIM: name
      OAUTH_CLIENT_ID: ollama
      OAUTH_CLIENT_SECRET:
      OPENID_PROVIDER_URL: https://$KEYCLOAKURL/auth/realms/$REALMNAME/.well-known/openid-configuration
      OAUTH_PROVIDER_NAME: Keycloak
      REQUESTS_CA_BUNDLE: /etc/ssl/certs/ca-certificates.crt
    extra_hosts:
      - host.docker.internal:host-gateway
    restart: unless-stopped
    networks:
      - backend
      - frontend

    labels:
      - traefik.enable=true
      - traefik.http.routers.ollama.rule=Host(`$HOST_NAME`)
      - traefik.http.routers.ollama.tls.certresolver=internal-acme
      - traefik.http.routers.ollama.service=ollama
      - traefik.http.routers.ollama.entrypoints=https
      - traefik.http.services.ollama.loadbalancer.server.port=8080

<!-- gh-comment-id:2272825711 --> @christiangierschner commented on GitHub (Aug 7, 2024): ``` services: ollama: image: ghcr.io/open-webui/open-webui:v0.3.11 volumes: - ollama-webui:/app/backend/data - /usr/local/share/ca-certificates/rootca.crt:/etc/ssl/certs/ca-certificates.crt:ro environment: OLLAMA_BASE_URL: http://ollama-api:11434 ENABLE_OAUTH_SIGNUP: true ENABLE_LOGIN_FORM: false ENABLE_SIGNUP: false OAUTH_MERGE_ACCOUNTS_BY_EMAIL: true OAUTH_USERNAME_CLAIM: name OAUTH_CLIENT_ID: ollama OAUTH_CLIENT_SECRET: OPENID_PROVIDER_URL: https://$KEYCLOAKURL/auth/realms/$REALMNAME/.well-known/openid-configuration OAUTH_PROVIDER_NAME: Keycloak REQUESTS_CA_BUNDLE: /etc/ssl/certs/ca-certificates.crt extra_hosts: - host.docker.internal:host-gateway restart: unless-stopped networks: - backend - frontend labels: - traefik.enable=true - traefik.http.routers.ollama.rule=Host(`$HOST_NAME`) - traefik.http.routers.ollama.tls.certresolver=internal-acme - traefik.http.routers.ollama.service=ollama - traefik.http.routers.ollama.entrypoints=https - traefik.http.services.ollama.loadbalancer.server.port=8080

GiteaMirror commented 2026-04-19 19:24:57 -05:00

Author

Owner

Copy Link

@nomppy commented on GitHub (Aug 7, 2024):

Is /usr/local/share/ca-certificates/roocat.crt the complete CA used by your system. If it's just your custom root CA, then you are not giving python any of the usual certs usually present in /etc/ssl/certs/ca-certificates.crt.

Can you try update-ca-certificates on your host and then mapping /etc/ssl/certs/ca-certificates.crt:/etc/ssl/certs/ca-certificates.crt:ro?

<!-- gh-comment-id:2273772473 --> @nomppy commented on GitHub (Aug 7, 2024): Is `/usr/local/share/ca-certificates/roocat.crt` the complete CA used by your system. If it's just your custom root CA, then you are not giving python any of the usual certs usually present in /etc/ssl/certs/ca-certificates.crt. Can you try `update-ca-certificates` on your host and then mapping `/etc/ssl/certs/ca-certificates.crt:/etc/ssl/certs/ca-certificates.crt:ro`?

GiteaMirror commented 2026-04-19 19:24:58 -05:00

Author

Owner

Copy Link

@christiangierschner commented on GitHub (Aug 9, 2024):

i tried both...none works
our hosts all have our rootca implmented with update-ca-certificates

