Help - certificate verify failed: self-signed certificate in certificate chain (_ssl.c:1000)'))

[chendave]

Self Checks

• I have searched for existing issues search for existing issues, including closed ones.
• I confirm that I am using English to submit this report (我已阅读并同意 Language Policy).
• [FOR CHINESE USERS] 请务必使用英文提交 Issue，否则会被关闭。谢谢！:)
• Please do not modify this template :) and fill in all the required fields.

1. Is this request related to a challenge you're experiencing? Tell me about your story.

I setup the dify in our lab, and want to configure the model provider (deepseek) which is setup by the vllm, but I got the error like this from the portal:

An error occurred during credentials validation: HTTPSConnectionPool(host='api-ingress-internal-staging-hrz.g.cneast.test.com.cn', port=443): Max retries exceeded with url: /llm-service-backend-serv/chat/completions (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self-signed certificate in certificate chain (_ssl.c:1000)')))

logs from the container,

docker logs docker-api-1
2025-09-29 06:50:33.614 WARNING [Dummy-26] [version.py:66] - Check update version error: httpx.Timeout must either include a default, or set all four parameters explicitly..
2025-09-29 06:50:54.229 ERROR [Dummy-27] [base.py:211] - Error in stream reponse for plugin {'code': -500, 'message': '{"message":"{\"args\":{},\"error_type\":\"CredentialsValidateFailedError\",\"message\":\"An error occurred during credentials validation: HTTPSConnectionPool(host='api-ingress-internal-staging-hrz.g.cneast.test.com.cn', port=443): Max retries exceeded with url: /llm-service-backend-serv/chat/completions (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self-signed certificate in certificate chain (_ssl.c:1000)')))\"}","error_type":"PluginInvokeError","args":null}', 'data': None}

It's indeed using the self-signed certs, but I have import certs into the container of docker-api-1 and most of other containers, the issues still cannot be solved.

Does anyone know how to fix it? or bypass the cert validation?

2. Additional context or comments

No response

[dosubot[bot]]

Hi @chendave! I'm Dosu and I’m helping the dify team.

The SSL verification error happens because Dify's HTTP client doesn't trust your self-signed certificate by default, and just importing the cert into the container isn't enough. You need to update the Dify code to respect the SSL verification setting and restart the container.

Here's how to bypass SSL verification (only do this in a trusted environment):

1. Edit api/core/helper/ssrf_proxy.py and make sure the proxy_mounts config sets the verify parameter to the value of HTTP_REQUEST_NODE_SSL_VERIFY:

   proxy_mounts = {
       "http://": httpx.HTTPTransport(proxy=dify_config.SSRF_PROXY_HTTP_URL, verify=HTTP_REQUEST_NODE_SSL_VERIFY),
       "https://": httpx.HTTPTransport(proxy=dify_config.SSRF_PROXY_HTTPS_URL, verify=HTTP_REQUEST_NODE_SSL_VERIFY)
   }

2. In your .env file, set:

   HTTP_REQUEST_NODE_SSL_VERIFY=False
   

3. Rebuild and restart your API container:

   docker restart docker-api-1
   

Disabling SSL verification is risky—only do this if you trust your network environment. If you want to trust your self-signed cert instead, you'll need to add your CA to the trusted store and set HTTP_REQUEST_NODE_SSL_VERIFY to the path of your CA bundle instead of False details & code example.

Let me know if you need help with the trusted CA approach or if you run into issues after making these changes.

To reply, just mention @dosu.

---

^{How did I do? Good | Irrelevant | Incorrect | Verbose | Hallucination | Report 🐛 | Other}    

[chendave]

I have added this environment in the ".env" file,

HTTP_REQUEST_NODE_SSL_VERIFY=False

I am on the commit id of "244c132656c50bd7e8f88ac049ee8b6499477188", the code of "api/core/helper/ssrf_proxy.py",

def make_request(method, url, max_retries=SSRF_DEFAULT_MAX_RETRIES, **kwargs):
    if "allow_redirects" in kwargs:
        allow_redirects = kwargs.pop("allow_redirects")
        if "follow_redirects" not in kwargs:
            kwargs["follow_redirects"] = allow_redirects

    if "timeout" not in kwargs:
        kwargs["timeout"] = httpx.Timeout(
            timeout=dify_config.SSRF_DEFAULT_TIME_OUT,
            connect=dify_config.SSRF_DEFAULT_CONNECT_TIME_OUT,
            read=dify_config.SSRF_DEFAULT_READ_TIME_OUT,
            write=dify_config.SSRF_DEFAULT_WRITE_TIME_OUT,
        )

