From c028d486cc1d9f75d44622bfaff23d57255d3056 Mon Sep 17 00:00:00 2001 From: kenneth Date: Tue, 30 Jul 2024 12:36:27 -0400 Subject: [PATCH] Troubleshoot steps for [SSL: CERTIFICATE_VERIFY_FAILED] --- docs/troubleshooting/index.mdx | 49 ++++++++++++++++++++++++++++++++++ 1 file changed, 49 insertions(+) diff --git a/docs/troubleshooting/index.mdx b/docs/troubleshooting/index.mdx index 99fdac4..ede0c25 100644 --- a/docs/troubleshooting/index.mdx +++ b/docs/troubleshooting/index.mdx @@ -60,6 +60,55 @@ For detailed instructions on setting environment variables for Ollama, refer to By following these enhanced troubleshooting steps, connection issues should be effectively resolved. For further assistance or queries, feel free to reach out to us on our community Discord. +## [SSL: CERTIFICATE_VERIFY_FAILED] + +If you get this error while trying to run OI, most likely the issue is that you are on a network which intercepts HTTPS traffic (e.g. a corporate network), +you will need to add the new cert into OI's truststore. + +**For pre-built Docker image**: + +1. Mount the certificiate store from your host machine into the container by passing `--volume=/etc/ssl/certs/ca-certificiate.crt:/etc/ssl/certs/ca-certificiates.crt:ro` as a command-line option to `docker run` +2. Force python to use the system truststore by setting `REQUESTS_CA_BUNDLE=/etc/ssl/certs/ca-certificates.crt` (see https://docs.docker.com/reference/cli/docker/container/run/#env) + +Example `compose.yaml` from [@KizzyCode](https://github.com/open-webui/open-webui/issues/1398#issuecomment-2258463210): + +```yaml +services: + openwebui: + image: ghcr.io/open-webui/open-webui:main + volumes: + - /var/containers/openwebui:/app/backend/data:rw + - /etc/containers/openwebui/compusrv.crt:/etc/ssl/certs/ca-certificates.crt:ro + - /etc/timezone:/etc/timezone:ro + - /etc/localtime:/etc/localtime:ro + environment: + - WEBUI_NAME=compusrv + - ENABLE_SIGNUP=False + - ENABLE_COMMUNITY_SHARING=False + - WEBUI_SESSION_COOKIE_SAME_SITE=strict + - WEBUI_SESSION_COOKIE_SECURE=True + - ENABLE_OLLAMA_API=False + - REQUESTS_CA_BUNDLE=/etc/ssl/certs/ca-certificates.crt +``` + +**For local development**: + +You can also add the certificates in the build process by modifying the `Dockerfile`. This is useful if you want to make changes to the UI, for instance. +Since the build happens in [multiple stages](https://docs.docker.com/build/building/multi-stage/), you have to add the cert into both +1. Frontend (`build` stage): +```dockerfile +COPY package.json package-lock.json .crt ./ +ENV NODE_EXTRA_CA_CERTS=/app/.crt +RUN npm ci +``` +2. Backend (`base` stage): +```dockerfile +COPY /usr/local/share/ca-certificates/ +RUN update-ca-certificates +ENV PIP_CERT=/etc/ssl/certs/ca-certificates.crt \ + REQUESTS_CA_BUNDLE=/etc/ssl/certs/ca-certificates.crt +``` + ## Network Diagrams of different deployments #### Mac OS/Windows - Ollama on Host, Open WebUI in container