github-starred/open-webui
2
0
Fork 0
mirror of https://github.com/open-webui/open-webui.git synced 2026-05-08 04:16:03 -05:00
Code Issues 1.3k Packages Projects Releases 126 Wiki Activity

[GH-ISSUE #15882] issue: OpenSSL internal error: FATAL FIPS SELFTEST FAILURE for v0.6.16 and above for OpenShift (k8s) FIPS enabled environment #17705

New Issue
Closed
opened 2026-04-19 23:32:12 -05:00 by GiteaMirror · 12 comments
GiteaMirror commented 2026-04-19 23:32:12 -05:00
Owner
Copy Link

Originally created by @jayteaftw on GitHub (Jul 20, 2025).
Original GitHub issue: https://github.com/open-webui/open-webui/issues/15882

Check Existing Issues

  • I have searched the existing issues and discussions.
  • I am using the latest version of Open WebUI.

Installation Method

Docker

Open WebUI Version

v0.6.16,v0.6.17,v0.6.18

Ollama Version (if applicable)

No response

Operating System

Openshift 4.17.9

Browser (if applicable)

No response

Confirmation

  • I have read and followed all instructions in README.md.
  • I am using the latest version of both Open WebUI and Ollama.
  • I have included the browser console logs.
  • I have included the Docker container logs.
  • I have provided every relevant configuration, setting, and environment variable used in my setup.
  • I have clearly listed every relevant configuration, custom setting, environment variable, and command-line option that influences my setup (such as Docker Compose overrides, .env values, browser settings, authentication configurations, etc).
  • I have documented step-by-step reproduction instructions that are precise, sequential, and leave nothing to interpretation. My steps:
  • Start with the initial platform/version/OS and dependencies used,
  • Specify exact install/launch/configure commands,
  • List URLs visited, user input (incl. example values/emails/passwords if needed),
  • Describe all options and toggles enabled or changed,
  • Include any files or environmental changes,
  • Identify the expected and actual result at each stage,
  • Ensure any reasonably skilled user can follow and hit the same issue.

Expected Behavior

Expect open webui to start like it did in v0.16.15

Actual Behavior

In v0.6.16 and beyond, Open Webui now fails with error crypto/fips/fips.c:154: OpenSSL internal error: FATAL FIPS SELFTEST FAILURE

Steps to Reproduce

Within an openshift(k8s) FIPS enabled environment, created a deployment file such as

apiVersion: apps/v1 
kind: Deployment
metadata:
  name: open-webui-deployment
  namespace: open-webui
spec:
  replicas: 1
  selector:
    matchLabels:
      app: open-webui
  template:
    metadata:
      labels:
        app: open-webui
    spec:
      containers:
      - name: open-webui
        image: ghcr.io/open-webui/open-webui:v0.6.16
        resources:
          requests:
            cpu: "2.0"
            memory: "2Gi"
          limits:
            cpu: "4.0"
            memory: "16Gi"

Logs & Screenshots

Loading WEBUI_SECRET_KEY from file, not provided as an environment variable.
Generating WEBUI_SECRET_KEY
Loading WEBUI_SECRET_KEY from .webui_secret_key
/app/backend/open_webui
/app/backend
/app
INFO  [alembic.runtime.migration] Context impl SQLiteImpl.
INFO  [alembic.runtime.migration] Will assume non-transactional DDL.
INFO  [alembic.runtime.migration] Running upgrade  -> 7e5b5dc7342b, init
INFO  [alembic.runtime.migration] Running upgrade 7e5b5dc7342b -> ca81bd47c050, Add config table
INFO  [alembic.runtime.migration] Running upgrade ca81bd47c050 -> c0fbf31ca0db, Update file table
INFO  [alembic.runtime.migration] Running upgrade c0fbf31ca0db -> 6a39f3d8e55c, Add knowledge table
Creating knowledge table
Migrating data from document table to knowledge table
INFO  [alembic.runtime.migration] Running upgrade 6a39f3d8e55c -> 242a2047eae0, Update chat table
Converting 'chat' column to JSON
Renaming 'chat' column to 'old_chat'
Adding new 'chat' column of type JSON
Dropping 'old_chat' column
INFO  [alembic.runtime.migration] Running upgrade 242a2047eae0 -> 1af9b942657b, Migrate tags
INFO  [alembic.runtime.migration] Running upgrade 1af9b942657b -> 3ab32c4b8f59, Update tags
Primary Key: {'name': None, 'constrained_columns': []}
Unique Constraints: [{'name': 'uq_id_user_id', 'column_names': ['id', 'user_id']}]
Indexes: [{'name': 'tag_id', 'column_names': ['id'], 'unique': 1, 'dialect_options': {}}]
Creating new primary key with 'id' and 'user_id'.
Dropping unique constraint: uq_id_user_id
Dropping unique index: tag_id
INFO  [alembic.runtime.migration] Running upgrade 3ab32c4b8f59 -> c69f45358db4, Add folder table
INFO  [alembic.runtime.migration] Running upgrade c69f45358db4 -> c29facfe716b, Update file table path
INFO  [alembic.runtime.migration] Running upgrade c29facfe716b -> af906e964978, Add feedback table
INFO  [alembic.runtime.migration] Running upgrade af906e964978 -> 4ace53fd72c8, Update folder table and change DateTime to BigInteger for timestamp fields
INFO  [alembic.runtime.migration] Running upgrade 4ace53fd72c8 -> 922e7a387820, Add group table
INFO  [alembic.runtime.migration] Running upgrade 922e7a387820 -> 57c599a3cb57, Add channel table
INFO  [alembic.runtime.migration] Running upgrade 57c599a3cb57 -> 7826ab40b532, Update file table
INFO  [alembic.runtime.migration] Running upgrade 7826ab40b532 -> 3781e22d8b01, Update message & channel tables
INFO  [alembic.runtime.migration] Running upgrade 3781e22d8b01 -> 9f0c9cd09105, Add note table
INFO  [alembic.runtime.migration] Running upgrade 9f0c9cd09105 -> d31026856c01, Update folder table data
WARNI [open_webui.env] 

WARNING: CORS_ALLOW_ORIGIN IS SET TO '*' - NOT RECOMMENDED FOR PRODUCTION DEPLOYMENTS.

INFO  [open_webui.env] Embedding model set: sentence-transformers/all-MiniLM-L6-v2
ERROR [chromadb.telemetry.product.posthog] Failed to send telemetry event ClientStartEvent: capture() takes 1 positional argument but 3 were given
WARNI [langchain_community.utils.user_agent] USER_AGENT environment variable not set, consider setting it to identify your requests.

 ██████╗ ██████╗ ███████╗███╗   ██╗    ██╗    ██╗███████╗██████╗ ██╗   ██╗██╗
██╔═══██╗██╔══██╗██╔════╝████╗  ██║    ██║    ██║██╔════╝██╔══██╗██║   ██║██║
██║   ██║██████╔╝█████╗  ██╔██╗ ██║    ██║ █╗ ██║█████╗  ██████╔╝██║   ██║██║
██║   ██║██╔═══╝ ██╔══╝  ██║╚██╗██║    ██║███╗██║██╔══╝  ██╔══██╗��█║   ██║██║
╚██████╔╝██║     ███████╗██║ ╚████║    ╚███╔███╔╝███████╗██████╔╝╚██████╔╝██║
 ╚═════╝ ╚═╝     ╚══════╝╚═╝  ╚═══╝     ╚══╝╚══╝ ╚══════╝╚═════╝  ╚═════╝ ╚═╝


v0.6.16 - building the best AI user interface.

https://github.com/open-webui/open-webui

crypto/fips/fips.c:154: OpenSSL internal error: FATAL FIPS SELFTEST FAILURE

Additional Information

I noticed that the cryptography package was added in v0.6.16. Could that be causing the issue?

