[GH-ISSUE #21293] issue: OpenAI embeddings ignore AIOHTTP_CLIENT_SESSION_SSL=false (SSL verification always enforced) #19433

New Issue

GiteaMirror · 2026-04-20T01:53:09-05:00

GiteaMirror commented

2026-04-20 01:53:09 -05:00

Originally created by @Odko on GitHub (Feb 10, 2026).
Original GitHub issue: https://github.com/open-webui/open-webui/issues/21293

Check Existing Issues

I have searched for any existing and/or related issues.
I have searched for any existing and/or related discussions.
I have also searched in the CLOSED issues AND CLOSED discussions and found no related items (your issue might already be addressed on the development branch!).
I am using the latest version of Open WebUI.

Installation Method

Docker

Open WebUI Version

0.7.2

Ollama Version (if applicable)

No response

Operating System

Linux

Browser (if applicable)

No response

Confirmation

I have read and followed all instructions in README.md.
I am using the latest version of both Open WebUI and Ollama.
I have included the browser console logs.
I have included the Docker container logs.
I have provided every relevant configuration, setting, and environment variable used in my setup.
I have clearly listed every relevant configuration, custom setting, environment variable, and command-line option that influences my setup (such as Docker Compose overrides, .env values, browser settings, authentication configurations, etc).
I have documented step-by-step reproduction instructions that are precise, sequential, and leave nothing to interpretation. My steps:
Start with the initial platform/version/OS and dependencies used,
Specify exact install/launch/configure commands,
List URLs visited, user input (incl. example values/emails/passwords if needed),
Describe all options and toggles enabled or changed,
Include any files or environmental changes,
Identify the expected and actual result at each stage,
Ensure any reasonably skilled user can follow and hit the same issue.

Expected Behavior

When AIOHTTP_CLIENT_SESSION_SSL is set to false, all aiohttp-based connections from Open WebUI --- including OpenAI-compatible embedding requests --- should skip SSL certificate verification. This is the documented behavior and works correctly for model listing, chat completions (in routers/openai.py), and Ollama embeddings (in retrieval/utils.py).

Actual Behavior

OpenAI and Azure OpenAI embedding requests always enforce SSL certificate verification regardless of the AIOHTTP_CLIENT_SESSION_SSL setting. The ssl=AIOHTTP_CLIENT_SESSION_SSL parameter is missing from the session.post() calls in agenerate_openai_batch_embeddings and agenerate_azure_openai_batch_embeddings in backend/open_webui/retrieval/utils.py.

Model listing and chat completions to the same HTTPS endpoint work fine because routers/openai.py correctly passes ssl=AIOHTTP_CLIENT_SESSION_SSL. Only the embedding code path fails.

This was partially addressed in #12906, which added the ssl parameter to routers/openai.py, but the same fix was not applied to the embedding functions in retrieval/utils.py.

Steps to Reproduce

Set up an OpenAI-compatible API server with a self-signed HTTPS certificate (e.g., AWS Bedrock Access Gateway with uvicorn --ssl-keyfile / --ssl-certfile, or any OpenAI-compatible server behind self-signed TLS).

Configure Open WebUI with the following environment variables:

AIOHTTP_CLIENT_SESSION_SSL=false
RAG_EMBEDDING_ENGINE=openai
RAG_EMBEDDING_MODEL=<your-model>
RAG_OPENAI_API_BASE_URL=https://<your-server>:<port>/api/v1
RAG_OPENAI_API_KEY=<your-key>
OPENAI_API_BASE_URLS=https://<your-server>:<port>/api/v1
OPENAI_API_KEYS=<your-key>

Start Open WebUI (v0.7.2). Verify that:
- The model list loads successfully in the UI (this confirms routers/openai.py respects AIOHTTP_CLIENT_SESSION_SSL=false).
- Chat completions work normally against the same HTTPS endpoint.
Upload a document to trigger RAG embedding generation.
Observe the SSL error in the logs --- the embedding request fails even though model listing and chat use the same endpoint successfully.

Logs & Screenshots

ERROR | open_webui.retrieval.utils:agenerate_openai_batch_embeddings:613 -
Error generating openai batch embeddings: Cannot connect to host
<OpenAI-compatible API server>:8080 ssl:True
[SSLCertVerificationError: (1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate
verify failed: self-signed certificate (_ssl.c:1016)')]

Note ssl:True in the error --- this confirms the AIOHTTP_CLIENT_SESSION_SSL=false setting is not being applied to this code path.

