[GH-ISSUE #23755] issue: Openwebui ignores AIOHTTP_CLIENT_SESSION_SSL for image generation #74663

New Issue

GiteaMirror · 2026-05-13T07:28:50-05:00

GiteaMirror commented

2026-05-13 07:28:50 -05:00

Originally created by @orKL3mlz on GitHub (Apr 15, 2026).
Original GitHub issue: https://github.com/open-webui/open-webui/issues/23755

Check Existing Issues

I have searched for any existing and/or related issues.
I have searched for any existing and/or related discussions.
I have also searched in the CLOSED issues AND CLOSED discussions and found no related items (your issue might already be addressed on the development branch!).
I am using the latest version of Open WebUI.

Installation Method

Docker

Open WebUI Version

open-webui/open-webui:git-1860874-slim

Ollama Version (if applicable)

0.20.3

Operating System

Debian 13

Browser (if applicable)

No response

Confirmation

I have read and followed all instructions in README.md.
I am using the latest version of both Open WebUI and Ollama.
I have included the browser console logs.
I have included the Docker container logs.
I have provided every relevant configuration, setting, and environment variable used in my setup.
I have clearly listed every relevant configuration, custom setting, environment variable, and command-line option that influences my setup (such as Docker Compose overrides, .env values, browser settings, authentication configurations, etc).
I have documented step-by-step reproduction instructions that are precise, sequential, and leave nothing to interpretation. My steps:
Start with the initial platform/version/OS and dependencies used,
Specify exact install/launch/configure commands,
List URLs visited, user input (incl. example values/emails/passwords if needed),
Describe all options and toggles enabled or changed,
Include any files or environmental changes,
Identify the expected and actual result at each stage,
Ensure any reasonably skilled user can follow and hit the same issue.

Expected Behavior

Openwebui should ignore self signed certificate errors if AIOHTTP_CLIENT_SESSION_SSL = False when making calls to the image generation endpoint.

Actual Behavior

The request fails with an Self signed certificate error, in this case, when connecting to a comfyui instance

Steps to Reproduce

Configure Openwebui to use a Comfyui endpoint inside the image generation settings. If this endpoint uses a self-signed certificate, the request will fail with the error mentionned above.

Logs & Screenshots

ERROR    | open_webui.utils.images.comfyui:comfyui_create_image:180 - Failed to connect to WebSocket server: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self-signed certificate (_ssl.c:1016)

Additional Information

I'm using the dev branch to check if the issue has been fixed, but it's not for this use case, or the issue #23672

Originally created by @orKL3mlz on GitHub (Apr 15, 2026). Original GitHub issue: https://github.com/open-webui/open-webui/issues/23755 ### Check Existing Issues - [x] I have searched for any existing and/or related issues. - [x] I have searched for any existing and/or related discussions. - [x] I have also searched in the CLOSED issues AND CLOSED discussions and found no related items (your issue might already be addressed on the development branch!). - [x] I am using the latest version of Open WebUI. ### Installation Method Docker ### Open WebUI Version open-webui/open-webui:git-1860874-slim ### Ollama Version (if applicable) 0.20.3 ### Operating System Debian 13 ### Browser (if applicable) _No response_ ### Confirmation - [x] I have read and followed all instructions in `README.md`. - [x] I am using the latest version of **both** Open WebUI and Ollama. - [x] I have included the browser console logs. - [x] I have included the Docker container logs. - [x] I have **provided every relevant configuration, setting, and environment variable used in my setup.** - [x] I have clearly **listed every relevant configuration, custom setting, environment variable, and command-line option that influences my setup** (such as Docker Compose overrides, .env values, browser settings, authentication configurations, etc). - [x] I have documented **step-by-step reproduction instructions that are precise, sequential, and leave nothing to interpretation**. My steps: - Start with the initial platform/version/OS and dependencies used, - Specify exact install/launch/configure commands, - List URLs visited, user input (incl. example values/emails/passwords if needed), - Describe all options and toggles enabled or changed, - Include any files or environmental changes, - Identify the expected and actual result at each stage, - Ensure any reasonably skilled user can follow and hit the same issue. ### Expected Behavior Openwebui should ignore self signed certificate errors if `AIOHTTP_CLIENT_SESSION_SSL = False` when making calls to the image generation endpoint. ### Actual Behavior The request fails with an `Self signed certificate` error, in this case, when connecting to a comfyui instance ### Steps to Reproduce Configure Openwebui to use a Comfyui endpoint inside the image generation settings. If this endpoint uses a self-signed certificate, the request will fail with the error mentionned above. ### Logs & Screenshots ``` ERROR | open_webui.utils.images.comfyui:comfyui_create_image:180 - Failed to connect to WebSocket server: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self-signed certificate (_ssl.c:1016) ``` ### Additional Information I'm using the `dev` branch to check if the issue has been fixed, but it's not for this use case, or the issue #23672

GiteaMirror added the bug label 2026-05-13 07:28:50 -05:00

GiteaMirror closed this issue

2026-05-13 07:28:50 -05:00

GiteaMirror commented

2026-05-13 07:28:51 -05:00

@xyaz1313 commented on GitHub (Apr 15, 2026):