Originally created by @jayteaftw on GitHub (Jul 20, 2025). Original GitHub issue: https://github.com/open-webui/open-webui/issues/15882 ### Check Existing Issues - [x] I have searched the existing issues and discussions. - [x] I am using the latest version of Open WebUI. ### Installation Method Docker ### Open WebUI Version v0.6.16,v0.6.17,v0.6.18 ### Ollama Version (if applicable) _No response_ ### Operating System Openshift 4.17.9 ### Browser (if applicable) _No response_ ### Confirmation - [x] I have read and followed all instructions in `README.md`. - [x] I am using the latest version of **both** Open WebUI and Ollama. - [x] I have included the browser console logs. - [x] I have included the Docker container logs. - [x] I have **provided every relevant configuration, setting, and environment variable used in my setup.** - [x] I have clearly **listed every relevant configuration, custom setting, environment variable, and command-line option that influences my setup** (such as Docker Compose overrides, .env values, browser settings, authentication configurations, etc). - [x] I have documented **step-by-step reproduction instructions that are precise, sequential, and leave nothing to interpretation**. My steps: - Start with the initial platform/version/OS and dependencies used, - Specify exact install/launch/configure commands, - List URLs visited, user input (incl. example values/emails/passwords if needed), - Describe all options and toggles enabled or changed, - Include any files or environmental changes, - Identify the expected and actual result at each stage, - Ensure any reasonably skilled user can follow and hit the same issue. ### Expected Behavior Expect open webui to start like it did in v0.16.15 ### Actual Behavior In v0.6.16 and beyond, Open Webui now fails with error `crypto/fips/fips.c:154: OpenSSL internal error: FATAL FIPS SELFTEST FAILURE` ### Steps to Reproduce Within an openshift(k8s) FIPS enabled environment, created a deployment file such as ``` apiVersion: apps/v1 kind: Deployment metadata: name: open-webui-deployment namespace: open-webui spec: replicas: 1 selector: matchLabels: app: open-webui template: metadata: labels: app: open-webui spec: containers: - name: open-webui image: ghcr.io/open-webui/open-webui:v0.6.16 resources: requests: cpu: "2.0" memory: "2Gi" limits: cpu: "4.0" memory: "16Gi" ``` ### Logs & Screenshots ``` Loading WEBUI_SECRET_KEY from file, not provided as an environment variable. Generating WEBUI_SECRET_KEY Loading WEBUI_SECRET_KEY from .webui_secret_key /app/backend/open_webui /app/backend /app INFO [alembic.runtime.migration] Context impl SQLiteImpl. INFO [alembic.runtime.migration] Will assume non-transactional DDL. INFO [alembic.runtime.migration] Running upgrade -> 7e5b5dc7342b, init INFO [alembic.runtime.migration] Running upgrade 7e5b5dc7342b -> ca81bd47c050, Add config table INFO [alembic.runtime.migration] Running upgrade ca81bd47c050 -> c0fbf31ca0db, Update file table INFO [alembic.runtime.migration] Running upgrade c0fbf31ca0db -> 6a39f3d8e55c, Add knowledge table Creating knowledge table Migrating data from document table to knowledge table INFO [alembic.runtime.migration] Running upgrade 6a39f3d8e55c -> 242a2047eae0, Update chat table Converting 'chat' column to JSON Renaming 'chat' column to 'old_chat' Adding new 'chat' column of type JSON Dropping 'old_chat' column INFO [alembic.runtime.migration] Running upgrade 242a2047eae0 -> 1af9b942657b, Migrate tags INFO [alembic.runtime.migration] Running upgrade 1af9b942657b -> 3ab32c4b8f59, Update tags Primary Key: {'name': None, 'constrained_columns': []} Unique Constraints: [{'name': 'uq_id_user_id', 'column_names': ['id', 'user_id']}] Indexes: [{'name': 'tag_id', 'column_names': ['id'], 'unique': 1, 'dialect_options': {}}] Creating new primary key with 'id' and 'user_id'. Dropping unique constraint: uq_id_user_id Dropping unique index: tag_id INFO [alembic.runtime.migration] Running upgrade 3ab32c4b8f59 -> c69f45358db4, Add folder table INFO [alembic.runtime.migration] Running upgrade c69f45358db4 -> c29facfe716b, Update file table path INFO [alembic.runtime.migration] Running upgrade c29facfe716b -> af906e964978, Add feedback table INFO [alembic.runtime.migration] Running upgrade af906e964978 -> 4ace53fd72c8, Update folder table and change DateTime to BigInteger for timestamp fields INFO [alembic.runtime.migration] Running upgrade 4ace53fd72c8 -> 922e7a387820, Add group table INFO [alembic.runtime.migration] Running upgrade 922e7a387820 -> 57c599a3cb57, Add channel table INFO [alembic.runtime.migration] Running upgrade 57c599a3cb57 -> 7826ab40b532, Update file table INFO [alembic.runtime.migration] Running upgrade 7826ab40b532 -> 3781e22d8b01, Update message & channel tables INFO [alembic.runtime.migration] Running upgrade 3781e22d8b01 -> 9f0c9cd09105, Add note table INFO [alembic.runtime.migration] Running upgrade 9f0c9cd09105 -> d31026856c01, Update folder table data WARNI [open_webui.env] WARNING: CORS_ALLOW_ORIGIN IS SET TO '*' - NOT RECOMMENDED FOR PRODUCTION DEPLOYMENTS. INFO [open_webui.env] Embedding model set: sentence-transformers/all-MiniLM-L6-v2 ERROR [chromadb.telemetry.product.posthog] Failed to send telemetry event ClientStartEvent: capture() takes 1 positional argument but 3 were given WARNI [langchain_community.utils.user_agent] USER_AGENT environment variable not set, consider setting it to identify your requests. ██████╗ ██████╗ ███████╗███╗ ██╗ ██╗ ██╗███████╗██████╗ ██╗ ██╗██╗ ██╔═══██╗██╔══██╗██╔════╝████╗ ██║ ██║ ██║██╔════╝██╔══██╗██║ ██║██║ ██║ ██║██████╔╝█████╗ ██╔██╗ ██║ ██║ █╗ ██║█████╗ ██████╔╝██║ ██║██║ ██║ ██║██╔═══╝ ██╔══╝ ██║╚██╗██║ ██║███╗██║██╔══╝ ██╔══██╗��█║ ██║██║ ╚██████╔╝██║ ███████╗██║ ╚████║ ╚███╔███╔╝███████╗██████╔╝╚██████╔╝██║ ╚═════╝ ╚═╝ ╚══════╝╚═╝ ╚═══╝ ╚══╝╚══╝ ╚══════╝╚═════╝ ╚═════╝ ╚═╝ v0.6.16 - building the best AI user interface. https://github.com/open-webui/open-webui crypto/fips/fips.c:154: OpenSSL internal error: FATAL FIPS SELFTEST FAILURE ``` ### Additional Information I noticed that the cryptography package was added in v0.6.16. Could that be causing the issue?
GiteaMirror added the bug label 2026-04-19 23:32:12 -05:00
GiteaMirror commented 2026-04-19 23:32:16 -05:00
Author
Owner
Copy Link

@jayteaftw commented on GitHub (Jul 20, 2025):

Okay I have added OPENSSL_FORCE_FIPS_MODE=0, and open webui successfully started. However this means FIPS has been disabled which is not a working solution

After retesting this, I could not reproduce the results I claimed.

<!-- gh-comment-id:3093149418 --> @jayteaftw commented on GitHub (Jul 20, 2025): ~~Okay I have added OPENSSL_FORCE_FIPS_MODE=0, and open webui successfully started. However this means FIPS has been disabled which is not a working solution~~ After retesting this, I could not reproduce the results I claimed.
GiteaMirror commented 2026-04-19 23:32:17 -05:00
Author
Owner
Copy Link

@rgaricano commented on GitHub (Jul 20, 2025):

The chromadb issue due to posthog recent update was fixed in v0.6.17

could you post the error log but with image: ghcr.io/open-webui/open-webui:v0.6.17 or image: ghcr.io/open-webui/open-webui:v0.6.18 ?