i get Internal Server Error and SSL: CERTIFICATE_VERIFY_FAILED

services:
  ollama:
    image: ghcr.io/open-webui/open-webui:v0.3.12
    volumes:
      - ollama-webui:/app/backend/data
      - /etc/timezone:/etc/timezone:ro
      - /etc/localtime:/etc/localtime:ro
      - /etc/ssl/certs/ca-certificates.crt:/etc/ssl/certs/ca-certificates.crt:ro
      - /usr/local/share/ca-certificates/rootca.crt:/usr/local/share/ca-certificates/rootca.crt
    environment:
      OLLAMA_BASE_URL: http://ollama-api:11434
      ENABLE_OAUTH_SIGNUP: true
      ENABLE_LOGIN_FORM: false
      ENABLE_SIGNUP: false
      OAUTH_MERGE_ACCOUNTS_BY_EMAIL: true
      OAUTH_USERNAME_CLAIM: name
      OAUTH_CLIENT_ID: ollama
      OAUTH_CLIENT_SECRET:
      OPENID_PROVIDER_URL: https://$KEYCLOAKURL/auth/realms/$REALMNAME/.well-known/openid-configuration
      OAUTH_PROVIDER_NAME: Keycloak
      REQUESTS_CA_BUNDLE: /etc/ssl/certs/ca-certificates.crt
    extra_hosts:
      - host.docker.internal:host-gateway
    restart: unless-stopped
    networks:
      - backend
      - frontend

    labels:
      - traefik.enable=true
      - traefik.http.routers.ollama.rule=Host(`$HOST_NAME`)
      - traefik.http.routers.ollama.tls.certresolver=ukd-internal
      - traefik.http.routers.ollama.service=ollama
      - traefik.http.routers.ollama.entrypoints=https
      - traefik.http.services.ollama.loadbalancer.server.port=8080

<!-- gh-comment-id:2277693712 --> @christiangierschner commented on GitHub (Aug 9, 2024): i tried both...none works our hosts all have our rootca implmented with ```update-ca-certificates``` i get Internal Server Error and SSL: CERTIFICATE_VERIFY_FAILED ``` services: ollama: image: ghcr.io/open-webui/open-webui:v0.3.12 volumes: - ollama-webui:/app/backend/data - /etc/timezone:/etc/timezone:ro - /etc/localtime:/etc/localtime:ro - /etc/ssl/certs/ca-certificates.crt:/etc/ssl/certs/ca-certificates.crt:ro - /usr/local/share/ca-certificates/rootca.crt:/usr/local/share/ca-certificates/rootca.crt environment: OLLAMA_BASE_URL: http://ollama-api:11434 ENABLE_OAUTH_SIGNUP: true ENABLE_LOGIN_FORM: false ENABLE_SIGNUP: false OAUTH_MERGE_ACCOUNTS_BY_EMAIL: true OAUTH_USERNAME_CLAIM: name OAUTH_CLIENT_ID: ollama OAUTH_CLIENT_SECRET: OPENID_PROVIDER_URL: https://$KEYCLOAKURL/auth/realms/$REALMNAME/.well-known/openid-configuration OAUTH_PROVIDER_NAME: Keycloak REQUESTS_CA_BUNDLE: /etc/ssl/certs/ca-certificates.crt extra_hosts: - host.docker.internal:host-gateway restart: unless-stopped networks: - backend - frontend labels: - traefik.enable=true - traefik.http.routers.ollama.rule=Host(`$HOST_NAME`) - traefik.http.routers.ollama.tls.certresolver=ukd-internal - traefik.http.routers.ollama.service=ollama - traefik.http.routers.ollama.entrypoints=https - traefik.http.services.ollama.loadbalancer.server.port=8080

GiteaMirror commented 2026-04-19 19:24:59 -05:00

Author

Owner

Copy Link

@nomppy commented on GitHub (Aug 9, 2024):

• Can you manually check that /etcssl/certs/ca-certificates.crt contains the cert in rootca.crt?
• How did you obtain rootca.crt?
• Do you can SSL error only when you click login with oAuth, or also for other things? I.e., can you try to log in with username/password and see if you get an error for requests to e.g. OpenAI?

<!-- gh-comment-id:2278305566 --> @nomppy commented on GitHub (Aug 9, 2024): - Can you manually check that `/etcssl/certs/ca-certificates.crt` contains the cert in rootca.crt? - How did you obtain `rootca.crt`? - Do you can SSL error only when you click login with oAuth, or also for other things? I.e., can you try to log in with username/password and see if you get an error for requests to e.g. OpenAI?

GiteaMirror commented 2026-04-19 19:25:00 -05:00

Author

Owner

Copy Link

@bkev commented on GitHub (Aug 10, 2024):

After struggling with this myself, thanks for the pointers in here.

What fixed this for me was

I copied the root.crt (from Caddy) to my Linux device and put it in /usr/local/share/ca-certificates

I then ran sudo update-ca-certificates which said it had added one cert.

