[GH-ISSUE #21481] issue: MCP tool SSL is checked even with env vars saying it not to #35026

New Issue

Closed

opened 2026-04-25 09:14:12 -05:00 by GiteaMirror · 3 comments

GiteaMirror commented 2026-04-25 09:14:12 -05:00

Owner

Copy Link

Originally created by @newtondotcom on GitHub (Feb 16, 2026).
Original GitHub issue: https://github.com/open-webui/open-webui/issues/21481

Check Existing Issues

• I have searched for any existing and/or related issues.
• I have searched for any existing and/or related discussions.
• I have also searched in the CLOSED issues AND CLOSED discussions and found no related items (your issue might already be addressed on the development branch!).
• I am using the latest version of Open WebUI.

Installation Method

Docker

Open WebUI Version

v0.8.2

Ollama Version (if applicable)

No response

Operating System

Ubuntu 24.04

Browser (if applicable)

No response

Confirmation

• I have read and followed all instructions in README.md.
• I am using the latest version of both Open WebUI and Ollama.
• I have included the browser console logs.
• I have included the Docker container logs.
• I have provided every relevant configuration, setting, and environment variable used in my setup.
• I have clearly listed every relevant configuration, custom setting, environment variable, and command-line option that influences my setup (such as Docker Compose overrides, .env values, browser settings, authentication configurations, etc).
• I have documented step-by-step reproduction instructions that are precise, sequential, and leave nothing to interpretation. My steps:
• Start with the initial platform/version/OS and dependencies used,
• Specify exact install/launch/configure commands,
• List URLs visited, user input (incl. example values/emails/passwords if needed),
• Describe all options and toggles enabled or changed,
• Include any files or environmental changes,
• Identify the expected and actual result at each stage,
• Ensure any reasonably skilled user can follow and hit the same issue.

Expected Behavior

MCP tool requests should not be SSL checked when AIOHTTP_CLIENT_SESSION_TOOL_SERVER_SSL is set in env.

I am pretty sure to have seen this issue somewhere but i can't find it anywhere... so maybe sorry in advance ...

Actual Behavior

The OPENAI_API_BASE_URL is clearly not SSL checked as exptected but when calling the MCP, the url is SSL checked and the requests fails even with the env var stating not to.

Steps to Reproduce

Using Docker version 29.2.0-rc.1 on Ubuntu
App Launched with Docker compose
Env var set :

      - AIOHTTP_CLIENT_SESSION_SSL=false
      - AIOHTTP_CLIENT_SESSION_TOOL_SERVER_SSL=false
      - REQUESTS_VERIFY=false

Logs & Screenshots

open-webui-dev  | 2026-02-16 11:32:24.839 | DEBUG    | open_webui.utils.middleware:process_chat_payload:2175 - direct_tool_servers=[]
open-webui-dev  | 2026-02-16 11:32:24.962 | DEBUG    | mcp.client.streamable_http:streamable_http_client:649 - Connecting to StreamableHTTP endpoint: https://openmetadata.local/mcp
open-webui-dev  | 2026-02-16 11:32:24.965 | DEBUG    | mcp.client.streamable_http:post_writer:547 - Sending client message: root=JSONRPCRequest(method='initialize', params={'protocolVersion': '2025-11-25', 'capabilities': {}, 'clientInfo': {'name': 'mcp', 'version': '0.1.0'}}, jsonrpc='2.0', id=0)
open-webui-dev  | 2026-02-16 11:32:24.967 | DEBUG    | httpcore._trace:atrace:87 - connect_tcp.started host='openmetadata.local' port=443 local_address=None timeout=30 socket_options=None
open-webui-dev  | 2026-02-16 11:32:24.970 | INFO     | uvicorn.protocols.http.httptools_impl:send:483 - 192.168.1.1:33426 - "POST /api/chat/completions HTTP/1.1" 200
open-webui-dev  | 2026-02-16 11:32:24.990 | DEBUG    | httpcore._trace:atrace:87 - connect_tcp.complete return_value=<httpcore._backends.anyio.AnyIOStream object at 0x7c821da21dd0>
open-webui-dev  | 2026-02-16 11:32:24.990 | DEBUG    | httpcore._trace:atrace:87 - start_tls.started ssl_context=<ssl.SSLContext object at 0x7c8211d1ae70> server_hostname='openmetadata.local' timeout=30
open-webui-dev  | 2026-02-16 11:32:24.995 | INFO     | uvicorn.protocols.http.httptools_impl:send:483 - 192.168.1.1:33426 - "GET /api/v1/chats/?page=1 HTTP/1.1" 200
open-webui-dev  | 2026-02-16 11:32:25.001 | DEBUG    | httpcore._trace:atrace:87 - start_tls.failed exception=ConnectError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1016)'))