<!-- gh-comment-id:3094209614 --> @rgaricano commented on GitHub (Jul 20, 2025): The chromadb issue due to posthog recent update was fixed in v0.6.17 could you post the error log but with image: ghcr.io/open-webui/open-webui:v0.6.17 or image: ghcr.io/open-webui/open-webui:v0.6.18 ?
GiteaMirror commented 2026-04-19 23:32:18 -05:00
Author
Owner
Copy Link

@jayteaftw commented on GitHub (Jul 20, 2025):

I tested both v.0.6.17 and v0.6.18 before posting but here are the logs for v.0.6.18

Loading WEBUI_SECRET_KEY from file, not provided as an environment variable.
Generating WEBUI_SECRET_KEY
Loading WEBUI_SECRET_KEY from .webui_secret_key
/app/backend/open_webui
/app/backend
/app
INFO  [alembic.runtime.migration] Context impl SQLiteImpl.
INFO  [alembic.runtime.migration] Will assume non-transactional DDL.
INFO  [alembic.runtime.migration] Running upgrade  -> 7e5b5dc7342b, init
INFO  [alembic.runtime.migration] Running upgrade 7e5b5dc7342b -> ca81bd47c050, Add config table
INFO  [alembic.runtime.migration] Running upgrade ca81bd47c050 -> c0fbf31ca0db, Update file table
INFO  [alembic.runtime.migration] Running upgrade c0fbf31ca0db -> 6a39f3d8e55c, Add knowledge table
Creating knowledge table
Migrating data from document table to knowledge table
INFO  [alembic.runtime.migration] Running upgrade 6a39f3d8e55c -> 242a2047eae0, Update chat table
Converting 'chat' column to JSON
Renaming 'chat' column to 'old_chat'
Adding new 'chat' column of type JSON
Dropping 'old_chat' column
INFO  [alembic.runtime.migration] Running upgrade 242a2047eae0 -> 1af9b942657b, Migrate tags
INFO  [alembic.runtime.migration] Running upgrade 1af9b942657b -> 3ab32c4b8f59, Update tags
Primary Key: {'name': None, 'constrained_columns': []}
Unique Constraints: [{'name': 'uq_id_user_id', 'column_names': ['id', 'user_id']}]
Indexes: [{'name': 'tag_id', 'column_names': ['id'], 'unique': 1, 'dialect_options': {}}]
Creating new primary key with 'id' and 'user_id'.
Dropping unique constraint: uq_id_user_id
Dropping unique index: tag_id
INFO  [alembic.runtime.migration] Running upgrade 3ab32c4b8f59 -> c69f45358db4, Add folder table
INFO  [alembic.runtime.migration] Running upgrade c69f45358db4 -> c29facfe716b, Update file table path
INFO  [alembic.runtime.migration] Running upgrade c29facfe716b -> af906e964978, Add feedback table
INFO  [alembic.runtime.migration] Running upgrade af906e964978 -> 4ace53fd72c8, Update folder table and change DateTime to BigInteger for timestamp fields
INFO  [alembic.runtime.migration] Running upgrade 4ace53fd72c8 -> 922e7a387820, Add group table
INFO  [alembic.runtime.migration] Running upgrade 922e7a387820 -> 57c599a3cb57, Add channel table
INFO  [alembic.runtime.migration] Running upgrade 57c599a3cb57 -> 7826ab40b532, Update file table
INFO  [alembic.runtime.migration] Running upgrade 7826ab40b532 -> 3781e22d8b01, Update message & channel tables
INFO  [alembic.runtime.migration] Running upgrade 3781e22d8b01 -> 9f0c9cd09105, Add note table
INFO  [alembic.runtime.migration] Running upgrade 9f0c9cd09105 -> d31026856c01, Update folder table data
WARNI [open_webui.env] 

WARNING: CORS_ALLOW_ORIGIN IS SET TO '*' - NOT RECOMMENDED FOR PRODUCTION DEPLOYMENTS.

INFO  [open_webui.env] Embedding model set: sentence-transformers/all-MiniLM-L6-v2
WARNI [langchain_community.utils.user_agent] USER_AGENT environment variable not set, consider setting it to identify your requests.

 ██████╗ ██████╗ ███████╗███╗   ██╗    ██╗    ██╗███████╗██████╗ ██╗   ██╗██╗
██╔═══██╗██╔══██╗██╔════╝████╗  ██║    ██║    ██║██╔════╝██╔══██╗██║   ██║██║
██â���‘   ██║██████╔╝█████╗  ██╔██╗ ██║    ██║ █╗ ██║█████╗  ██████╔╝██║   ██║██║
██║   ██║██╔═══╝ ██╔══╝  ██║╚██╗██║    ██║███╗██║██╔══╝  ██╔══██╗██║   ██║██║
╚██████╔╝██║     ███████╗██║ ╚████║    ╚███╔███╔╝███████╗██████╔╝╚██████╔╝██║
 ╚═════╝ ╚═╝     ╚══════╝╚═╝  ╚═══╝     ╚══╝╚══╝ ╚══════╝╚═════╝  ╚═════╝ ╚═╝


v0.6.18 - building the best AI user interface.

https://github.com/open-webui/open-webui

crypto/fips/fips.c:154: OpenSSL internal error: FATAL FIPS SELFTEST FAILURE
<!-- gh-comment-id:3094795057 --> @jayteaftw commented on GitHub (Jul 20, 2025): I tested both v.0.6.17 and v0.6.18 before posting but here are the logs for v.0.6.18 ``` Loading WEBUI_SECRET_KEY from file, not provided as an environment variable. Generating WEBUI_SECRET_KEY Loading WEBUI_SECRET_KEY from .webui_secret_key /app/backend/open_webui /app/backend /app INFO [alembic.runtime.migration] Context impl SQLiteImpl. INFO [alembic.runtime.migration] Will assume non-transactional DDL. INFO [alembic.runtime.migration] Running upgrade -> 7e5b5dc7342b, init INFO [alembic.runtime.migration] Running upgrade 7e5b5dc7342b -> ca81bd47c050, Add config table INFO [alembic.runtime.migration] Running upgrade ca81bd47c050 -> c0fbf31ca0db, Update file table INFO [alembic.runtime.migration] Running upgrade c0fbf31ca0db -> 6a39f3d8e55c, Add knowledge table Creating knowledge table Migrating data from document table to knowledge table INFO [alembic.runtime.migration] Running upgrade 6a39f3d8e55c -> 242a2047eae0, Update chat table Converting 'chat' column to JSON Renaming 'chat' column to 'old_chat' Adding new 'chat' column of type JSON Dropping 'old_chat' column INFO [alembic.runtime.migration] Running upgrade 242a2047eae0 -> 1af9b942657b, Migrate tags INFO [alembic.runtime.migration] Running upgrade 1af9b942657b -> 3ab32c4b8f59, Update tags Primary Key: {'name': None, 'constrained_columns': []} Unique Constraints: [{'name': 'uq_id_user_id', 'column_names': ['id', 'user_id']}] Indexes: [{'name': 'tag_id', 'column_names': ['id'], 'unique': 1, 'dialect_options': {}}] Creating new primary key with 'id' and 'user_id'. Dropping unique constraint: uq_id_user_id Dropping unique index: tag_id INFO [alembic.runtime.migration] Running upgrade 3ab32c4b8f59 -> c69f45358db4, Add folder table INFO [alembic.runtime.migration] Running upgrade c69f45358db4 -> c29facfe716b, Update file table path INFO [alembic.runtime.migration] Running upgrade c29facfe716b -> af906e964978, Add feedback table INFO [alembic.runtime.migration] Running upgrade af906e964978 -> 4ace53fd72c8, Update folder table and change DateTime to BigInteger for timestamp fields INFO [alembic.runtime.migration] Running upgrade 4ace53fd72c8 -> 922e7a387820, Add group table INFO [alembic.runtime.migration] Running upgrade 922e7a387820 -> 57c599a3cb57, Add channel table INFO [alembic.runtime.migration] Running upgrade 57c599a3cb57 -> 7826ab40b532, Update file table INFO [alembic.runtime.migration] Running upgrade 7826ab40b532 -> 3781e22d8b01, Update message & channel tables INFO [alembic.runtime.migration] Running upgrade 3781e22d8b01 -> 9f0c9cd09105, Add note table INFO [alembic.runtime.migration] Running upgrade 9f0c9cd09105 -> d31026856c01, Update folder table data WARNI [open_webui.env] WARNING: CORS_ALLOW_ORIGIN IS SET TO '*' - NOT RECOMMENDED FOR PRODUCTION DEPLOYMENTS. INFO [open_webui.env] Embedding model set: sentence-transformers/all-MiniLM-L6-v2 WARNI [langchain_community.utils.user_agent] USER_AGENT environment variable not set, consider setting it to identify your requests. ██████╗ ██████╗ ███████╗███╗ ██╗ ██╗ ██╗███████╗██████╗ ██╗ ██╗██╗ ██╔═══██╗██╔══██╗██╔════╝████╗ ██║ ██║ ██║██╔════╝██╔══██╗██║ ██║██║ ██â���‘ ██║██████╔╝█████╗ ██╔██╗ ██║ ██║ █╗ ██║█████╗ ██████╔╝██║ ██║██║ ██║ ██║██╔═══╝ ██╔══╝ ██║╚██╗██║ ██║███╗██║██╔══╝ ██╔══██╗██║ ██║██║ ╚██████╔╝██║ ███████╗██║ ╚████║ ╚███╔███╔╝███████╗██████╔╝╚██████╔╝██║ ╚═════╝ ╚═╝ ╚══════╝╚═╝ ╚═══╝ ╚══╝╚══╝ ╚══════╝╚═════╝ ╚═════╝ ╚═╝ v0.6.18 - building the best AI user interface. https://github.com/open-webui/open-webui crypto/fips/fips.c:154: OpenSSL internal error: FATAL FIPS SELFTEST FAILURE ```
GiteaMirror commented 2026-04-19 23:32:19 -05:00
Author
Owner
Copy Link

@rgaricano commented on GitHub (Jul 20, 2025):

I was searching about and there some workaround that you can try,

  • be sure that env var GOFIPS=1 is setted (prefererly before install open-webui or pull image ( e.g. add -e GOFIPS=1 to docker line)
  • try uninstallinng cryptogrphy pip uninstall cryptography -y

I would try one and then the other.

