[GH-ISSUE #21293] issue: OpenAI embeddings ignore AIOHTTP_CLIENT_SESSION_SSL=false (SSL verification always enforced) #34962

New Issue

Closed

opened 2026-04-25 09:08:20 -05:00 by GiteaMirror · 1 comment

GiteaMirror commented 2026-04-25 09:08:20 -05:00

Owner

Copy Link

Originally created by @Odko on GitHub (Feb 10, 2026).
Original GitHub issue: https://github.com/open-webui/open-webui/issues/21293

Check Existing Issues

• I have searched for any existing and/or related issues.
• I have searched for any existing and/or related discussions.
• I have also searched in the CLOSED issues AND CLOSED discussions and found no related items (your issue might already be addressed on the development branch!).
• I am using the latest version of Open WebUI.

Installation Method

Docker

Open WebUI Version

0.7.2

Ollama Version (if applicable)

No response

Operating System

Linux

Browser (if applicable)

No response

Confirmation

• I have read and followed all instructions in README.md.
• I am using the latest version of both Open WebUI and Ollama.
• I have included the browser console logs.
• I have included the Docker container logs.
• I have provided every relevant configuration, setting, and environment variable used in my setup.
• I have clearly listed every relevant configuration, custom setting, environment variable, and command-line option that influences my setup (such as Docker Compose overrides, .env values, browser settings, authentication configurations, etc).
• I have documented step-by-step reproduction instructions that are precise, sequential, and leave nothing to interpretation. My steps:
• Start with the initial platform/version/OS and dependencies used,
• Specify exact install/launch/configure commands,
• List URLs visited, user input (incl. example values/emails/passwords if needed),
• Describe all options and toggles enabled or changed,
• Include any files or environmental changes,
• Identify the expected and actual result at each stage,
• Ensure any reasonably skilled user can follow and hit the same issue.

Expected Behavior

When AIOHTTP_CLIENT_SESSION_SSL is set to false, all aiohttp-based connections from Open WebUI --- including OpenAI-compatible embedding requests --- should skip SSL certificate verification. This is the documented behavior and works correctly for model listing, chat completions (in routers/openai.py), and Ollama embeddings (in retrieval/utils.py).

Actual Behavior

OpenAI and Azure OpenAI embedding requests always enforce SSL certificate verification regardless of the AIOHTTP_CLIENT_SESSION_SSL setting. The ssl=AIOHTTP_CLIENT_SESSION_SSL parameter is missing from the session.post() calls in agenerate_openai_batch_embeddings and agenerate_azure_openai_batch_embeddings in backend/open_webui/retrieval/utils.py.

Model listing and chat completions to the same HTTPS endpoint work fine because routers/openai.py correctly passes ssl=AIOHTTP_CLIENT_SESSION_SSL. Only the embedding code path fails.

This was partially addressed in #12906, which added the ssl parameter to routers/openai.py, but the same fix was not applied to the embedding functions in retrieval/utils.py.

Steps to Reproduce

1. Set up an OpenAI-compatible API server with a self-signed HTTPS certificate (e.g., AWS Bedrock Access Gateway with uvicorn --ssl-keyfile / --ssl-certfile, or any OpenAI-compatible server behind self-signed TLS).

2. Configure Open WebUI with the following environment variables:

   AIOHTTP_CLIENT_SESSION_SSL=false
   RAG_EMBEDDING_ENGINE=openai
   RAG_EMBEDDING_MODEL=<your-model>
   RAG_OPENAI_API_BASE_URL=https://<your-server>:<port>/api/v1
   RAG_OPENAI_API_KEY=<your-key>
   OPENAI_API_BASE_URLS=https://<your-server>:<port>/api/v1
   OPENAI_API_KEYS=<your-key>
   

3. Start Open WebUI (v0.7.2). Verify that:

   • The model list loads successfully in the UI (this confirms routers/openai.py respects AIOHTTP_CLIENT_SESSION_SSL=false).
   • Chat completions work normally against the same HTTPS endpoint.

4. Upload a document to trigger RAG embedding generation.

5. Observe the SSL error in the logs --- the embedding request fails even though model listing and chat use the same endpoint successfully.

