diff --git a/docs/troubleshooting/index.mdx b/docs/troubleshooting/index.mdx index ec6f9fa..99fdac4 100644 --- a/docs/troubleshooting/index.mdx +++ b/docs/troubleshooting/index.mdx 
@@ -60,57 +60,6 @@ For detailed instructions on setting environment variables for Ollama, refer to By following these enhanced troubleshooting steps, connection issues should be effectively resolved. For further assistance or queries, feel free to reach out to us on our community Discord. -## [SSL: CERTIFICATE_VERIFY_FAILED] - -If you get this error while trying to run OI, most likely the issue is that you are on a network which intercepts HTTPS traffic (e.g. a corporate network), -you will need to add the new cert into OI's truststore. - -**For pre-built Docker image**: - -1. Mount the certificiate store from your host machine into the container by passing `--volume=/etc/ssl/certs/ca-certificiate.crt:/etc/ssl/certs/ca-certificiates.crt:ro` as a command-line option to `docker run` -2. Force python to use the system truststore by setting `REQUESTS_CA_BUNDLE=/etc/ssl/certs/ca-certificates.crt` (see https://docs.docker.com/reference/cli/docker/container/run/#env) - -Example `compose.yaml` from [@KizzyCode](https://github.com/open-webui/open-webui/issues/1398#issuecomment-2258463210): - -```yaml -services: - openwebui: - image: ghcr.io/open-webui/open-webui:main - volumes: - - /var/containers/openwebui:/app/backend/data:rw - - /etc/containers/openwebui/compusrv.crt:/etc/ssl/certs/ca-certificates.crt:ro - - /etc/timezone:/etc/timezone:ro - - /etc/localtime:/etc/localtime:ro - environment: - - WEBUI_NAME=compusrv - - ENABLE_SIGNUP=False - - ENABLE_COMMUNITY_SHARING=False - - WEBUI_SESSION_COOKIE_SAME_SITE=strict - - WEBUI_SESSION_COOKIE_SECURE=True - - ENABLE_OLLAMA_API=False - - REQUESTS_CA_BUNDLE=/etc/ssl/certs/ca-certificates.crt -``` - -The `ro` flag mounts the CA store as read-only - -**For local development**: - -You can also add the certificates in the build process by modifying the `Dockerfile`. This is useful if you want to make changes to the UI, for instance. 
-Since the build happens in [multiple stages](https://docs.docker.com/build/building/multi-stage/), you have to add the cert into both -1. Frontend (`build` stage): -```dockerfile -COPY package.json package-lock.json .crt ./ -ENV NODE_EXTRA_CA_CERTS=/app/.crt -RUN npm ci -``` -2. Backend (`base` stage): -```dockerfile -COPY /usr/local/share/ca-certificates/ -RUN update-ca-certificates -ENV PIP_CERT=/etc/ssl/certs/ca-certificates.crt \ - REQUESTS_CA_BUNDLE=/etc/ssl/certs/ca-certificates.crt -``` - ## Network Diagrams of different deployments #### Mac OS/Windows - Ollama on Host, Open WebUI in container diff --git a/docs/tutorial/custom-ca.md b/docs/tutorial/custom-ca.md new file mode 100644 index 0000000..2b5bf79 --- /dev/null +++ b/docs/tutorial/custom-ca.md 
@@ -0,0 +1,53 @@ +--- +sidebar_position: 14 +title: Setting up with custom CA store +--- + +If you get an `[SSL: CERTIFICATE_VERIFY_FAILED]` error when trying to run OI, most likely the issue is that you are on a network which intercepts HTTPS traffic (e.g. a corporate network). + +To fix this, you will need to add the new cert into OI's truststore. + +**For pre-built Docker image**: + +1. Mount the certificiate store from your host machine into the container by passing `--volume=/etc/ssl/certs/ca-certificiate.crt:/etc/ssl/certs/ca-certificiates.crt:ro` as a command-line option to `docker run` +2. Force python to use the system truststore by setting `REQUESTS_CA_BUNDLE=/etc/ssl/certs/ca-certificates.crt` (see https://docs.docker.com/reference/cli/docker/container/run/#env) + +Example `compose.yaml` from [@KizzyCode](https://github.com/open-webui/open-webui/issues/1398#issuecomment-2258463210): + +```yaml +services: + openwebui: + image: ghcr.io/open-webui/open-webui:main + volumes: + - /var/containers/openwebui:/app/backend/data:rw + - /etc/containers/openwebui/compusrv.crt:/etc/ssl/certs/ca-certificates.crt:ro + - /etc/timezone:/etc/timezone:ro + - /etc/localtime:/etc/localtime:ro + environment: + - WEBUI_NAME=compusrv + - ENABLE_SIGNUP=False + - ENABLE_COMMUNITY_SHARING=False + - WEBUI_SESSION_COOKIE_SAME_SITE=strict + - WEBUI_SESSION_COOKIE_SECURE=True + - ENABLE_OLLAMA_API=False + - REQUESTS_CA_BUNDLE=/etc/ssl/certs/ca-certificates.crt +``` + +The `ro` flag mounts the CA store as read-only and prevents accidental changes to your host CA store +**For local development**: + +You can also add the certificates in the build process by modifying the `Dockerfile`. This is useful if you want to make changes to the UI, for instance. +Since the build happens in [multiple stages](https://docs.docker.com/build/building/multi-stage/), you have to add the cert into both +1. 
Frontend (`build` stage): +```dockerfile +COPY package.json package-lock.json .crt ./ +ENV NODE_EXTRA_CA_CERTS=/app/.crt +RUN npm ci +``` +2. Backend (`base` stage): +```dockerfile +COPY /usr/local/share/ca-certificates/ +RUN update-ca-certificates +ENV PIP_CERT=/etc/ssl/certs/ca-certificates.crt \ + REQUESTS_CA_BUNDLE=/etc/ssl/certs/ca-certificates.crt +```
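Review bot: In docs/troubleshooting/index.mdx, the hunk at -60,57 deletes the `## [SSL: CERTIFICATE_VERIFY_FAILED]` section outright and leaves nothing pointing to docs/tutorial/custom-ca.md. Anyone who searches the troubleshooting page for the error string, or follows an existing link to that heading's anchor, will find nothing. Keep the heading with a one-line summary and a link to the new tutorial page rather than removing it entirely.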
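Review bot: In docs/tutorial/custom-ca.md, step 1 of the pre-built Docker image instructions mounts to `/etc/ssl/certs/ca-certificiates.crt` (misspelled, with the source side spelled `ca-certificiate.crt`), while step 2 points `REQUESTS_CA_BUNDLE` at `/etc/ssl/certs/ca-certificates.crt`, so a reader who copies both ends up with the variable naming a path the mount did not populate. Since this text is being moved anyway, correct both sides of the `--volume` option to `ca-certificates.crt`. In the Backend (`base` stage) block, `COPY /usr/local/share/ca-certificates/` has a destination but no source, and in the Frontend block the certificate appears only as `.crt`; both read as if a placeholder filename was lost, so name one explicitly and use the same name in `NODE_EXTRA_CA_CERTS`. The compose example bind-mounts a single file, `compusrv.crt`, over the whole `ca-certificates.crt` bundle; add a sentence saying that file must itself be a complete bundle, otherwise anything reading that path trusts only the CAs in that one file. Finally, add a blank line before `**For local development**:` so it does not render as part of the `ro` flag paragraph.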