Another source of problems with FIPS is when installing Python with FIPS disabled, it may also be necessary to rebuild Docker/package, ensuring that FIPS is enabled.

(sorry but I haven't any FIPS enviroment to try)
(I would appreciate your feedback if you get any results.)

<!-- gh-comment-id:3094849693 --> @rgaricano commented on GitHub (Jul 20, 2025): I was searching about and there some workaround that you can try, - be sure that env var GOFIPS=1 is setted (prefererly before install open-webui or pull image ( e.g. add -`e GOFIPS=1` to docker line) - try uninstallinng cryptogrphy `pip uninstall cryptography -y` I would try one and then the other. Another source of problems with FIPS is when installing Python with FIPS disabled, it may also be necessary to rebuild Docker/package, ensuring that FIPS is enabled. (sorry but I haven't any FIPS enviroment to try) (I would appreciate your feedback if you get any results.)
GiteaMirror commented 2026-04-19 23:32:20 -05:00
Author
Owner
Copy Link

@jayteaftw commented on GitHub (Jul 21, 2025):

GOFIPS=1 did not work.
After uninstalling cryptography, open webui errors out

Found existing installation: cryptography 45.0.5
Uninstalling cryptography-45.0.5:
  Successfully uninstalled cryptography-45.0.5
WARNING: Running pip as the 'root' user can result in broken permissions and conflicting behaviour with the system package manager. It is recommended to use a virtual environment instead: https://pip.pypa.io/warnings/venv
Loading WEBUI_SECRET_KEY from file, not provided as an environment variable.
Generating WEBUI_SECRET_KEY
Loading WEBUI_SECRET_KEY from .webui_secret_key
/app/backend/open_webui
/app/backend
/app
Traceback (most recent call last):
  File "<frozen runpy>", line 198, in _run_module_as_main
  File "<frozen runpy>", line 88, in _run_code
  File "/usr/local/lib/python3.11/site-packages/uvicorn/__main__.py", line 4, in <module>
    uvicorn.main()
  File "/usr/local/lib/python3.11/site-packages/click/core.py", line 1442, in __call__
    return self.main(*args, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.11/site-packages/click/core.py", line 1363, in main
    rv = self.invoke(ctx)
         ^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.11/site-packages/click/core.py", line 1226, in invoke
    return ctx.invoke(self.callback, **ctx.params)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.11/site-packages/click/core.py", line 794, in invoke
    return callback(*args, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.11/site-packages/uvicorn/main.py", line 413, in main
    run(
  File "/usr/local/lib/python3.11/site-packages/uvicorn/main.py", line 580, in run
    server.run()
  File "/usr/local/lib/python3.11/site-packages/uvicorn/server.py", line 67, in run
    return asyncio.run(self.serve(sockets=sockets))
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.11/asyncio/runners.py", line 190, in run
    return runner.run(main)
           ^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.11/asyncio/runners.py", line 118, in run
    return self._loop.run_until_complete(task)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "uvloop/loop.pyx", line 1518, in uvloop.loop.Loop.run_until_complete
  File "/usr/local/lib/python3.11/site-packages/uvicorn/server.py", line 71, in serve
    await self._serve(sockets)
  File "/usr/local/lib/python3.11/site-packages/uvicorn/server.py", line 78, in _serve
    config.load()
  File "/usr/local/lib/python3.11/site-packages/uvicorn/config.py", line 436, in load
    self.loaded_app = import_from_string(self.app)
                      ^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.11/site-packages/uvicorn/importer.py", line 22, in import_from_string
    raise exc from None
  File "/usr/local/lib/python3.11/site-packages/uvicorn/importer.py", line 19, in import_from_string
    module = importlib.import_module(module_str)
             ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.11/importlib/__init__.py", line 126, in import_module
    return _bootstrap._gcd_import(name[level:], package, level)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "<frozen importlib._bootstrap>", line 1204, in _gcd_import
  File "<frozen importlib._bootstrap>", line 1176, in _find_and_load
  File "<frozen importlib._bootstrap>", line 1147, in _find_and_load_unlocked
  File "<frozen importlib._bootstrap>", line 690, in _load_unlocked
  File "<frozen importlib._bootstrap_external>", line 940, in exec_module
  File "<frozen importlib._bootstrap>", line 241, in _call_with_frames_removed
  File "/app/backend/open_webui/main.py", line 57, in <module>
    from open_webui.socket.main import (
  File "/app/backend/open_webui/socket/main.py", line 13, in <module>
    from open_webui.models.channels import Channels
  File "/app/backend/open_webui/models/channels.py", line 7, in <module>
    from open_webui.utils.access_control import has_access
  File "/app/backend/open_webui/utils/access_control.py", line 6, in <module>
    from open_webui.config import DEFAULT_USER_PERMISSIONS
  File "/app/backend/open_webui/config.py", line 16, in <module>
    from authlib.integrations.starlette_client import OAuth
  File "/usr/local/lib/python3.11/site-packages/authlib/integrations/starlette_client/__init__.py", line 3, in <module>
    from ..base_client import BaseOAuth, OAuthError
  File "/usr/local/lib/python3.11/site-packages/authlib/integrations/base_client/__init__.py", line 3, in <module>
    from .sync_openid import OpenIDMixin
  File "/usr/local/lib/python3.11/site-packages/authlib/integrations/base_client/sync_openid.py", line 1, in <module>
    from authlib.jose import jwt, JsonWebToken, JsonWebKey
  File "/usr/local/lib/python3.11/site-packages/authlib/jose/__init__.py", line 14, in <module>
    from .rfc7517 import Key, KeySet, JsonWebKey
  File "/usr/local/lib/python3.11/site-packages/authlib/jose/rfc7517/__init__.py", line 10, in <module>
    from ._cryptography_key import load_pem_key
  File "/usr/local/lib/python3.11/site-packages/authlib/jose/rfc7517/_cryptography_key.py", line 1, in <module>
    from cryptography.x509 import load_pem_x509_certificate
ModuleNotFoundError: No module named 'cryptography'

I also tried uninstall and reinstalling on the FIPS enabled system and it did not work.

command: ["bash", "-c"]
      args:
        - "pip uninstall cryptography -y &&  pip install --no-cache-dir cryptography && bash start.sh"