Logs & Screenshots

ERROR | open_webui.retrieval.utils:agenerate_openai_batch_embeddings:613 -
Error generating openai batch embeddings: Cannot connect to host
<OpenAI-compatible API server>:8080 ssl:True
[SSLCertVerificationError: (1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate
verify failed: self-signed certificate (_ssl.c:1016)')]

Note ssl:True in the error --- this confirms the AIOHTTP_CLIENT_SESSION_SSL=false setting is not being applied to this code path.

Additional Information

No response

Originally created by @Odko on GitHub (Feb 10, 2026). Original GitHub issue: https://github.com/open-webui/open-webui/issues/21293 ### Check Existing Issues - [x] I have searched for any existing and/or related issues. - [x] I have searched for any existing and/or related discussions. - [x] I have also searched in the CLOSED issues AND CLOSED discussions and found no related items (your issue might already be addressed on the development branch!). - [x] I am using the latest version of Open WebUI. ### Installation Method Docker ### Open WebUI Version 0.7.2 ### Ollama Version (if applicable) _No response_ ### Operating System Linux ### Browser (if applicable) _No response_ ### Confirmation - [x] I have read and followed all instructions in `README.md`. - [x] I am using the latest version of **both** Open WebUI and Ollama. - [x] I have included the browser console logs. - [x] I have included the Docker container logs. - [x] I have **provided every relevant configuration, setting, and environment variable used in my setup.** - [x] I have clearly **listed every relevant configuration, custom setting, environment variable, and command-line option that influences my setup** (such as Docker Compose overrides, .env values, browser settings, authentication configurations, etc). - [x] I have documented **step-by-step reproduction instructions that are precise, sequential, and leave nothing to interpretation**. My steps: - Start with the initial platform/version/OS and dependencies used, - Specify exact install/launch/configure commands, - List URLs visited, user input (incl. example values/emails/passwords if needed), - Describe all options and toggles enabled or changed, - Include any files or environmental changes, - Identify the expected and actual result at each stage, - Ensure any reasonably skilled user can follow and hit the same issue. ### Expected Behavior When `AIOHTTP_CLIENT_SESSION_SSL` is set to `false`, all aiohttp-based connections from Open WebUI --- including OpenAI-compatible embedding requests --- should skip SSL certificate verification. This is the documented behavior and works correctly for model listing, chat completions (in [`routers/openai.py`](https://github.com/open-webui/open-webui/blob/main/backend/open_webui/routers/openai.py)), and Ollama embeddings (in [`retrieval/utils.py`](https://github.com/open-webui/open-webui/blob/main/backend/open_webui/routers/utils.py)). ### Actual Behavior OpenAI and Azure OpenAI embedding requests always enforce SSL certificate verification regardless of the `AIOHTTP_CLIENT_SESSION_SSL` setting. The `ssl=AIOHTTP_CLIENT_SESSION_SSL` parameter is missing from the `session.post()` calls in `agenerate_openai_batch_embeddings` and `agenerate_azure_openai_batch_embeddings` in `backend/open_webui/retrieval/utils.py`. Model listing and chat completions to the same HTTPS endpoint work fine because `routers/openai.py` correctly passes `ssl=AIOHTTP_CLIENT_SESSION_SSL`. Only the embedding code path fails. This was partially addressed in #12906, which added the `ssl` parameter to `routers/openai.py`, but the same fix was not applied to the embedding functions in `retrieval/utils.py`. ### Steps to Reproduce 1. Set up an OpenAI-compatible API server with a self-signed HTTPS certificate (e.g., AWS Bedrock Access Gateway with uvicorn `--ssl-keyfile` / `--ssl-certfile`, or any OpenAI-compatible server behind self-signed TLS). 2. Configure Open WebUI with the following environment variables: ``` AIOHTTP_CLIENT_SESSION_SSL=false RAG_EMBEDDING_ENGINE=openai RAG_EMBEDDING_MODEL=<your-model> RAG_OPENAI_API_BASE_URL=https://<your-server>:<port>/api/v1 RAG_OPENAI_API_KEY=<your-key> OPENAI_API_BASE_URLS=https://<your-server>:<port>/api/v1 OPENAI_API_KEYS=<your-key> ``` 3. Start Open WebUI (v0.7.2). Verify that: - The model list loads successfully in the UI (this confirms `routers/openai.py` respects `AIOHTTP_CLIENT_SESSION_SSL=false`). - Chat completions work normally against the same HTTPS endpoint. 4. Upload a document to trigger RAG embedding generation. 5. Observe the SSL error in the logs --- the embedding request fails even though model listing and chat use the same endpoint successfully. ### Logs & Screenshots ``` ERROR | open_webui.retrieval.utils:agenerate_openai_batch_embeddings:613 - Error generating openai batch embeddings: Cannot connect to host <OpenAI-compatible API server>:8080 ssl:True [SSLCertVerificationError: (1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self-signed certificate (_ssl.c:1016)')] ``` Note `ssl:True` in the error --- this confirms the `AIOHTTP_CLIENT_SESSION_SSL=false` setting is not being applied to this code path. ### Additional Information _No response_