Additional Information

No response

Originally created by @newtondotcom on GitHub (Feb 16, 2026). Original GitHub issue: https://github.com/open-webui/open-webui/issues/21481 ### Check Existing Issues - [x] I have searched for any existing and/or related issues. - [x] I have searched for any existing and/or related discussions. - [x] I have also searched in the CLOSED issues AND CLOSED discussions and found no related items (your issue might already be addressed on the development branch!). - [x] I am using the latest version of Open WebUI. ### Installation Method Docker ### Open WebUI Version v0.8.2 ### Ollama Version (if applicable) _No response_ ### Operating System Ubuntu 24.04 ### Browser (if applicable) _No response_ ### Confirmation - [x] I have read and followed all instructions in `README.md`. - [x] I am using the latest version of **both** Open WebUI and Ollama. - [x] I have included the browser console logs. - [x] I have included the Docker container logs. - [x] I have **provided every relevant configuration, setting, and environment variable used in my setup.** - [x] I have clearly **listed every relevant configuration, custom setting, environment variable, and command-line option that influences my setup** (such as Docker Compose overrides, .env values, browser settings, authentication configurations, etc). - [x] I have documented **step-by-step reproduction instructions that are precise, sequential, and leave nothing to interpretation**. My steps: - Start with the initial platform/version/OS and dependencies used, - Specify exact install/launch/configure commands, - List URLs visited, user input (incl. example values/emails/passwords if needed), - Describe all options and toggles enabled or changed, - Include any files or environmental changes, - Identify the expected and actual result at each stage, - Ensure any reasonably skilled user can follow and hit the same issue. ### Expected Behavior MCP tool requests should not be SSL checked when `AIOHTTP_CLIENT_SESSION_TOOL_SERVER_SSL` is set in env. > I am pretty sure to have seen this issue somewhere but i can't find it anywhere... so maybe sorry in advance ... ### Actual Behavior The `OPENAI_API_BASE_URL` is clearly not SSL checked as exptected but when calling the MCP, the url is SSL checked and the requests fails even with the env var stating not to. ### Steps to Reproduce Using Docker version 29.2.0-rc.1 on Ubuntu App Launched with Docker compose Env var set : ```yaml - AIOHTTP_CLIENT_SESSION_SSL=false - AIOHTTP_CLIENT_SESSION_TOOL_SERVER_SSL=false - REQUESTS_VERIFY=false ``` ### Logs & Screenshots ```bash open-webui-dev | 2026-02-16 11:32:24.839 | DEBUG | open_webui.utils.middleware:process_chat_payload:2175 - direct_tool_servers=[] open-webui-dev | 2026-02-16 11:32:24.962 | DEBUG | mcp.client.streamable_http:streamable_http_client:649 - Connecting to StreamableHTTP endpoint: https://openmetadata.local/mcp open-webui-dev | 2026-02-16 11:32:24.965 | DEBUG | mcp.client.streamable_http:post_writer:547 - Sending client message: root=JSONRPCRequest(method='initialize', params={'protocolVersion': '2025-11-25', 'capabilities': {}, 'clientInfo': {'name': 'mcp', 'version': '0.1.0'}}, jsonrpc='2.0', id=0) open-webui-dev | 2026-02-16 11:32:24.967 | DEBUG | httpcore._trace:atrace:87 - connect_tcp.started host='openmetadata.local' port=443 local_address=None timeout=30 socket_options=None open-webui-dev | 2026-02-16 11:32:24.970 | INFO | uvicorn.protocols.http.httptools_impl:send:483 - 192.168.1.1:33426 - "POST /api/chat/completions HTTP/1.1" 200 open-webui-dev | 2026-02-16 11:32:24.990 | DEBUG | httpcore._trace:atrace:87 - connect_tcp.complete return_value=<httpcore._backends.anyio.AnyIOStream object at 0x7c821da21dd0> open-webui-dev | 2026-02-16 11:32:24.990 | DEBUG | httpcore._trace:atrace:87 - start_tls.started ssl_context=<ssl.SSLContext object at 0x7c8211d1ae70> server_hostname='openmetadata.local' timeout=30 open-webui-dev | 2026-02-16 11:32:24.995 | INFO | uvicorn.protocols.http.httptools_impl:send:483 - 192.168.1.1:33426 - "GET /api/v1/chats/?page=1 HTTP/1.1" 200 open-webui-dev | 2026-02-16 11:32:25.001 | DEBUG | httpcore._trace:atrace:87 - start_tls.failed exception=ConnectError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1016)')) ``` ### Additional Information _No response_