Found existing installation: cryptography 45.0.5
Uninstalling cryptography-45.0.5:
  Successfully uninstalled cryptography-45.0.5
WARNING: Running pip as the 'root' user can result in broken permissions and conflicting behaviour with the system package manager. It is recommended to use a virtual environment instead: https://pip.pypa.io/warnings/venv
Collecting cryptography
  Downloading cryptography-45.0.5-cp311-abi3-manylinux_2_34_x86_64.whl.metadata (5.7 kB)
Requirement already satisfied: cffi>=1.14 in /usr/local/lib/python3.11/site-packages (from cryptography) (1.17.1)
Requirement already satisfied: pycparser in /usr/local/lib/python3.11/site-packages (from cffi>=1.14->cryptography) (2.22)
Downloading cryptography-45.0.5-cp311-abi3-manylinux_2_34_x86_64.whl (4.5 MB)
[?25l   ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 0.0/4.5 MB ? eta -:--:--
   ━━╸━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 0.3/4.5 MB 8.7 MB/s eta 0:00:01
   ━━━━━━╺━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 0.7/4.5 MB 10.4 MB/s eta 0:00:01
   ━━━━━━━━━━╺━━━━━━━━━━━━━━â���â”â”â”â”â”â”â”â”â”â”â”â”â”â” 1.1/4.5 MB 10.9 MB/s eta 0:00:01
   ━━━━━━━━━━━━━╸━━━━━━━━━━━━━━━━━━━━━━━━━━ 1.5/4.5 MB 11.2 MB/s eta 0:00:01
   ━━━━━━━━━━━━━━━━━╺━━━━━━━━━━━━━━━━━━━━━━ 1.9/4.5 MB 11.3 MB/s eta 0:00:01
   ━━━━━━━━━━━━━━━━━━━━━╺━━━━━━━━━━━━━━━━━━ 2.3/4.5 MB 11.4 MB/s eta 0:00:01
   ━━━━━━━━━━━━━━━━━━━━━━━━╸━━━━━━━━━━━━━━━ 2.7/4.5 MB 11.4 MB/s eta 0:00:01
   ━━━━━━━━━━━━━━━━━━━━━━━━━━━━╺━━━━━━━━━━━ 3.2/4.5 MB 11.5 MB/s eta 0:00:01
   ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━╺━━━━━━━ 3.6/4.5 MB 11.6 MB/s eta 0:00:01
   ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━╸━━━━ 4.0/4.5 MB 11.6 MB/s eta 0:00:01
   ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━╸ 4.4/4.5 MB 11.7 MB/s eta 0:00:01
   ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 4.5/4.5 MB 11.6 MB/s eta 0:00:00
[?25hInstalling collected packages: cryptography
Successfully installed cryptography-45.0.5
WARNING: Running pip as the 'root' user can result in broken permissions and conflicting behaviour with the system package manager. It is recommended to use a virtual environment instead: https://pip.pypa.io/warnings/venv

[notice] A new release of pip is available: 24.0 -> 25.1.1
[notice] To update, run: pip install --upgrade pip
Loading WEBUI_SECRET_KEY from file, not provided as an environment variable.
Generating WEBUI_SECRET_KEY
Loading WEBUI_SECRET_KEY from .webui_secret_key
/app/backend/open_webui
/app/backend
/app
INFO  [alembic.runtime.migration] Context impl SQLiteImpl.
INFO  [alembic.runtime.migration] Will assume non-transactional DDL.
INFO  [alembic.runtime.migration] Running upgrade  -> 7e5b5dc7342b, init
INFO  [alembic.runtime.migration] Running upgrade 7e5b5dc7342b -> ca81bd47c050, Add config table
INFO  [alembic.runtime.migration] Running upgrade ca81bd47c050 -> c0fbf31ca0db, Update file table
INFO  [alembic.runtime.migration] Running upgrade c0fbf31ca0db -> 6a39f3d8e55c, Add knowledge table
Creating knowledge table
Migrating data from document table to knowledge table
INFO  [alembic.runtime.migration] Running upgrade 6a39f3d8e55c -> 242a2047eae0, Update chat table
Converting 'chat' column to JSON
Renaming 'chat' column to 'old_chat'
Adding new 'chat' column of type JSON
Dropping 'old_chat' column
INFO  [alembic.runtime.migration] Running upgrade 242a2047eae0 -> 1af9b942657b, Migrate tags
INFO  [alembic.runtime.migration] Running upgrade 1af9b942657b -> 3ab32c4b8f59, Update tags
Primary Key: {'name': None, 'constrained_columns': []}
Unique Constraints: [{'name': 'uq_id_user_id', 'column_names': ['id', 'user_id']}]
Indexes: [{'name': 'tag_id', 'column_names': ['id'], 'unique': 1, 'dialect_options': {}}]
Creating new primary key with 'id' and 'user_id'.
Dropping unique constraint: uq_id_user_id
Dropping unique index: tag_id
INFO  [alembic.runtime.migration] Running upgrade 3ab32c4b8f59 -> c69f45358db4, Add folder table
INFO  [alembic.runtime.migration] Running upgrade c69f45358db4 -> c29facfe716b, Update file table path
INFO  [alembic.runtime.migration] Running upgrade c29facfe716b -> af906e964978, Add feedback table
INFO  [alembic.runtime.migration] Running upgrade af906e964978 -> 4ace53fd72c8, Update folder table and change DateTime to BigInteger for timestamp fields
INFO  [alembic.runtime.migration] Running upgrade 4ace53fd72c8 -> 922e7a387820, Add group table
INFO  [alembic.runtime.migration] Running upgrade 922e7a387820 -> 57c599a3cb57, Add channel table
INFO  [alembic.runtime.migration] Running upgrade 57c599a3cb57 -> 7826ab40b532, Update file table
INFO  [alembic.runtime.migration] Running upgrade 7826ab40b532 -> 3781e22d8b01, Update message & channel tables
INFO  [alembic.runtime.migration] Running upgrade 3781e22d8b01 -> 9f0c9cd09105, Add note table
INFO  [alembic.runtime.migration] Running upgrade 9f0c9cd09105 -> d31026856c01, Update folder table data
WARNI [open_webui.env] 

WARNING: CORS_ALLOW_ORIGIN IS SET TO '*' - NOT RECOMMENDED FOR PRODUCTION DEPLOYMENTS.

INFO  [open_webui.env] Embedding model set: sentence-transformers/all-MiniLM-L6-v2
WARNI [langchain_community.utils.user_agent] USER_AGENT environment variable not set, consider setting it to identify your requests.

 ██████╗ ██████╗ ███████╗███╗   ██╗    ██╗    ██╗███████╗██████╗ ██╗   ██╗██╗
██╔═══██╗██╔══██╗██╔════╝████╗  ██║    ██║    ██║██╔════╝██╔══██╗██║   ██║██║
██║   ██║██████╔╝█████╗  ██╔██╗ ██║    ██║ █╗ ██║█████╗  ██████╔╝██║   ██║██║
██║   ██║██╔═══╝ ██╔══╝  ██║╚██╗██║    ██║███╗██║██╔══╝  ██╔══██╗██║   ██║██║
╚██████╔╝██║     ███████╗██║ ╚████║    ╚███╔███╔╝███████╗██████╔╝╚██████╔╝██║
 ╚═════╝ ╚═╝     ╚══════╝╚═╝  ╚═══╝     ╚══╝╚══╝ ╚══════╝╚═════╝  ╚═════╝ ╚═╝


v0.6.18 - building the best AI user interface.

