OpenWebUI/docs
1
0
Fork 0
mirror of https://github.com/open-webui/docs synced 2025-05-20 19:26:22 +00:00
Code Issues Actions 1 Packages Projects Releases Wiki Activity

Merge pull request #161 from nomppy/main

Browse Source 
Troubleshoot steps for [SSL: CERTIFICATE_VERIFY_FAILED]
This commit is contained in:
Justin Hayes 2024-07-31 10:01:24 -04:00 committed by GitHub
commit 090f50c685
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
1 changed files with 53 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

53
docs/tutorial/custom-ca.md Normal file
View File

@ -0,0 +1,53 @@
---
sidebar_position: 14
title: Setting up with custom CA store
---
If you get an `[SSL: CERTIFICATE_VERIFY_FAILED]` error when trying to run OI, most likely the issue is that you are on a network which intercepts HTTPS traffic (e.g. a corporate network).
To fix this, you will need to add the new cert into OI's truststore.
**For pre-built Docker image**:
1. Mount the certificiate store from your host machine into the container by passing `--volume=/etc/ssl/certs/ca-certificiate.crt:/etc/ssl/certs/ca-certificiates.crt:ro` as a command-line option to `docker run`
2. Force python to use the system truststore by setting `REQUESTS_CA_BUNDLE=/etc/ssl/certs/ca-certificates.crt` (see https://docs.docker.com/reference/cli/docker/container/run/#env)
Example `compose.yaml` from [@KizzyCode](https://github.com/open-webui/open-webui/issues/1398#issuecomment-2258463210):
```yaml
services:
openwebui:
image: ghcr.io/open-webui/open-webui:main
volumes:
- /var/containers/openwebui:/app/backend/data:rw
- /etc/containers/openwebui/compusrv.crt:/etc/ssl/certs/ca-certificates.crt:ro
- /etc/timezone:/etc/timezone:ro
- /etc/localtime:/etc/localtime:ro
environment:
- WEBUI_NAME=compusrv
- ENABLE_SIGNUP=False
- ENABLE_COMMUNITY_SHARING=False
- WEBUI_SESSION_COOKIE_SAME_SITE=strict
- WEBUI_SESSION_COOKIE_SECURE=True
- ENABLE_OLLAMA_API=False
- REQUESTS_CA_BUNDLE=/etc/ssl/certs/ca-certificates.crt
```
The `ro` flag mounts the CA store as read-only and prevents accidental changes to your host CA store
**For local development**:
You can also add the certificates in the build process by modifying the `Dockerfile`. This is useful if you want to make changes to the UI, for instance.
Since the build happens in [multiple stages](https://docs.docker.com/build/building/multi-stage/), you have to add the cert into both
1. Frontend (`build` stage):
```dockerfile
COPY package.json package-lock.json <YourRootCert>.crt ./
ENV NODE_EXTRA_CA_CERTS=/app/<YourRootCert>.crt
RUN npm ci
```
2. Backend (`base` stage):
```dockerfile
COPY <CorporateSSL.crt> /usr/local/share/ca-certificates/
RUN update-ca-certificates
ENV PIP_CERT=/etc/ssl/certs/ca-certificates.crt \
REQUESTS_CA_BUNDLE=/etc/ssl/certs/ca-certificates.crt
```