GiteaMirror added the bug label 2026-04-25 09:14:12 -05:00

GiteaMirror closed this issue 2026-04-25 09:14:13 -05:00

GiteaMirror commented 2026-04-25 09:14:14 -05:00

Author

Owner

Copy Link

@Classic298 commented on GitHub (Feb 16, 2026):

@newtondotcom pls test the pr

<!-- gh-comment-id:3910118333 --> @Classic298 commented on GitHub (Feb 16, 2026): @newtondotcom pls test the pr

GiteaMirror commented 2026-04-25 09:14:15 -05:00

Author

Owner

Copy Link

@newtondotcom commented on GitHub (Feb 17, 2026):

It works thks ! I look forward to see it merged !

<!-- gh-comment-id:3914094626 --> @newtondotcom commented on GitHub (Feb 17, 2026): It works thks ! I look forward to see it merged !

GiteaMirror commented 2026-04-25 09:14:15 -05:00

Author

Owner

Copy Link

@Classic298 commented on GitHub (Feb 17, 2026):

@tjbck

<!-- gh-comment-id:3916184583 --> @Classic298 commented on GitHub (Feb 17, 2026): @tjbck

Sign in to join this conversation.

No Branch/Tag Specified

Branches Tags

main

dev

v0.9.2

v0.9.1

v0.9.0

v0.8.12

v0.8.11

v0.8.10

v0.8.9

v0.8.8

v0.8.7

v0.8.6

v0.8.5

v0.8.4

v0.8.3

v0.8.2

v0.8.1

v0.8.0

v0.7.2

v0.7.1

v0.7.0

v0.6.43

v0.6.42

v0.6.41

v0.6.40

v0.6.39

v0.6.38

v0.6.37

v0.6.36

v0.6.35

v0.6.34

v0.6.33

v0.6.32

v0.6.31

v0.6.30

v0.6.29

v0.6.28

v0.6.27

v0.6.26

v0.6.25

v0.6.24

v0.6.23

v0.6.22

v0.6.21

v0.6.20

v0.6.19

v0.6.18

v0.6.17

v0.6.16

v0.6.15

v0.6.14

v0.6.13

v0.6.12

v0.6.11

v0.6.10

v0.6.9

v0.6.8

v0.6.7

v0.6.6

v0.6.5

v0.6.4

v0.6.3

v0.6.2

v0.6.1

v0.6.0

v0.5.20

v0.5.19

v0.5.18

v0.5.17

v0.5.16

v0.5.15

v0.5.14

v0.5.13

v0.5.12

v0.5.11

v0.5.10

v0.5.9

v0.5.8

v0.5.7

v0.5.6

v0.5.5

v0.5.4

v0.5.3

v0.5.2

v0.5.1

v0.5.0

v0.4.8

v0.4.7

v0.4.6

v0.4.5

v0.4.4

v0.4.3

v0.4.2

v0.4.1

v0.4.0

v0.3.35

v0.3.34

v0.3.33

v0.3.32

v0.3.31

v0.3.30

v0.3.29

v0.3.28

v0.3.27

v0.3.26

v0.3.25

v0.3.24

v0.3.23

v0.3.22

v0.3.21

v0.3.20

v0.3.19

v0.3.18

v0.3.17

v0.3.16

v0.3.15

v0.3.14

v0.3.13

v0.3.12

v0.3.11

v0.3.10

v0.3.9

v0.3.8

v0.3.7

v0.3.6

v0.3.5

v0.3.4

v0.3.3

v0.3.2

v0.3.1

v0.3.0

v0.2.5

v0.2.4

v0.2.3

v0.2.2

v0.2.1

v0.2.0

v0.1.125

v0.1.124

v0.1.123

v0.1.122

v0.1.121

v0.1.120

v0.1.119

v0.1.118

v0.1.117

v0.1.116

v0.1.115

v0.1.114

v0.1.113

v0.1.112

v0.1.111

v0.1.110

v0.1.109

v0.1.108

v0.1.107

v0.1.106

v0.1.105

v0.1.104

v0.1.103

v0.1.102

Labels

Clear labels

bug

confirmed

confirmed issue

core

documentation

enhancement

good first issue

help wanted

non-core

pull-request

Mirrored from GitHub Pull Request

python

question

testing wanted

No Label bug

Milestone

No items

No Milestone

Projects

Clear projects

No project

Assignees

Clear assignees

GiteaMirror ninjasurge

No Assignees

1 Participants

Notifications

Subscribe

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: github-starred/open-webui#35026