https://github.com/open-webui/open-webui

crypto/fips/fips.c:154: OpenSSL internal error: FATAL FIPS SELFTEST FAILURE
<!-- gh-comment-id:3095414495 --> @jayteaftw commented on GitHub (Jul 21, 2025): GOFIPS=1 did not work. After uninstalling cryptography, open webui errors out ``` Found existing installation: cryptography 45.0.5 Uninstalling cryptography-45.0.5: Successfully uninstalled cryptography-45.0.5 WARNING: Running pip as the 'root' user can result in broken permissions and conflicting behaviour with the system package manager. It is recommended to use a virtual environment instead: https://pip.pypa.io/warnings/venv Loading WEBUI_SECRET_KEY from file, not provided as an environment variable. Generating WEBUI_SECRET_KEY Loading WEBUI_SECRET_KEY from .webui_secret_key /app/backend/open_webui /app/backend /app Traceback (most recent call last): File "<frozen runpy>", line 198, in _run_module_as_main File "<frozen runpy>", line 88, in _run_code File "/usr/local/lib/python3.11/site-packages/uvicorn/__main__.py", line 4, in <module> uvicorn.main() File "/usr/local/lib/python3.11/site-packages/click/core.py", line 1442, in __call__ return self.main(*args, **kwargs) ^^^^^^^^^^^^^^^^^^^^^^^^^^ File "/usr/local/lib/python3.11/site-packages/click/core.py", line 1363, in main rv = self.invoke(ctx) ^^^^^^^^^^^^^^^^ File "/usr/local/lib/python3.11/site-packages/click/core.py", line 1226, in invoke return ctx.invoke(self.callback, **ctx.params) ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ File "/usr/local/lib/python3.11/site-packages/click/core.py", line 794, in invoke return callback(*args, **kwargs) ^^^^^^^^^^^^^^^^^^^^^^^^^ File "/usr/local/lib/python3.11/site-packages/uvicorn/main.py", line 413, in main run( File "/usr/local/lib/python3.11/site-packages/uvicorn/main.py", line 580, in run server.run() File "/usr/local/lib/python3.11/site-packages/uvicorn/server.py", line 67, in run return asyncio.run(self.serve(sockets=sockets)) ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ File "/usr/local/lib/python3.11/asyncio/runners.py", line 190, in run return runner.run(main) ^^^^^^^^^^^^^^^^ File "/usr/local/lib/python3.11/asyncio/runners.py", line 118, in run return self._loop.run_until_complete(task) ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ File "uvloop/loop.pyx", line 1518, in uvloop.loop.Loop.run_until_complete File "/usr/local/lib/python3.11/site-packages/uvicorn/server.py", line 71, in serve await self._serve(sockets) File "/usr/local/lib/python3.11/site-packages/uvicorn/server.py", line 78, in _serve config.load() File "/usr/local/lib/python3.11/site-packages/uvicorn/config.py", line 436, in load self.loaded_app = import_from_string(self.app) ^^^^^^^^^^^^^^^^^^^^^^^^^^^^ File "/usr/local/lib/python3.11/site-packages/uvicorn/importer.py", line 22, in import_from_string raise exc from None File "/usr/local/lib/python3.11/site-packages/uvicorn/importer.py", line 19, in import_from_string module = importlib.import_module(module_str) ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ File "/usr/local/lib/python3.11/importlib/__init__.py", line 126, in import_module return _bootstrap._gcd_import(name[level:], package, level) ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ File "<frozen importlib._bootstrap>", line 1204, in _gcd_import File "<frozen importlib._bootstrap>", line 1176, in _find_and_load File "<frozen importlib._bootstrap>", line 1147, in _find_and_load_unlocked File "<frozen importlib._bootstrap>", line 690, in _load_unlocked File "<frozen importlib._bootstrap_external>", line 940, in exec_module File "<frozen importlib._bootstrap>", line 241, in _call_with_frames_removed File "/app/backend/open_webui/main.py", line 57, in <module> from open_webui.socket.main import ( File "/app/backend/open_webui/socket/main.py", line 13, in <module> from open_webui.models.channels import Channels File "/app/backend/open_webui/models/channels.py", line 7, in <module> from open_webui.utils.access_control import has_access File "/app/backend/open_webui/utils/access_control.py", line 6, in <module> from open_webui.config import DEFAULT_USER_PERMISSIONS File "/app/backend/open_webui/config.py", line 16, in <module> from authlib.integrations.starlette_client import OAuth File "/usr/local/lib/python3.11/site-packages/authlib/integrations/starlette_client/__init__.py", line 3, in <module> from ..base_client import BaseOAuth, OAuthError File "/usr/local/lib/python3.11/site-packages/authlib/integrations/base_client/__init__.py", line 3, in <module> from .sync_openid import OpenIDMixin File "/usr/local/lib/python3.11/site-packages/authlib/integrations/base_client/sync_openid.py", line 1, in <module> from authlib.jose import jwt, JsonWebToken, JsonWebKey File "/usr/local/lib/python3.11/site-packages/authlib/jose/__init__.py", line 14, in <module> from .rfc7517 import Key, KeySet, JsonWebKey File "/usr/local/lib/python3.11/site-packages/authlib/jose/rfc7517/__init__.py", line 10, in <module> from ._cryptography_key import load_pem_key File "/usr/local/lib/python3.11/site-packages/authlib/jose/rfc7517/_cryptography_key.py", line 1, in <module> from cryptography.x509 import load_pem_x509_certificate ModuleNotFoundError: No module named 'cryptography' ``` I also tried uninstall and reinstalling on the FIPS enabled system and it did not work. ``` command: ["bash", "-c"] args: - "pip uninstall cryptography -y && pip install --no-cache-dir cryptography && bash start.sh" ``` ``` Found existing installation: cryptography 45.0.5 Uninstalling cryptography-45.0.5: Successfully uninstalled cryptography-45.0.5 WARNING: Running pip as the 'root' user can result in broken permissions and conflicting behaviour with the system package manager. It is recommended to use a virtual environment instead: https://pip.pypa.io/warnings/venv Collecting cryptography Downloading cryptography-45.0.5-cp311-abi3-manylinux_2_34_x86_64.whl.metadata (5.7 kB) Requirement already satisfied: cffi>=1.14 in /usr/local/lib/python3.11/site-packages (from cryptography) (1.17.1) Requirement already satisfied: pycparser in /usr/local/lib/python3.11/site-packages (from cffi>=1.14->cryptography) (2.22) Downloading cryptography-45.0.5-cp311-abi3-manylinux_2_34_x86_64.whl (4.5 MB) [?25l ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 0.0/4.5 MB ? eta -:--:--  ━━╸━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 0.3/4.5 MB 8.7 MB/s eta 0:00:01  ━━━━━━╺━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 0.7/4.5 MB 10.4 MB/s eta 0:00:01  ━━━━━━━━━━╺━━━━━━━━━━━━━━â���â”â”â”â”â”â”â”â”â”â”â”â”â”â” 1.1/4.5 MB 10.9 MB/s eta 0:00:01  ━━━━━━━━━━━━━╸━━━━━━━━━━━━━━━━━━━━━━━━━━ 1.5/4.5 MB 11.2 MB/s eta 0:00:01  ━━━━━━━━━━━━━━━━━╺━━━━━━━━━━━━━━━━━━━━━━ 1.9/4.5 MB 11.3 MB/s eta 0:00:01  ━━━━━━━━━━━━━━━━━━━━━╺━━━━━━━━━━━━━━━━━━ 2.3/4.5 MB 11.4 MB/s eta 0:00:01  ━━━━━━━━━━━━━━━━━━━━━━━━╸━━━━━━━━━━━━━━━ 2.7/4.5 MB 11.4 MB/s eta 0:00:01  ━━━━━━━━━━━━━━━━━━━━━━━━━━━━╺━━━━━━━━━━━ 3.2/4.5 MB 11.5 MB/s eta 0:00:01  ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━╺━━━━━━━ 3.6/4.5 MB 11.6 MB/s eta 0:00:01  ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━╸━━━━ 4.0/4.5 MB 11.6 MB/s eta 0:00:01  ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━╸ 4.4/4.5 MB 11.7 MB/s eta 0:00:01  ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 4.5/4.5 MB 11.6 MB/s eta 0:00:00 [?25hInstalling collected packages: cryptography Successfully installed cryptography-45.0.5 WARNING: Running pip as the 'root' user can result in broken permissions and conflicting behaviour with the system package manager. It is recommended to use a virtual environment instead: https://pip.pypa.io/warnings/venv  [notice] A new release of pip is available: 24.0 -> 25.1.1 [notice] To update, run: pip install --upgrade pip Loading WEBUI_SECRET_KEY from file, not provided as an environment variable. Generating WEBUI_SECRET_KEY Loading WEBUI_SECRET_KEY from .webui_secret_key /app/backend/open_webui /app/backend /app INFO [alembic.runtime.migration] Context impl SQLiteImpl. INFO [alembic.runtime.migration] Will assume non-transactional DDL. INFO [alembic.runtime.migration] Running upgrade -> 7e5b5dc7342b, init INFO [alembic.runtime.migration] Running upgrade 7e5b5dc7342b -> ca81bd47c050, Add config table INFO [alembic.runtime.migration] Running upgrade ca81bd47c050 -> c0fbf31ca0db, Update file table INFO [alembic.runtime.migration] Running upgrade c0fbf31ca0db -> 6a39f3d8e55c, Add knowledge table Creating knowledge table Migrating data from document table to knowledge table INFO [alembic.runtime.migration] Running upgrade 6a39f3d8e55c -> 242a2047eae0, Update chat table Converting 'chat' column to JSON Renaming 'chat' column to 'old_chat' Adding new 'chat' column of type JSON Dropping 'old_chat' column INFO [alembic.runtime.migration] Running upgrade 242a2047eae0 -> 1af9b942657b, Migrate tags INFO [alembic.runtime.migration] Running upgrade 1af9b942657b -> 3ab32c4b8f59, Update tags Primary Key: {'name': None, 'constrained_columns': []} Unique Constraints: [{'name': 'uq_id_user_id', 'column_names': ['id', 'user_id']}] Indexes: [{'name': 'tag_id', 'column_names': ['id'], 'unique': 1, 'dialect_options': {}}] Creating new primary key with 'id' and 'user_id'. Dropping unique constraint: uq_id_user_id Dropping unique index: tag_id INFO [alembic.runtime.migration] Running upgrade 3ab32c4b8f59 -> c69f45358db4, Add folder table INFO [alembic.runtime.migration] Running upgrade c69f45358db4 -> c29facfe716b, Update file table path INFO [alembic.runtime.migration] Running upgrade c29facfe716b -> af906e964978, Add feedback table INFO [alembic.runtime.migration] Running upgrade af906e964978 -> 4ace53fd72c8, Update folder table and change DateTime to BigInteger for timestamp fields INFO [alembic.runtime.migration] Running upgrade 4ace53fd72c8 -> 922e7a387820, Add group table INFO [alembic.runtime.migration] Running upgrade 922e7a387820 -> 57c599a3cb57, Add channel table INFO [alembic.runtime.migration] Running upgrade 57c599a3cb57 -> 7826ab40b532, Update file table INFO [alembic.runtime.migration] Running upgrade 7826ab40b532 -> 3781e22d8b01, Update message & channel tables INFO [alembic.runtime.migration] Running upgrade 3781e22d8b01 -> 9f0c9cd09105, Add note table INFO [alembic.runtime.migration] Running upgrade 9f0c9cd09105 -> d31026856c01, Update folder table data WARNI [open_webui.env] WARNING: CORS_ALLOW_ORIGIN IS SET TO '*' - NOT RECOMMENDED FOR PRODUCTION DEPLOYMENTS. INFO [open_webui.env] Embedding model set: sentence-transformers/all-MiniLM-L6-v2 WARNI [langchain_community.utils.user_agent] USER_AGENT environment variable not set, consider setting it to identify your requests. ██████╗ ██████╗ ███████╗███╗ ██╗ ██╗ ██╗███████╗██████╗ ██╗ ██╗██╗ ██╔═══██╗██╔══██╗██╔════╝████╗ ██║ ██║ ██║██╔════╝██╔══██╗██║ ██║██║ ██║ ██║██████╔╝█████╗ ██╔██╗ ██║ ██║ █╗ ██║█████╗ ██████╔╝██║ ██║██║ ██║ ██║██╔═══╝ ██╔══╝ ██║╚██╗██║ ██║███╗██║██╔══╝ ██╔══██╗██║ ██║██║ ╚██████╔╝██║ ███████╗██║ ╚████║ ╚███╔███╔╝███████╗██████╔╝╚██████╔╝██║ ╚═════╝ ╚═╝ ╚══════╝╚═╝ ╚═══╝ ╚══╝╚══╝ ╚══════╝╚═════╝ ╚═════╝ ╚═╝ v0.6.18 - building the best AI user interface. https://github.com/open-webui/open-webui crypto/fips/fips.c:154: OpenSSL internal error: FATAL FIPS SELFTEST FAILURE ```
GiteaMirror commented 2026-04-19 23:32:21 -05:00
Author
Owner
Copy Link