    # prioritize per-call option, which can be switched on and off inside the HTTP node on the web UI
    verify_option = kwargs.pop("ssl_verify", dify_config.HTTP_REQUEST_NODE_SSL_VERIFY)
    client = _get_ssrf_client(verify_option)

    retries = 0
    while retries <= max_retries:
    ...

and then run "docker compose down" and "docker compose up -d", the issue is still there.

my question is how I can check the setting in the "HTTP_REQUEST_NODE_SSL_VERIFY" is effective? I suppose the change of code there won't has any different since I am setup the dify via the docker container instead of the source, right?

[chendave]

@dosu

[chendave]

In the file of docker-compose.yaml, I can see the the x-shared-env of "HTTP_REQUEST_NODE_SSL_VERIFY", but I cannot see it is referenced in any of the service. @dosu

[chendave]

I updated the code in the api/core/helper/ssrf_proxy.py as this,

diff --git a/api/core/helper/ssrf_proxy.py b/api/core/helper/ssrf_proxy.py
index 0de026f3c..6f8a8de36 100644
--- a/api/core/helper/ssrf_proxy.py
+++ b/api/core/helper/ssrf_proxy.py
@@ -36,9 +36,11 @@ def _create_proxy_mounts() -> dict[str, httpx.HTTPTransport]:
     return {
         "http://": httpx.HTTPTransport(
             proxy=dify_config.SSRF_PROXY_HTTP_URL,
+            verify=HTTP_REQUEST_NODE_SSL_VERIFY,
         ),
         "https://": httpx.HTTPTransport(
             proxy=dify_config.SSRF_PROXY_HTTPS_URL,
+            verify=HTTP_REQUEST_NODE_SSL_VERIFY,
         ),
     }
 
@@ -86,7 +88,7 @@ def make_request(method, url, max_retries=SSRF_DEFAULT_MAX_RETRIES, **kwargs):
         )
 
     # prioritize per-call option, which can be switched on and off inside the HTTP node on the web UI
-    verify_option = kwargs.pop("ssl_verify", dify_config.HTTP_REQUEST_NODE_SSL_VERIFY)
+    verify_option = kwargs.pop("ssl_verify", "False")
     client = _get_ssrf_client(verify_option)
 
     retries = 0

set HTTP_REQUEST_NODE_SSL_VERIFY to False in the .env file, and rebuild the docker image,

this command show the env is effective,

docker exec docker-api-1 env | grep HTTP_REQUEST_NODE_SSL_VERIFY
HTTP_REQUEST_NODE_SSL_VERIFY=False

docker logs docker-api-1 -f shows the issue still there,

2025-09-29 09:08:23.190 WARNING [Dummy-2] [version.py:66] - Check update version error: httpx.Timeout must either include a default, or set all four parameters explicitly..
2025-09-29 09:08:45.481 ERROR [Dummy-3] [base.py:211] - Error in stream reponse for plugin {'code': -500, 'message': '{"message":"{\"args\":{},\"error_type\":\"CredentialsValidateFailedError\",\"message\":\"An error occurred during credentials validation: HTTPSConnectionPool(host='api-ingress-internal-staging-hrz.g.cneast.test.com.cn', port=443): Max retries exceeded with url: /llm-service-backend-serv/chat/completions (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self-signed certificate in certificate chain (_ssl.c:1000)')))\"}","error_type":"PluginInvokeError","args":null}', 'data': None}

so, why? where is the issue thrown? @dosu

[dosubot[bot]]

Your changes to ssrf_proxy.py and the HTTP_REQUEST_NODE_SSL_VERIFY variable only affect httpx-based requests in the API backend. The SSL verification error you’re seeing is actually thrown by the plugin-daemon, which uses the Python requests library and does not respect this variable. By default, plugin-daemon enforces SSL verification using the system CA certificates inside its own container.