分析

问题根因：comfyui.py 使用了三种HTTP/WebSocket客户端，但都没有检查 AIOHTTP_CLIENT_SESSION_SSL 环境变量：

websocket-client (第177、256行) — ws.connect() 默认启用SSL验证，不支持自签名证书
urllib.request (第30、45、63行) — urlopen() 默认启用SSL验证
aiohttp (第108行 comfyui_upload_image) — 创建 ClientSession 时没有传 ssl 参数

项目其他模块（如 routers/openai.py）已经正确使用了 AIOHTTP_CLIENT_SESSION_SSL 变量，但 comfyui.py 遗漏了。

修复方案

修改 backend/open_webui/utils/images/comfyui.py：

# 1. 在文件顶部添加 import
import ssl as ssl_module
from open_webui.env import AIOHTTP_CLIENT_SESSION_SSL

# 2. 添加辅助函数，用于获取 SSL 上下文
def _get_ssl_context():
    """Return SSL context respecting AIOHTTP_CLIENT_SESSION_SSL env var."""
    if AIOHTTP_CLIENT_SESSION_SSL:
        return None  # Use default SSL verification
    ctx = ssl_module.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl_module.CERT_NONE
    return ctx

# 3. 修改 queue_prompt, get_image, get_history — 给 urlopen 传 context 参数
# 4. 修改 comfyui_create_image, comfyui_edit_image — 给 ws.connect 传 sslopt 参数
# 5. 修改 comfyui_upload_image — 给 session.post 传 ssl 参数

函数	原始方式	修复方式
`queue_prompt`	`urlopen(req)`	`urlopen(req, context=ssl_ctx)`
`get_image`	`urlopen(req)`	`urlopen(req, context=ssl_ctx)`
`get_history`	`urlopen(req)`	`urlopen(req, context=ssl_ctx)`
`comfyui_create_image`	`ws.connect(...)`	`ws.connect(..., sslopt=sslopt)`
`comfyui_edit_image`	`ws.connect(...)`	`ws.connect(..., sslopt=sslopt)`
`comfyui_upload_image`	`session.post(url, ...)`	`session.post(url, ..., ssl=AIOHTTP_CLIENT_SESSION_SSL)`

这样当用户设置 AIOHTTP_CLIENT_SESSION_SSL=False 时，所有ComfyUI相关的连接都会跳过SSL证书验证，兼容自签名证书环境。

@xyaz1313 commented on GitHub (Apr 15, 2026): ## 分析问题根因：`comfyui.py` 使用了三种HTTP/WebSocket客户端，但都没有检查 `AIOHTTP_CLIENT_SESSION_SSL` 环境变量： 1. **`websocket-client`** (第177、256行) — `ws.connect()` 默认启用SSL验证，不支持自签名证书 2. **`urllib.request`** (第30、45、63行) — `urlopen()` 默认启用SSL验证 3. **`aiohttp`** (第108行 `comfyui_upload_image`) — 创建 `ClientSession` 时没有传 `ssl` 参数项目其他模块（如 `routers/openai.py`）已经正确使用了 `AIOHTTP_CLIENT_SESSION_SSL` 变量，但 `comfyui.py` 遗漏了。 ## 修复方案修改 `backend/open_webui/utils/images/comfyui.py`： ```python # 1. 在文件顶部添加 import import ssl as ssl_module from open_webui.env import AIOHTTP_CLIENT_SESSION_SSL # 2. 添加辅助函数，用于获取 SSL 上下文 def _get_ssl_context(): """Return SSL context respecting AIOHTTP_CLIENT_SESSION_SSL env var.""" if AIOHTTP_CLIENT_SESSION_SSL: return None # Use default SSL verification ctx = ssl_module.create_default_context() ctx.check_hostname = False ctx.verify_mode = ssl_module.CERT_NONE return ctx # 3. 修改 queue_prompt, get_image, get_history — 给 urlopen 传 context 参数 # 4. 修改 comfyui_create_image, comfyui_edit_image — 给 ws.connect 传 sslopt 参数 # 5. 修改 comfyui_upload_image — 给 session.post 传 ssl 参数 ``` | 函数 | 原始方式 | 修复方式 | |------|---------|---------| | `queue_prompt` | `urlopen(req)` | `urlopen(req, context=ssl_ctx)` | | `get_image` | `urlopen(req)` | `urlopen(req, context=ssl_ctx)` | | `get_history` | `urlopen(req)` | `urlopen(req, context=ssl_ctx)` | | `comfyui_create_image` | `ws.connect(...)` | `ws.connect(..., sslopt=sslopt)` | | `comfyui_edit_image` | `ws.connect(...)` | `ws.connect(..., sslopt=sslopt)` | | `comfyui_upload_image` | `session.post(url, ...)` | `session.post(url, ..., ssl=AIOHTTP_CLIENT_SESSION_SSL)` | 这样当用户设置 `AIOHTTP_CLIENT_SESSION_SSL=False` 时，所有ComfyUI相关的连接都会跳过SSL证书验证，兼容自签名证书环境。

GiteaMirror commented

2026-05-13 07:28:51 -05:00

@tjbck commented on GitHub (Apr 15, 2026):

Should be addressed in dev.

@tjbck commented on GitHub (Apr 15, 2026): Should be addressed in dev.

Sign in to join this conversation.

Branches Tags

1 Participants

Notifications

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: github-starred/open-webui#74663