@rgaricano commented on GitHub (Jul 21, 2025):

thanks for test,
could you do another try, just to be sure: pip install -U cryptography[fips] and try

If not work probably the best solution could be make a specific build similar to:
(but I think that this don't to be necessary as it was working fine before)

name: Build with FIPS

on: [push]

jobs:
  build-with-fips:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      
      # Install OpenSSL in FIPS mode
      - name: Setup OpenSSL FIPS
        run: |
          apt-get update && apt-get install -y libssl-dev
          
          # Download and compile OpenSSL with FIPS support
          wget https://www.openssl.org/source/openssl-3.0.8.tar.gz
          tar xzf openssl-3.0.8.tar.gz
          cd openssl-3.0.8
          ./Configure --with-fips enable-ssl3-method fips shared linux-x86_64
          make && sudo make install
      
      # Install cryptography with FIPS support
      - name: Setup Python and Cryptography
        run: |
          python3 -m venv venv
          source venv/bin/activate
          pip install --upgrade pip
          pip install --no-cache-dir cryptography[fips]
          
      # Your build steps here
      - name: Build your application
        env:
          OPENSSL_CONF: /usr/local/etc/openssl/openssl.cnf
        run: |
          source venv/bin/activate
          python setup.py bdist_wheel || exit 0
<!-- gh-comment-id:3095638948 --> @rgaricano commented on GitHub (Jul 21, 2025): thanks for test, could you do another try, just to be sure: `pip install -U cryptography[fips]` and try If not work probably the best solution could be make a specific build similar to: (but I think that this don't to be necessary as it was working fine before) ``` name: Build with FIPS on: [push] jobs: build-with-fips: runs-on: ubuntu-latest steps: - uses: actions/checkout@v2 # Install OpenSSL in FIPS mode - name: Setup OpenSSL FIPS run: | apt-get update && apt-get install -y libssl-dev # Download and compile OpenSSL with FIPS support wget https://www.openssl.org/source/openssl-3.0.8.tar.gz tar xzf openssl-3.0.8.tar.gz cd openssl-3.0.8 ./Configure --with-fips enable-ssl3-method fips shared linux-x86_64 make && sudo make install # Install cryptography with FIPS support - name: Setup Python and Cryptography run: | python3 -m venv venv source venv/bin/activate pip install --upgrade pip pip install --no-cache-dir cryptography[fips] # Your build steps here - name: Build your application env: OPENSSL_CONF: /usr/local/etc/openssl/openssl.cnf run: | source venv/bin/activate python setup.py bdist_wheel || exit 0 ```
GiteaMirror commented 2026-04-19 23:32:21 -05:00
Author
Owner
Copy Link

@rgaricano commented on GitHub (Jul 21, 2025):

Maybe we can continue that discussion in FIPS Compatibility?

<!-- gh-comment-id:3095653374 --> @rgaricano commented on GitHub (Jul 21, 2025): Maybe we can continue that discussion in [FIPS Compatibility](https://github.com/open-webui/open-webui/discussions/15720)?
GiteaMirror commented 2026-04-19 23:32:22 -05:00
Author
Owner
Copy Link

@jayteaftw commented on GitHub (Jul 23, 2025):

thanks for test, could you do another try, just to be sure: pip install -U cryptography[fips] and try

If not work probably the best solution could be make a specific build similar to: (but I think that this don't to be necessary as it was working fine before)

name: Build with FIPS

on: [push]

jobs:
  build-with-fips:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      
      # Install OpenSSL in FIPS mode
      - name: Setup OpenSSL FIPS
        run: |
          apt-get update && apt-get install -y libssl-dev
          
          # Download and compile OpenSSL with FIPS support
          wget https://www.openssl.org/source/openssl-3.0.8.tar.gz
          tar xzf openssl-3.0.8.tar.gz
          cd openssl-3.0.8
          ./Configure --with-fips enable-ssl3-method fips shared linux-x86_64
          make && sudo make install
      
      # Install cryptography with FIPS support
      - name: Setup Python and Cryptography
        run: |
          python3 -m venv venv
          source venv/bin/activate
          pip install --upgrade pip
          pip install --no-cache-dir cryptography[fips]
          
      # Your build steps here
      - name: Build your application
        env:
          OPENSSL_CONF: /usr/local/etc/openssl/openssl.cnf
        run: |
          source venv/bin/activate
          python setup.py bdist_wheel || exit 0

I tried the pip install -U cryptography[fips] and it did not work but I think that is because crypto package does not have a fips tag. Also tried building a docker image with the requirement.txt file and it fails when import torchaudio

FROM python:3.11-slim-bookworm
COPY --from=ghcr.io/astral-sh/uv:latest /uv /uvx /bin/

RUN apt-get update && apt-get install -y \
    perl \
    build-essential \
    sudo \
    zlib1g-dev \
    libssl-dev \
    wget \
    && rm -rf /var/lib/apt/lists/*

RUN wget https://www.openssl.org/source/openssl-3.0.8.tar.gz
RUN tar xzf openssl-3.0.8.tar.gz
RUN cd openssl-3.0.8 && \
    ./Configure enable-fips shared linux-x86_64 && \
    make && sudo make install

RUN pip install --upgrade pip && \
    pip install --no-cache-dir cryptography[fips]

ENV OPENSSL_CONF=/usr/local/etc/openssl/openssl.cnf

RUN uv pip install --system torch torchvision torchaudio --index-url https://download.pytorch.org/whl/cpu 