To fix this, you need to make plugin-daemon trust your self-signed certificate. The recommended way is to mount your CA bundle into the plugin-daemon container and set the REQUESTS_CA_BUNDLE environment variable to point to it. For example, in your docker-compose.yaml:

  plugin_daemon:
    ...
    environment:
      REQUESTS_CA_BUNDLE: /usr/local/share/ca-certificates/root_cert.crt
    volumes:
      - /path/to/your/root_cert.crt:/usr/local/share/ca-certificates/root_cert.crt

Then, exec into the running plugin-daemon container and run:

update-ca-certificates

Restart the plugin-daemon container after this. If you still see SSL errors, double-check that the CA file is readable inside the container and that the path matches exactly. You can also test with a simple Python requests script inside the container to verify SSL connections reference.

Disabling SSL verification globally (e.g., by patching the plugin-daemon code to set verify=False) is possible but not recommended for production due to security risks. Trusting your CA is the safer approach.

Let me know if you need a step-by-step for your specific setup.

To reply, just mention @dosu.

---

^{How did I do? Good | Irrelevant | Incorrect | Verbose | Hallucination | Report 🐛 | Other}    

[chendave]

I found the error is thrown here api/core/plugin/impl/base.py:

 41 class BasePluginClient:
 42     def _request(
 43         self,
 44         method: str,
 45         path: str,
 46         headers: dict | None = None,
 47         data: bytes | dict | str | None = None,
 48         params: dict | None = None,
 49         files: dict | None = None,
 50         stream: bool = False,
 51     ) -> requests.Response:
 52         """
 53         Make a request to the plugin daemon inner API.
 54         """
 55         url = plugin_daemon_inner_api_baseurl / path
 56         headers = headers or {}
 57         headers["X-Api-Key"] = dify_config.PLUGIN_DAEMON_KEY
 58         headers["Accept-Encoding"] = "gzip, deflate, br"
 59 
 60         if headers.get("Content-Type") == "application/json" and isinstance(data, dict):
 61             data = json.dumps(data)
 62 
 63         try:
 64             response = requests.request(
 65                 method=method, url=str(url), headers=headers, data=data, params=params, stream=stream, files=files
 66             )
 67         except requests.ConnectionError:
 68             logger.exception("Request to Plugin Daemon Service failed")
 69             raise PluginDaemonInnerError(code=-500, message="Request to Plugin Daemon Service failed")
 70 
 71         return response

Can I update the code here so that it can bypass the cert validation?

 64             response = requests.request(
 65                 method=method, url=str(url), headers=headers, data=data, params=params, stream=stream, files=files
 66             )

[chendave]

I want to disabling SSL verification globally (e.g., by patching the plugin-daemon code to set verify=False), please tell me how? @dosu

[dosubot[bot]]

To disable SSL verification globally in the plugin-daemon, edit the requests call in BasePluginClient._request (in api/core/plugin/impl/base.py) to add verify=False:

response = requests.request(
    method=method, url=str(url), headers=headers, data=data, params=params, stream=stream, files=files, verify=False
)

After making this change, you need to rebuild the plugin-daemon Docker image. The plugin-daemon code and Dockerfile are not in the main Dify repo—they're in the langgenius/dify-plugin-daemon repository. Clone that repo, apply your patch, then build and tag the image, for example:

docker build -t dify-plugin-daemon:ssl-bypass .

In your main Dify deployment, update the plugin_daemon service in docker-compose.yaml to use your new image tag:

plugin_daemon:
  image: dify-plugin-daemon:ssl-bypass
  ...

Then restart the service:

docker compose down
docker compose up -d

Disabling SSL verification globally exposes you to man-in-the-middle attacks—only do this in a trusted environment. For production, it's safer to mount your CA and set REQUESTS_CA_BUNDLE instead reference.

To reply, just mention @dosu.

---

^{How did I do? Good | Irrelevant | Incorrect | Verbose | Hallucination | Report 🐛 | Other}    

[chendave]

okay, this issue has finally solved, I believe the code base should be updated a little bit.

here is the rootcause,
by default, python is not pointing to the right system certs directory in this container "plugin_daemon"

• I must copied the local ca certs into /usr/local/share/ca-certificates inside the containers
• run "/usr/sbin/update-ca-certificates" inside the container
• config this env in the docker-compose.yaml for "plugin_daemon" container: REQUESTS_CA_BUNDLE: /etc/ssl/certs/ca-certificates.crt
• docker compose down and then up again.