Additional Information

No response

Originally created by @Odko on GitHub (Feb 10, 2026). Original GitHub issue: https://github.com/open-webui/open-webui/issues/21293 ### Check Existing Issues - [x] I have searched for any existing and/or related issues. - [x] I have searched for any existing and/or related discussions. - [x] I have also searched in the CLOSED issues AND CLOSED discussions and found no related items (your issue might already be addressed on the development branch!). - [x] I am using the latest version of Open WebUI. ### Installation Method Docker ### Open WebUI Version 0.7.2 ### Ollama Version (if applicable) _No response_ ### Operating System Linux ### Browser (if applicable) _No response_ ### Confirmation - [x] I have read and followed all instructions in `README.md`. - [x] I am using the latest version of **both** Open WebUI and Ollama. - [x] I have included the browser console logs. - [x] I have included the Docker container logs. - [x] I have **provided every relevant configuration, setting, and environment variable used in my setup.** - [x] I have clearly **listed every relevant configuration, custom setting, environment variable, and command-line option that influences my setup** (such as Docker Compose overrides, .env values, browser settings, authentication configurations, etc). - [x] I have documented **step-by-step reproduction instructions that are precise, sequential, and leave nothing to interpretation**. My steps: - Start with the initial platform/version/OS and dependencies used, - Specify exact install/launch/configure commands, - List URLs visited, user input (incl. example values/emails/passwords if needed), - Describe all options and toggles enabled or changed, - Include any files or environmental changes, - Identify the expected and actual result at each stage, - Ensure any reasonably skilled user can follow and hit the same issue. ### Expected Behavior When `AIOHTTP_CLIENT_SESSION_SSL` is set to `false`, all aiohttp-based connections from Open WebUI --- including OpenAI-compatible embedding requests --- should skip SSL certificate verification. This is the documented behavior and works correctly for model listing, chat completions (in [`routers/openai.py`](https://github.com/open-webui/open-webui/blob/main/backend/open_webui/routers/openai.py)), and Ollama embeddings (in [`retrieval/utils.py`](https://github.com/open-webui/open-webui/blob/main/backend/open_webui/routers/utils.py)). ### Actual Behavior OpenAI and Azure OpenAI embedding requests always enforce SSL certificate verification regardless of the `AIOHTTP_CLIENT_SESSION_SSL` setting. The `ssl=AIOHTTP_CLIENT_SESSION_SSL` parameter is missing from the `session.post()` calls in `agenerate_openai_batch_embeddings` and `agenerate_azure_openai_batch_embeddings` in `backend/open_webui/retrieval/utils.py`. Model listing and chat completions to the same HTTPS endpoint work fine because `routers/openai.py` correctly passes `ssl=AIOHTTP_CLIENT_SESSION_SSL`. Only the embedding code path fails. This was partially addressed in #12906, which added the `ssl` parameter to `routers/openai.py`, but the same fix was not applied to the embedding functions in `retrieval/utils.py`. ### Steps to Reproduce 1. Set up an OpenAI-compatible API server with a self-signed HTTPS certificate (e.g., AWS Bedrock Access Gateway with uvicorn `--ssl-keyfile` / `--ssl-certfile`, or any OpenAI-compatible server behind self-signed TLS). 2. Configure Open WebUI with the following environment variables: ``` AIOHTTP_CLIENT_SESSION_SSL=false RAG_EMBEDDING_ENGINE=openai RAG_EMBEDDING_MODEL=<your-model> RAG_OPENAI_API_BASE_URL=https://<your-server>:<port>/api/v1 RAG_OPENAI_API_KEY=<your-key> OPENAI_API_BASE_URLS=https://<your-server>:<port>/api/v1 OPENAI_API_KEYS=<your-key> ``` 3. Start Open WebUI (v0.7.2). Verify that: - The model list loads successfully in the UI (this confirms `routers/openai.py` respects `AIOHTTP_CLIENT_SESSION_SSL=false`). - Chat completions work normally against the same HTTPS endpoint. 4. Upload a document to trigger RAG embedding generation. 5. Observe the SSL error in the logs --- the embedding request fails even though model listing and chat use the same endpoint successfully. ### Logs & Screenshots ``` ERROR | open_webui.retrieval.utils:agenerate_openai_batch_embeddings:613 - Error generating openai batch embeddings: Cannot connect to host <OpenAI-compatible API server>:8080 ssl:True [SSLCertVerificationError: (1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self-signed certificate (_ssl.c:1016)')] ``` Note `ssl:True` in the error --- this confirms the `AIOHTTP_CLIENT_SESSION_SSL=false` setting is not being applied to this code path. ### Additional Information _No response_

GiteaMirror added the bug label 2026-04-20 01:53:09 -05:00

GiteaMirror closed this issue

2026-04-20 01:53:10 -05:00

GiteaMirror commented

2026-04-20 01:53:12 -05:00

@tjbck commented on GitHub (Feb 10, 2026):

Should be addressed in dev.

@tjbck commented on GitHub (Feb 10, 2026): Should be addressed in dev.

GiteaMirror referenced this issue

2026-04-25 08:24:06 -05:00

[GH-ISSUE #19433] issue: error while creating an image using openai gpt-image-1 #34409

GiteaMirror referenced this issue