After playing about, the only options that seemed to work me for me was adding these to my docker run command

-v /link/to/my/cert.crt:/etc/ssl/certs/ca-certificates.crt:ro

AND
-e REQUESTS_CA_BUNDLE=/etc/ssl/certs/ca-certificates.crt

After that, the Openweb-ui accepted the connections and it worked.

<!-- gh-comment-id:2281581701 --> @bkev commented on GitHub (Aug 10, 2024): After struggling with this myself, thanks for the pointers in here. What fixed this for me was I copied the root.crt (from Caddy) to my Linux device and put it in /usr/local/share/ca-certificates I then ran sudo update-ca-certificates which said it had added one cert. After playing about, the only options that seemed to work me for me was adding these to my docker run command -v /link/to/my/cert.crt:/etc/ssl/certs/ca-certificates.crt:ro AND -e REQUESTS_CA_BUNDLE=/etc/ssl/certs/ca-certificates.crt After that, the Openweb-ui accepted the connections and it worked.

GiteaMirror commented 2026-04-19 19:25:00 -05:00

Author

Owner

Copy Link

@christiangierschner commented on GitHub (Aug 12, 2024):

• Can you manually check that /etcssl/certs/ca-certificates.crt contains the cert in rootca.crt?

  • How did you obtain rootca.crt?

  • Do you can SSL error only when you click login with oAuth, or also for other things? I.e., can you try to log in with username/password and see if you get an error for requests to e.g. OpenAI?

Yes, it contains the cert.
I got it from our rootca server and we use it in all our servers and deployments via ansible. It works.

I only get the error, when i click on login with OAuth. Open-webui then connects to our internal keycloak secured with a signed cert from our rootca.

<!-- gh-comment-id:2284320925 --> @christiangierschner commented on GitHub (Aug 12, 2024): > * Can you manually check that `/etcssl/certs/ca-certificates.crt` contains the cert in rootca.crt? > > * How did you obtain `rootca.crt`? > > * Do you can SSL error only when you click login with oAuth, or also for other things? I.e., can you try to log in with username/password and see if you get an error for requests to e.g. OpenAI? Yes, it contains the cert. I got it from our rootca server and we use it in all our servers and deployments via ansible. It works. I only get the error, when i click on login with OAuth. Open-webui then connects to our internal keycloak secured with a signed cert from our rootca.

GiteaMirror commented 2026-04-19 19:25:01 -05:00

Author

Owner

Copy Link

@ebakoba commented on GitHub (Aug 14, 2024):

@christiangierschner and all the future people struggling with OAuth and custom CA certs.

It was able to deduce from the logs that OAuth does not use requests as its client module, but httpx instead. httpx documentation explains that custom CA certs could be used by using environment variable SSL_CERT_FILE. I was able to resolve my cert issue by adding:

environment:
  # ...
  # other values
  - SSL_CERT_FILE=/etc/ssl/certs/ca-certificates.crt

to docker compose.

<!-- gh-comment-id:2289420421 --> @ebakoba commented on GitHub (Aug 14, 2024): @christiangierschner and all the future people struggling with OAuth and custom CA certs. It was able to deduce from the logs that OAuth does not use `requests` as its client module, but `httpx` instead. `httpx` documentation explains that custom CA certs could be used by using environment variable `SSL_CERT_FILE`. I was able to resolve my cert issue by adding: ```yml environment: # ... # other values - SSL_CERT_FILE=/etc/ssl/certs/ca-certificates.crt ``` to docker compose.

GiteaMirror commented 2026-04-19 19:25:02 -05:00

Author

Owner

Copy Link

@idling-mind commented on GitHub (Feb 6, 2025):

I had similar problem in testing OWUI in an enterprise setting. What ever I tried, I was unable to connect to openai's api end points. This is what finally fixed my issue. If this looks like a useful solution, i'd be happy to create a pull request.

1. Updated open_webui/routers/openai.py and added the following in the start.

...
import ssl
import certifi
ssl_context = ssl.create_default_context(cafile=os.environ.get("SSL_CERT_FILE", certifi.where()))
...

Then where ever I found a session.get or session.request I added ssl=ssl_context.
2. set the env variable SSL_CERT_FILE to /etc/ssl/certs/ca-bundle.crt

Now I'm able to connect to openai api endpoints.

