[GH-ISSUE #18727] issue: open-webui container intercepting all HTTPS requests #34216

Closed
opened 2026-04-25 08:07:26 -05:00 by GiteaMirror · 0 comments

Originally created by @oskapt on GitHub (Oct 30, 2025).
Original GitHub issue: https://github.com/open-webui/open-webui/issues/18727

Check Existing Issues

  • I have searched for any existing and/or related issues.
  • I have searched for any existing and/or related discussions.
  • I am using the latest version of Open WebUI.

Installation Method

Docker

Open WebUI Version

0.6.34

Ollama Version (if applicable)

No response

Operating System

Kubernetes

Browser (if applicable)

No response

Confirmation

  • I have read and followed all instructions in README.md.
  • I am using the latest version of both Open WebUI and Ollama.
  • I have included the browser console logs.
  • I have included the Docker container logs.
  • I have provided every relevant configuration, setting, and environment variable used in my setup.
  • I have clearly listed every relevant configuration, custom setting, environment variable, and command-line option that influences my setup (such as Docker Compose overrides, .env values, browser settings, authentication configurations, etc).
  • I have documented step-by-step reproduction instructions that are precise, sequential, and leave nothing to interpretation. My steps:
  • Start with the initial platform/version/OS and dependencies used,
  • Specify exact install/launch/configure commands,
  • List URLs visited, user input (incl. example values/emails/passwords if needed),
  • Describe all options and toggles enabled or changed,
  • Include any files or environmental changes,
  • Identify the expected and actual result at each stage,
  • Ensure any reasonably skilled user can follow and hit the same issue.

Expected Behavior

OWUI is failing all outbound SSL connections:

```
open-webui-0 open-webui aiohttp.client_exceptions.ClientConnectorSSLError: Cannot connect to host api.openai.com:443 ssl:default [[SSL: WRONG_VERSION_NUMBER] wrong version number (_ssl.c:1016)]
```

This is confirmed with both openssl and curl within the container:

```
root@open-webui-0:/app/backend# openssl s_client -connect api.openai.com:443
CONNECTED(00000003)
40B76CEB3A7F0000:error:0A00010B:SSL routines:ssl3_get_record:wrong version number:../ssl/record/ssl3_record.c:354:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 5 bytes and written 320 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---

root@open-webui-0:/app/backend# curl https://api.openai.com
curl: (35) OpenSSL/3.0.17: error:0A00010B:SSL routines::wrong version number
```

The error is anomalous -- the actual problem is that there's an envoy server that's intercepting HTTPS requests to anywhere:

```
root@open-webui-0:/app/backend# nc -v api.openai.com 443
Connection to api.openai.com (162.159.140.245) 443 port [tcp/https] succeeded!
asdf
HTTP/1.1 400 Bad Request
content-length: 11
content-type: text/plain
date: Thu, 30 Oct 2025 00:09:26 GMT
server: envoy
connection: close

Bad Request

root@open-webui-0:/app/backend# nc -v www.google.com 443
Connection to www.google.com (142.250.72.228) 443 port [tcp/https] succeeded!
asdf
HTTP/1.1 400 Bad Request
content-length: 11
content-type: text/plain
date: Thu, 30 Oct 2025 00:09:08 GMT
server: envoy
connection: close

Bad Request
```

This only happens from within the open-webui container, and if I sniff on the host where this pod is located, I never see outbound communication to the actual IPs behind those hostnames. It looks like there's a busted Envoy server within the open-webui process and something that's intercepting all HTTPS traffic, and that Envoy server is not speaking HTTPS...hence the "wrong version number" errors. I do not have this problem from within the pipeline container in the same namespace (nor on any of the other 100+ containers running in this cluster):

```
}root@open-webui-pipelines-589c787dbb-nrtqf:/app# curl https://api.openai.com
{
    "message": "Welcome to the OpenAI API! Documentation is available at https://platform.openai.com/docs/api-reference"
}
```

I can't see what the container is running because some genius removed ps from the image (while leaving curl, openssl and a mess of other useful utilities), so I'm left with opening a ticket and asking if there's anything in OWUI that would be doing this.

Actual Behavior

X

Steps to Reproduce

X

Logs & Screenshots

X

Additional Information

X

GiteaMirror added the bug label 2026-04-25 08:07:26 -05:00
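
Added example, not part of the original issue or of Open WebUI: a Python check that classifies the first bytes returned on a port expected to speak TLS, which is the distinction the `nc` test in the report draws by hand. A TLS record starts with a 5-byte header (content type, version, length), so a reply beginning with `HTTP/` cannot parse as one; the function names, the `probe` helper and the sample bytes are constructed for illustration.

```python
import socket
import struct
from typing import Optional, Tuple

# TLS record content types (RFC 8446, section 5.1).
TLS_CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                     22: "handshake", 23: "application_data"}

def classify_first_bytes(data: bytes) -> str:
    """Classify the first bytes a peer sent on a port that should speak TLS."""
    if not data:
        return "empty"
    if data.startswith(b"HTTP/"):
        return "plaintext-http"  # an HTTP status line, not a TLS record
    if len(data) >= 5:
        ctype, major, minor, length = struct.unpack("!BBBH", data[:5])
        # Record version is 0x03 0x00..0x04; record length is capped at 2^14 + 2048.
        if (ctype in TLS_CONTENT_TYPES and major == 3 and minor <= 4
                and length <= 16384 + 2048):
            return "tls-" + TLS_CONTENT_TYPES[ctype]
    return "unknown"

def server_header(data: bytes) -> Optional[str]:
    """Return the Server header of a plaintext HTTP reply, if present."""
    head = data.split(b"\r\n\r\n", 1)[0]
    for line in head.split(b"\r\n")[1:]:
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"server":
            return value.strip().decode("latin-1")
    return None

def probe(host: str, port: int = 443, timeout: float = 5.0) -> Tuple[str, Optional[str]]:
    """Hypothetical helper: send a junk line, as in the nc test, and classify the reply."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(b"asdf\r\n\r\n")
        try:
            data = sock.recv(4096)
        except socket.timeout:
            data = b""
    return classify_first_bytes(data), server_header(data)

# Constructed samples: the reply shape from the nc session, and a fatal TLS alert record.
SAMPLE_HTTP = (b"HTTP/1.1 400 Bad Request\r\ncontent-length: 11\r\n"
               b"content-type: text/plain\r\nserver: envoy\r\n"
               b"connection: close\r\n\r\nBad Request")
SAMPLE_TLS_ALERT = bytes([21, 3, 3, 0, 2, 2, 70])  # alert, TLS 1.2, protocol_version

if __name__ == "__main__":
    print(classify_first_bytes(SAMPLE_HTTP), server_header(SAMPLE_HTTP))
    print(classify_first_bytes(SAMPLE_TLS_ALERT), server_header(SAMPLE_TLS_ALERT))
```

Running `probe` from the affected pod and from a working pod in the same namespace gives a side-by-side view of which workload receives plaintext HTTP on port 443 and which `Server` header answers.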
Reference: github-starred/open-webui#34216