Setting up with custom CA store
If you get an [SSL: CERTIFICATE_VERIFY_FAILED] error when trying to run OI, most likely the issue is that you are on a network which intercepts HTTPS traffic (e.g. a corporate network).
To fix this, you will need to add the new cert into OI's truststore.
For pre-built Docker image:
- Mount the certificiate store from your host machine into the container by passing
--volume=/etc/ssl/certs/ca-certificiate.crt:/etc/ssl/certs/ca-certificiates.crt:roas a command-line option todocker run - Force python to use the system truststore by setting
REQUESTS_CA_BUNDLE=/etc/ssl/certs/ca-certificates.crt(see https://docs.docker.com/reference/cli/docker/container/run/#env)
Example compose.yaml from @KizzyCode:
services:
openwebui:
image: ghcr.io/open-webui/open-webui:main
volumes:
- /var/containers/openwebui:/app/backend/data:rw
- /etc/containers/openwebui/compusrv.crt:/etc/ssl/certs/ca-certificates.crt:ro
- /etc/timezone:/etc/timezone:ro
- /etc/localtime:/etc/localtime:ro
environment:
- WEBUI_NAME=compusrv
- ENABLE_SIGNUP=False
- ENABLE_COMMUNITY_SHARING=False
- WEBUI_SESSION_COOKIE_SAME_SITE=strict
- WEBUI_SESSION_COOKIE_SECURE=True
- ENABLE_OLLAMA_API=False
- REQUESTS_CA_BUNDLE=/etc/ssl/certs/ca-certificates.crt
The ro flag mounts the CA store as read-only and prevents accidental changes to your host CA store
For local development:
You can also add the certificates in the build process by modifying the Dockerfile. This is useful if you want to make changes to the UI, for instance.
Since the build happens in multiple stages, you have to add the cert into both
- Frontend (
buildstage):
COPY package.json package-lock.json <YourRootCert>.crt ./
ENV NODE_EXTRA_CA_CERTS=/app/<YourRootCert>.crt
RUN npm ci
- Backend (
basestage):
COPY <CorporateSSL.crt> /usr/local/share/ca-certificates/
RUN update-ca-certificates
ENV PIP_CERT=/etc/ssl/certs/ca-certificates.crt \
REQUESTS_CA_BUNDLE=/etc/ssl/certs/ca-certificates.crt