<!-- gh-comment-id:2639322009 --> @idling-mind commented on GitHub (Feb 6, 2025): I had similar problem in testing OWUI in an enterprise setting. What ever I tried, I was unable to connect to openai's api end points. This is what finally fixed my issue. If this looks like a useful solution, i'd be happy to create a pull request. 1. Updated `open_webui/routers/openai.py` and added the following in the start. ```python ... import ssl import certifi ssl_context = ssl.create_default_context(cafile=os.environ.get("SSL_CERT_FILE", certifi.where())) ... ``` Then where ever I found a `session.get` or `session.request` I added `ssl=ssl_context`. 2. set the env variable `SSL_CERT_FILE` to `/etc/ssl/certs/ca-bundle.crt` Now I'm able to connect to openai api endpoints.

GiteaMirror referenced this issue 2026-04-19 22:30:45 -05:00

[GH-ISSUE #12479] issue: openapi tool payload conversion only uses summary not description #16617

GiteaMirror referenced this issue 2026-04-25 06:02:19 -05:00

[GH-ISSUE #12479] issue: openapi tool payload conversion only uses summary not description #32146

GiteaMirror referenced this issue 2026-05-05 17:24:20 -05:00

[GH-ISSUE #12479] issue: openapi tool payload conversion only uses summary not description #55283

Sign in to join this conversation.

No Branch/Tag Specified

Branches Tags

main

dev

v0.9.2

v0.9.1

v0.9.0

v0.8.12

v0.8.11

v0.8.10

v0.8.9

v0.8.8

v0.8.7

v0.8.6

v0.8.5

v0.8.4

v0.8.3

v0.8.2

v0.8.1

v0.8.0

v0.7.2

v0.7.1

v0.7.0

v0.6.43

v0.6.42

v0.6.41

v0.6.40

v0.6.39

v0.6.38

v0.6.37

v0.6.36

v0.6.35

v0.6.34

v0.6.33

v0.6.32

v0.6.31

v0.6.30

v0.6.29

v0.6.28

v0.6.27

v0.6.26

v0.6.25

v0.6.24

v0.6.23

v0.6.22

v0.6.21

v0.6.20

v0.6.19

v0.6.18

v0.6.17

v0.6.16

v0.6.15

v0.6.14

v0.6.13

v0.6.12

v0.6.11

v0.6.10

v0.6.9

v0.6.8

v0.6.7

v0.6.6

v0.6.5

v0.6.4

v0.6.3

v0.6.2

v0.6.1

v0.6.0

v0.5.20

v0.5.19

v0.5.18

v0.5.17

v0.5.16

v0.5.15

v0.5.14

v0.5.13

v0.5.12

v0.5.11

v0.5.10

v0.5.9

v0.5.8

v0.5.7

v0.5.6

v0.5.5

v0.5.4

v0.5.3

v0.5.2

v0.5.1

v0.5.0

v0.4.8

v0.4.7

v0.4.6

v0.4.5

v0.4.4

v0.4.3

v0.4.2

v0.4.1

v0.4.0

v0.3.35

v0.3.34

v0.3.33

v0.3.32

v0.3.31

v0.3.30

v0.3.29

v0.3.28

v0.3.27

v0.3.26

v0.3.25

v0.3.24

v0.3.23

v0.3.22

v0.3.21

v0.3.20

v0.3.19

v0.3.18

v0.3.17

v0.3.16

v0.3.15

v0.3.14

v0.3.13

v0.3.12

v0.3.11

v0.3.10

v0.3.9

v0.3.8

v0.3.7

v0.3.6

v0.3.5

v0.3.4

v0.3.3

v0.3.2

v0.3.1

v0.3.0

v0.2.5

v0.2.4

v0.2.3

v0.2.2

v0.2.1

v0.2.0

v0.1.125

v0.1.124

v0.1.123

v0.1.122

v0.1.121

v0.1.120

v0.1.119

v0.1.118

v0.1.117

v0.1.116

v0.1.115

v0.1.114

v0.1.113

v0.1.112

v0.1.111

v0.1.110

v0.1.109

v0.1.108

v0.1.107

v0.1.106

v0.1.105

v0.1.104

v0.1.103

v0.1.102

Labels

Clear labels

bug

confirmed

confirmed issue

core

documentation

enhancement

good first issue

help wanted

non-core

pull-request

Mirrored from GitHub Pull Request

python

question

testing wanted

No Label help wanted

Milestone

No items

No Milestone

Projects

Clear projects

No project

Assignees

Clear assignees

GiteaMirror ninjasurge

No Assignees

1 Participants

Notifications

Subscribe

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: github-starred/open-webui#12479