How to skip or fix SSL cert verification error

[qianfeiqianlan]

when i save openai provider with API Base(openai_api_base,base_url), got connection error, message is following

httpx.ConnectError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1007)

i try to use openai SDK test my setting, got correct result

from openai import OpenAI

client = OpenAI(
    api_key="sk-xxxxxxxxxxx",
    base_url="https://open-api.xxx.xx/v1")

stream = client.chat.completions.create(
    model="gpt-3.5-turbo",
    messages=[{"role": "user", "content": "Say this is a test"}],
    stream=True,
)
for chunk in stream:
    if chunk.choices[0].delta.content is not None:
        print(chunk.choices[0].delta.content, end="")

at logs found some init logic, but dont know how to update this logic

1. version 0.6.8
2. deploy on k8s with helm
3. cert was request by certbot
4. https://open-api.xxx.xx was proxy by nginx

related issue

1. certificate verify failed: unable to get local issuer certificate (_ssl.c:1007) #2637
2. Credentials validation failed with status code 500 #4114

[qianfeiqianlan]

add some custom openai http client config was correct?

i use some magic logic to resolve this issue

1. docker exec pod
2. vim core/model_runtime/model_providers/openai/_common.py file
3. use a custom http client httpx.Client(verify=False)
4. commit image and replace old dify api image

[LeoQuote]

install the root certificate inside container, after that everything should be fine.

your changes doesn’t follow the security best practices, you could be attacked by DNS spoofing.

[raccoonex]

Hi guys and all future readers,

Before providing my solutions I woud like to emphasise, that using certificates issued by verified CA authorities should be always your solution (Let's Encrypt certs are free). However if you find yourself in a situation when you have no other option than using a self-signed CA, here is my story:

I got the same error when my custom tool used self-signed certificate. The problem here is that Dify uses httpx for making requests. The httpx uses certifi to verify certificates. And here the fun begins.

The certifi maintains its own registry of verified certification authorities, therefore installing your CA certificate in your Dify environement/container, e.g. with copying your CA to the host machine and runnign the update-ca-certificatescommand, will not help.

The only workaround that made Dify trust my CA was to build my own image with copy of my CA certificate appended to the end of the CA bundle used by certifi.

This is how I did it:

FROM langgenius/dify-api:0.6.8

COPY ./certs/my_awesome_CA.crt /usr/local/share/ca-certificates/

RUN update-ca-certificates  # add to system CAs, probably not needed but can be useful
RUN cat /usr/local/share/ca-certificates/my_awesome_CA.crt >> /usr/local/lib/python3.10/site-packages/certifi/cacert.pem

WORKDIR /app/api

ENTRYPOINT ["/bin/bash", "/entrypoint.sh"]

Check what CA bundle certifi on your machine uses:

import certifi

certifi.where()

Do not use this in a production environment. I repeat, use a certificate issued by verified certification authority whenever possible!

[mbbyn]

Tried this and works perfectly, thank you very much.

[javiergonzales06]

Hi. I tried this methodology. But It still thrown same error which is [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate. Could you help me?

[K1K1K1Zhang]

Hi,

Is there anyone still dealing with this error?

I came up with it a few days ago, and my dify version is 0.6.11.

The error is on the http request node instead of the LLM node.

I tried to fix the problem by adding the line in dify/api/workflow/nodes/http_request/http_executor.py by adding the argument 'verify', to ignore the SSL verification for httpx:

    def _do_http_request(self, headers: dict[str, Any]) -> httpx.Response:
        """
            do http request depending on api bundle
        """
        kwargs = {
            'url': self.server_url,
            'headers': headers,
            'params': self.params,
            'timeout': (self.timeout.connect, self.timeout.read, self.timeout.write),
            'follow_redirects': True,
            'verify': False  # Disable SSL verification for httpx
        }

        if self.method in ('get', 'head', 'options'):
            response = getattr(ssrf_proxy, self.method)(**kwargs)
        elif self.method in ('post', 'put', 'delete', 'patch'):
            response = getattr(ssrf_proxy, self.method)(data=self.body, files=self.files, **kwargs)
        else:
            raise ValueError(f'Invalid http method {self.method}')
        return response

But that didn't work.

[HappyClint]

I did this too， and it‘s did’t work.

[resline]

Resolution that worked for me.

Steps to Resolve:

1. Copy your SSL certificate:

   • Copy my_cert.crt to the ./docker/volumes/app/ssl_certs directory.

2. Modify the docker-compose.yaml file:

   services:
     # API service
     api:
       image: langgenius/dify-api:0.6.12-fix1
       restart: always
       environment:
         # Use the shared environment variables.
         <<: *shared-api-worker-env
         # Startup mode, 'api' starts the API server.
         MODE: api
       depends_on:
         - db
         - redis
       volumes:
         # Mount the storage directory to the container, for storing user files.
         - ./volumes/app/storage:/app/api/storage
         
         # Added line to mount the SSL certificate
         - ./volumes/app/ssl_certs/my_cert.crt:/usr/local/share/ca-certificates/my_cert.crt
         
       entrypoint: 
         # Append certificates to certifi's CA bundle
         - /bin/bash
         - -c 
         - |
           cat /usr/local/share/ca-certificates/my_cert.crt >> /app/api/.venv/lib/python3.10/site-packages/certifi/cacert.pem
           /entrypoint.sh
         
       networks:
         - ssrf_proxy_network
         - default    

Key Additions:

• Mount the SSL Certificate:

  volumes:
    # Added line to mount the SSL certificate
    - ./volumes/app/ssl_certs/my_cert.crt:/usr/local/share/ca-certificates/my_cert.crt

• Update the entrypoint to append the SSL certificate to the Certifi's CA bundle:

  entrypoint: 
    # Added lines to append certificate
    - /bin/bash
    - -c 
    - |
      cat /usr/local/share/ca-certificates/my_cert.crt >> /app/api/.venv/lib/python3.10/site-packages/certifi/cacert.pem
      /entrypoint.sh

Additional Information:

Dify has switched from pip to poetry for dependency management. This change has affected the path where Certifi's CA bundle is stored compared to previous versions. Ensure you use the correct path (/app/api/.venv/lib/python3.10/site-packages/certifi/cacert.pem) as shown above.

By following these steps, you should be able to resolve the SSL certificate issue effectively. Feel free to reach out if you have any further questions or need additional assistance.

---