GiteaMirror added the bug label 2026-04-25 09:08:20 -05:00

GiteaMirror closed this issue 2026-04-25 09:08:21 -05:00

GiteaMirror commented 2026-04-25 09:08:22 -05:00

Author

Owner

Copy Link

@tjbck commented on GitHub (Feb 10, 2026):

Should be addressed in dev.

<!-- gh-comment-id:3880039325 --> @tjbck commented on GitHub (Feb 10, 2026): Should be addressed in dev.

Sign in to join this conversation.

No Branch/Tag Specified

Branches Tags

main

dev

v0.9.2

v0.9.1

v0.9.0

v0.8.12

v0.8.11

v0.8.10

v0.8.9

v0.8.8

v0.8.7

v0.8.6

v0.8.5

v0.8.4

v0.8.3

v0.8.2

v0.8.1

v0.8.0

v0.7.2

v0.7.1

v0.7.0

v0.6.43

v0.6.42

v0.6.41

v0.6.40

v0.6.39

v0.6.38

v0.6.37

v0.6.36

v0.6.35

v0.6.34

v0.6.33

v0.6.32

v0.6.31

v0.6.30

v0.6.29

v0.6.28

v0.6.27

v0.6.26

v0.6.25

v0.6.24

v0.6.23

v0.6.22

v0.6.21

v0.6.20

v0.6.19

v0.6.18

v0.6.17

v0.6.16

v0.6.15

v0.6.14

v0.6.13

v0.6.12

v0.6.11

v0.6.10

v0.6.9

v0.6.8

v0.6.7

v0.6.6

v0.6.5

v0.6.4

v0.6.3

v0.6.2

v0.6.1

v0.6.0

v0.5.20

v0.5.19

v0.5.18

v0.5.17

v0.5.16

v0.5.15

v0.5.14

v0.5.13

v0.5.12

v0.5.11

v0.5.10

v0.5.9

v0.5.8

v0.5.7

v0.5.6

v0.5.5

v0.5.4

v0.5.3

v0.5.2

v0.5.1

v0.5.0

v0.4.8

v0.4.7

v0.4.6

v0.4.5

v0.4.4

v0.4.3

v0.4.2

v0.4.1

v0.4.0

v0.3.35

v0.3.34

v0.3.33

v0.3.32

v0.3.31

v0.3.30

v0.3.29

v0.3.28

v0.3.27

v0.3.26

v0.3.25

v0.3.24

v0.3.23

v0.3.22

v0.3.21

v0.3.20

v0.3.19

v0.3.18

v0.3.17

v0.3.16

v0.3.15

v0.3.14

v0.3.13

v0.3.12

v0.3.11

v0.3.10

v0.3.9

v0.3.8

v0.3.7

v0.3.6

v0.3.5

v0.3.4

v0.3.3

v0.3.2

v0.3.1

v0.3.0

v0.2.5

v0.2.4

v0.2.3

v0.2.2

v0.2.1

v0.2.0

v0.1.125

v0.1.124

v0.1.123

v0.1.122

v0.1.121

v0.1.120

v0.1.119

v0.1.118

v0.1.117

v0.1.116

v0.1.115

v0.1.114

v0.1.113

v0.1.112

v0.1.111

v0.1.110

v0.1.109

v0.1.108

v0.1.107

v0.1.106

v0.1.105

v0.1.104

v0.1.103

v0.1.102

Labels

Clear labels

bug

confirmed

confirmed issue

core

documentation

enhancement

good first issue

help wanted

non-core

pull-request

Mirrored from GitHub Pull Request

python

question

testing wanted

No Label bug

Milestone

No items

No Milestone

Projects

Clear projects

No project

Assignees

Clear assignees

GiteaMirror ninjasurge

No Assignees

1 Participants

Notifications

Subscribe

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: github-starred/open-webui#34962