RUN uv pip install --system faster-whisper
<!-- gh-comment-id:3105283288 --> @jayteaftw commented on GitHub (Jul 23, 2025): > thanks for test, could you do another try, just to be sure: `pip install -U cryptography[fips]` and try > > If not work probably the best solution could be make a specific build similar to: (but I think that this don't to be necessary as it was working fine before) > > ``` > name: Build with FIPS > > on: [push] > > jobs: > build-with-fips: > runs-on: ubuntu-latest > steps: > - uses: actions/checkout@v2 > > # Install OpenSSL in FIPS mode > - name: Setup OpenSSL FIPS > run: | > apt-get update && apt-get install -y libssl-dev > > # Download and compile OpenSSL with FIPS support > wget https://www.openssl.org/source/openssl-3.0.8.tar.gz > tar xzf openssl-3.0.8.tar.gz > cd openssl-3.0.8 > ./Configure --with-fips enable-ssl3-method fips shared linux-x86_64 > make && sudo make install > > # Install cryptography with FIPS support > - name: Setup Python and Cryptography > run: | > python3 -m venv venv > source venv/bin/activate > pip install --upgrade pip > pip install --no-cache-dir cryptography[fips] > > # Your build steps here > - name: Build your application > env: > OPENSSL_CONF: /usr/local/etc/openssl/openssl.cnf > run: | > source venv/bin/activate > python setup.py bdist_wheel || exit 0 > ``` I tried the pip install -U cryptography[fips] and it did not work but I think that is because crypto package does not have a fips tag. Also tried building a docker image with the requirement.txt file and it fails when import torchaudio ``` FROM python:3.11-slim-bookworm COPY --from=ghcr.io/astral-sh/uv:latest /uv /uvx /bin/ RUN apt-get update && apt-get install -y \ perl \ build-essential \ sudo \ zlib1g-dev \ libssl-dev \ wget \ && rm -rf /var/lib/apt/lists/* RUN wget https://www.openssl.org/source/openssl-3.0.8.tar.gz RUN tar xzf openssl-3.0.8.tar.gz RUN cd openssl-3.0.8 && \ ./Configure enable-fips shared linux-x86_64 && \ make && sudo make install RUN pip install --upgrade pip && \ pip install --no-cache-dir cryptography[fips] ENV OPENSSL_CONF=/usr/local/etc/openssl/openssl.cnf RUN uv pip install --system torch torchvision torchaudio --index-url https://download.pytorch.org/whl/cpu RUN uv pip install --system faster-whisper ```
GiteaMirror commented 2026-04-19 23:32:23 -05:00
Author
Owner
Copy Link

@icsy7867 commented on GitHub (Jul 24, 2025):

Came here searching for versions...

Though I would like to add that something else is amiss...

I see you are using openshift, which means you are using RHEL? Or some flavor of RHEL?

I dont know what check Open-WebUI is doing, but redhat actually handles most FIPS things in the kernel of the host.

And what do containers share with their host? Yep... the kernel... so if FIPS is enabled on the host and OPENSSL_FORCE_FIPS_MODE=0 lets open-webui run, then I am not sure what that is really doing... Your system/container will still be in FIPS mode, and the kernel should enforce the FIPS 140-2 or 140-3 requirements for the most part.

All this to say, it seems like something wonky is going on here...

However on my k8s cluster running on RHEL9, this does not fix it.

Okay I have added OPENSSL_FORCE_FIPS_MODE=0, and open webui successfully started. However this means FIPS has been disabled which is not a working solution

<!-- gh-comment-id:3111568578 --> @icsy7867 commented on GitHub (Jul 24, 2025): Came here searching for versions... Though I would like to add that something else is amiss... I see you are using openshift, which means you are using RHEL? Or some flavor of RHEL? I dont know what check Open-WebUI is doing, but redhat actually handles most FIPS things in the kernel of the host. And what do containers share with their host? Yep... the kernel... so if FIPS is enabled on the host and OPENSSL_FORCE_FIPS_MODE=0 lets open-webui run, then I am not sure what that is really doing... Your system/container will still be in FIPS mode, and the kernel should enforce the FIPS 140-2 or 140-3 requirements for the most part. All this to say, it seems like something wonky is going on here... However on my k8s cluster running on RHEL9, this does not fix it. > Okay I have added OPENSSL_FORCE_FIPS_MODE=0, and open webui successfully started. However this means FIPS has been disabled which is not a working solution
GiteaMirror commented 2026-04-19 23:32:24 -05:00
Author
Owner
Copy Link

@jayteaftw commented on GitHub (Jul 24, 2025):

Came here searching for versions...

Though I would like to add that something else is amiss...

I see you are using openshift, which means you are using RHEL? Or some flavor of RHEL?

I dont know what check Open-WebUI is doing, but redhat actually handles most FIPS things in the kernel of the host.

And what do containers share with their host? Yep... the kernel... so if FIPS is enabled on the host and OPENSSL_FORCE_FIPS_MODE=0 lets open-webui run, then I am not sure what that is really doing... Your system/container will still be in FIPS mode, and the kernel should enforce the FIPS 140-2 or 140-3 requirements for the most part.

All this to say, it seems like something wonky is going on here...

However on my k8s cluster running on RHEL9, this does not fix it.

Okay I have added OPENSSL_FORCE_FIPS_MODE=0, and open webui successfully started. However this means FIPS has been disabled which is not a working solution

Hey I retested what I claimed and could not get the container to start with OPENSSL_FORCE_FIPS_MODE=0 with versions v0.6.16,17,18. This would make sense since FIPs is kernel level and would not make sense if a pod could simply disable FIPS. However whats interesting is

  1. when I build v0.6.15 on my local machine without FIPS, push it a registry and try to run it in a FIPS environment, it fails to run (which is strange since when v0.6.15 is pulled directly from github it works)
  2. When I try to build v0.6.15 on a FIPS enabled system, i also get the Fatal FIPS error when building.

The latter seems possible but I dont understand the former.

<!-- gh-comment-id:3113907906 --> @jayteaftw commented on GitHub (Jul 24, 2025): > Came here searching for versions... > > Though I would like to add that something else is amiss... > > I see you are using openshift, which means you are using RHEL? Or some flavor of RHEL? > > I dont know what check Open-WebUI is doing, but redhat actually handles most FIPS things in the kernel of the host. > > And what do containers share with their host? Yep... the kernel... so if FIPS is enabled on the host and OPENSSL_FORCE_FIPS_MODE=0 lets open-webui run, then I am not sure what that is really doing... Your system/container will still be in FIPS mode, and the kernel should enforce the FIPS 140-2 or 140-3 requirements for the most part. > > All this to say, it seems like something wonky is going on here... > > However on my k8s cluster running on RHEL9, this does not fix it. > > > Okay I have added OPENSSL_FORCE_FIPS_MODE=0, and open webui successfully started. However this means FIPS has been disabled which is not a working solution Hey I retested what I claimed and could not get the container to start with OPENSSL_FORCE_FIPS_MODE=0 with versions v0.6.16,17,18. This would make sense since FIPs is kernel level and would not make sense if a pod could simply disable FIPS. However whats interesting is 1) when I build v0.6.15 on my local machine without FIPS, push it a registry and try to run it in a FIPS environment, it fails to run (which is strange since when v0.6.15 is pulled directly from github it works) 2) When I try to build v0.6.15 on a FIPS enabled system, i also get the Fatal FIPS error when building. The latter seems possible but I dont understand the former.
GiteaMirror commented 2026-04-19 23:32:25 -05:00
Author
Owner
Copy Link

@smithmh6 commented on GitHub (Aug 1, 2025):

I ran into this same issue, and it has nothing to do with sentence_transformers. I narrowed it down to PyAV, which is being installed by torchvision and torchaudio. PyAV relies on ffmpeg, which is non-FIPS compliant when installed by apt-get and linked to non-FIPS headers.

<!-- gh-comment-id:3145539644 --> @smithmh6 commented on GitHub (Aug 1, 2025): I ran into this same issue, and it has nothing to do with sentence_transformers. I narrowed it down to PyAV, which is being installed by torchvision and torchaudio. PyAV relies on ffmpeg, which is non-FIPS compliant when installed by apt-get and linked to non-FIPS headers.
GiteaMirror commented 2026-04-19 23:32:25 -05:00
Author
Owner
Copy Link

@jayteaftw commented on GitHub (Aug 11, 2025):

Tested v0.6.19 on a FIPS system and it seems to be working!

<!-- gh-comment-id:3175520247 --> @jayteaftw commented on GitHub (Aug 11, 2025): Tested v0.6.19 on a FIPS system and it seems to be working!
Sign in to join this conversation.
No Branch/Tag Specified
Branches Tags
Labels
Clear labels
bug
confirmed
confirmed issue
core
documentation
enhancement
good first issue
help wanted
non-core
pull-request
Mirrored from GitHub Pull Request
 python
question
testing wanted
No Label bug
Milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
GiteaMirror ninjasurge
No Assignees
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: github-starred/open-webui#17705
Delete Branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?