From c028d486cc1d9f75d44622bfaff23d57255d3056 Mon Sep 17 00:00:00 2001 From: kenneth Date: Tue, 30 Jul 2024 12:36:27 -0400 Subject: [PATCH 1/3] Troubleshoot steps for [SSL: CERTIFICATE_VERIFY_FAILED] --- docs/troubleshooting/index.mdx | 49 ++++++++++++++++++++++++++++++++++ 1 file changed, 49 insertions(+) diff --git a/docs/troubleshooting/index.mdx b/docs/troubleshooting/index.mdx index 99fdac4..ede0c25 100644 --- a/docs/troubleshooting/index.mdx +++ b/docs/troubleshooting/index.mdx 
@@ -60,6 +60,55 @@ For detailed instructions on setting environment variables for Ollama, refer to By following these enhanced troubleshooting steps, connection issues should be effectively resolved. For further assistance or queries, feel free to reach out to us on our community Discord. +## [SSL: CERTIFICATE_VERIFY_FAILED] + +If you get this error while trying to run OI, most likely the issue is that you are on a network which intercepts HTTPS traffic (e.g. a corporate network), +you will need to add the new cert into OI's truststore. + +**For pre-built Docker image**: + +1. Mount the certificiate store from your host machine into the container by passing `--volume=/etc/ssl/certs/ca-certificiate.crt:/etc/ssl/certs/ca-certificiates.crt:ro` as a command-line option to `docker run` +2. Force python to use the system truststore by setting `REQUESTS_CA_BUNDLE=/etc/ssl/certs/ca-certificates.crt` (see https://docs.docker.com/reference/cli/docker/container/run/#env) + +Example `compose.yaml` from [@KizzyCode](https://github.com/open-webui/open-webui/issues/1398#issuecomment-2258463210): + +```yaml +services: + openwebui: + image: ghcr.io/open-webui/open-webui:main + volumes: + - /var/containers/openwebui:/app/backend/data:rw + - /etc/containers/openwebui/compusrv.crt:/etc/ssl/certs/ca-certificates.crt:ro + - /etc/timezone:/etc/timezone:ro + - /etc/localtime:/etc/localtime:ro + environment: + - WEBUI_NAME=compusrv + - ENABLE_SIGNUP=False + - ENABLE_COMMUNITY_SHARING=False + - WEBUI_SESSION_COOKIE_SAME_SITE=strict + - WEBUI_SESSION_COOKIE_SECURE=True + - ENABLE_OLLAMA_API=False + - REQUESTS_CA_BUNDLE=/etc/ssl/certs/ca-certificates.crt +``` + +**For local development**: + +You can also add the certificates in the build process by modifying the `Dockerfile`. This is useful if you want to make changes to the UI, for instance. +Since the build happens in [multiple stages](https://docs.docker.com/build/building/multi-stage/), you have to add the cert into both +1. 
Frontend (`build` stage): +```dockerfile +COPY package.json package-lock.json .crt ./ +ENV NODE_EXTRA_CA_CERTS=/app/.crt +RUN npm ci +``` +2. Backend (`base` stage): +```dockerfile +COPY /usr/local/share/ca-certificates/ +RUN update-ca-certificates +ENV PIP_CERT=/etc/ssl/certs/ca-certificates.crt \ + REQUESTS_CA_BUNDLE=/etc/ssl/certs/ca-certificates.crt +``` + ## Network Diagrams of different deployments #### Mac OS/Windows - Ollama on Host, Open WebUI in container From 6f64e17f56e5f7a3ecb6c984333f878b2470b636 Mon Sep 17 00:00:00 2001 From: kenneth Date: Tue, 30 Jul 2024 12:49:10 -0400 Subject: [PATCH 2/3] note for `ro` flag --- docs/troubleshooting/index.mdx | 2 ++ 1 file changed, 2 insertions(+) diff --git a/docs/troubleshooting/index.mdx b/docs/troubleshooting/index.mdx index ede0c25..ec6f9fa 100644 --- a/docs/troubleshooting/index.mdx +++ b/docs/troubleshooting/index.mdx @@ -91,6 +91,8 @@ services: - REQUESTS_CA_BUNDLE=/etc/ssl/certs/ca-certificates.crt ``` +The `ro` flag mounts the CA store as read-only + **For local development**: You can also add the certificates in the build process by modifying the `Dockerfile`. This is useful if you want to make changes to the UI, for instance. From 41b8c5284fd01b2ae3e1ca80df8b1b8e82820cc2 Mon Sep 17 00:00:00 2001 From: Kenneth Sun Date: Tue, 30 Jul 2024 19:11:40 -0400 Subject: [PATCH 3/3] move custom ca docs under tutorials --- docs/troubleshooting/index.mdx | 51 -------------------------------- docs/tutorial/custom-ca.md | 53 ++++++++++++++++++++++++++++++++++ 2 files changed, 53 insertions(+), 51 deletions(-) create mode 100644 docs/tutorial/custom-ca.md diff --git a/docs/troubleshooting/index.mdx b/docs/troubleshooting/index.mdx index ec6f9fa..99fdac4 100644 --- a/docs/troubleshooting/index.mdx +++ b/docs/troubleshooting/index.mdx 
@@ -60,57 +60,6 @@ For detailed instructions on setting environment variables for Ollama, refer to By following these enhanced troubleshooting steps, connection issues should be effectively resolved. For further assistance or queries, feel free to reach out to us on our community Discord. -## [SSL: CERTIFICATE_VERIFY_FAILED] - -If you get this error while trying to run OI, most likely the issue is that you are on a network which intercepts HTTPS traffic (e.g. a corporate network), -you will need to add the new cert into OI's truststore. - -**For pre-built Docker image**: - -1. Mount the certificiate store from your host machine into the container by passing `--volume=/etc/ssl/certs/ca-certificiate.crt:/etc/ssl/certs/ca-certificiates.crt:ro` as a command-line option to `docker run` -2. Force python to use the system truststore by setting `REQUESTS_CA_BUNDLE=/etc/ssl/certs/ca-certificates.crt` (see https://docs.docker.com/reference/cli/docker/container/run/#env) - -Example `compose.yaml` from [@KizzyCode](https://github.com/open-webui/open-webui/issues/1398#issuecomment-2258463210): - -```yaml -services: - openwebui: - image: ghcr.io/open-webui/open-webui:main - volumes: - - /var/containers/openwebui:/app/backend/data:rw - - /etc/containers/openwebui/compusrv.crt:/etc/ssl/certs/ca-certificates.crt:ro - - /etc/timezone:/etc/timezone:ro - - /etc/localtime:/etc/localtime:ro - environment: - - WEBUI_NAME=compusrv - - ENABLE_SIGNUP=False - - ENABLE_COMMUNITY_SHARING=False - - WEBUI_SESSION_COOKIE_SAME_SITE=strict - - WEBUI_SESSION_COOKIE_SECURE=True - - ENABLE_OLLAMA_API=False - - REQUESTS_CA_BUNDLE=/etc/ssl/certs/ca-certificates.crt -``` - -The `ro` flag mounts the CA store as read-only - -**For local development**: - -You can also add the certificates in the build process by modifying the `Dockerfile`. This is useful if you want to make changes to the UI, for instance. 
-Since the build happens in [multiple stages](https://docs.docker.com/build/building/multi-stage/), you have to add the cert into both -1. Frontend (`build` stage): -```dockerfile -COPY package.json package-lock.json .crt ./ -ENV NODE_EXTRA_CA_CERTS=/app/.crt -RUN npm ci -``` -2. Backend (`base` stage): -```dockerfile -COPY /usr/local/share/ca-certificates/ -RUN update-ca-certificates -ENV PIP_CERT=/etc/ssl/certs/ca-certificates.crt \ - REQUESTS_CA_BUNDLE=/etc/ssl/certs/ca-certificates.crt -``` - ## Network Diagrams of different deployments #### Mac OS/Windows - Ollama on Host, Open WebUI in container diff --git a/docs/tutorial/custom-ca.md b/docs/tutorial/custom-ca.md new file mode 100644 index 0000000..2b5bf79 --- /dev/null +++ b/docs/tutorial/custom-ca.md 
@@ -0,0 +1,53 @@ +--- +sidebar_position: 14 +title: Setting up with custom CA store +--- + +If you get an `[SSL: CERTIFICATE_VERIFY_FAILED]` error when trying to run OI, most likely the issue is that you are on a network which intercepts HTTPS traffic (e.g. a corporate network). + +To fix this, you will need to add the new cert into OI's truststore. + +**For pre-built Docker image**: + +1. Mount the certificiate store from your host machine into the container by passing `--volume=/etc/ssl/certs/ca-certificiate.crt:/etc/ssl/certs/ca-certificiates.crt:ro` as a command-line option to `docker run` +2. Force python to use the system truststore by setting `REQUESTS_CA_BUNDLE=/etc/ssl/certs/ca-certificates.crt` (see https://docs.docker.com/reference/cli/docker/container/run/#env) + +Example `compose.yaml` from [@KizzyCode](https://github.com/open-webui/open-webui/issues/1398#issuecomment-2258463210): + +```yaml +services: + openwebui: + image: ghcr.io/open-webui/open-webui:main + volumes: + - /var/containers/openwebui:/app/backend/data:rw + - /etc/containers/openwebui/compusrv.crt:/etc/ssl/certs/ca-certificates.crt:ro + - /etc/timezone:/etc/timezone:ro + - /etc/localtime:/etc/localtime:ro + environment: + - WEBUI_NAME=compusrv + - ENABLE_SIGNUP=False + - ENABLE_COMMUNITY_SHARING=False + - WEBUI_SESSION_COOKIE_SAME_SITE=strict + - WEBUI_SESSION_COOKIE_SECURE=True + - ENABLE_OLLAMA_API=False + - REQUESTS_CA_BUNDLE=/etc/ssl/certs/ca-certificates.crt +``` + +The `ro` flag mounts the CA store as read-only and prevents accidental changes to your host CA store +**For local development**: + +You can also add the certificates in the build process by modifying the `Dockerfile`. This is useful if you want to make changes to the UI, for instance. +Since the build happens in [multiple stages](https://docs.docker.com/build/building/multi-stage/), you have to add the cert into both +1. 
Frontend (`build` stage): +```dockerfile +COPY package.json package-lock.json .crt ./ +ENV NODE_EXTRA_CA_CERTS=/app/.crt +RUN npm ci +``` +2. Backend (`base` stage): +```dockerfile +COPY /usr/local/share/ca-certificates/ +RUN update-ca-certificates +ENV PIP_CERT=/etc/ssl/certs/ca-certificates.crt \ + REQUESTS_CA_BUNDLE=/etc/ssl/certs/ca-certificates.crt +```
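
Review bot: In step 1 of the "For pre-built Docker image" list in [PATCH 1/3], the `--volume` target is spelled `/etc/ssl/certs/ca-certificiates.crt`, which is not the `/etc/ssl/certs/ca-certificates.crt` that step 2 points `REQUESTS_CA_BUNDLE` at. A reader who copies both steps mounts the bundle at a path Python never reads, and the verification error persists. The source side of the mount (`ca-certificiate.crt`) and the word "certificiate" in the sentence carry the same misspelling. Suggest `ca-certificates.crt` on both sides of the mount, assuming a Debian-style host bundle. The same line is carried unchanged into `docs/tutorial/custom-ca.md` in [PATCH 3/3] and needs the fix there as well.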
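
Review bot: The sentence added in [PATCH 2/3] calls the mount "the CA store", but the compose example directly above it bind-mounts a single file, `/etc/containers/openwebui/compusrv.crt`, over `/etc/ssl/certs/ca-certificates.crt`, and a file bind mount replaces the image's bundle rather than adding to it. The doc should state that the mounted file has to be a complete bundle (the intercepting CA plus every public root the container still needs). If it holds only the corporate CA, connections that are not intercepted will start failing verification. The sentence is also missing its closing period.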
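
Review bot: After the first hunk of [PATCH 3/3], `docs/troubleshooting/index.mdx` no longer mentions `[SSL: CERTIFICATE_VERIFY_FAILED]` at all (51 deletions, no insertions in that file), so a reader who searches the troubleshooting page for the error string finds nothing. Suggest keeping the `## [SSL: CERTIFICATE_VERIFY_FAILED]` heading there with a one-line pointer to the new `docs/tutorial/custom-ca.md` page.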
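
Review bot: In the backend (`base` stage) snippet of the new `docs/tutorial/custom-ca.md`, `COPY /usr/local/share/ca-certificates/` has a destination but no source, so a Dockerfile edited as shown fails to build. The frontend snippet has the same gap, with a bare `.crt` in the `COPY` line and in `NODE_EXTRA_CA_CERTS=/app/.crt`. Presumably a file-name placeholder was lost; use a literal example name or a placeholder that survives rendering, and mention that `update-ca-certificates` only picks up files ending in `.crt` from that directory. Two smaller points in the same hunk: there is no blank line between the `ro` sentence and `**For local development**:`, so the bold label renders as part of that paragraph, and "OI" is never defined, while the surrounding docs say "Open WebUI".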