Aider-AI
Add an option to skip SSL verification for users behind firewalls
Issue
Per twitter thread:
https://x.com/Liu_eroteme/status/1800186374039187525
Version and model info
No response
I change in ..\Lib\site-packages\httpx_transports\default.py change lines ssl_context = create_ssl_context(verify=False: Verify to False. ( lines 136 and 277)
I just added a --no-verify-ssl option, which disables it per the litellm docs:
https://docs.litellm.ai/docs/providers/openai#set-ssl_verifyfalse
I'm going to close this issue for now, but feel free to add a comment here and I will re-open or file a new issue any time.
Installing collected packages: aider-chat Attempting uninstall: aider-chat Found existing installation: aider-chat 0.38.0 Uninstalling aider-chat-0.38.0: Successfully uninstalled aider-chat-0.38.0 Successfully installed aider-chat-0.39.0 <-----------------<<
aider: error: unrecognized arguments: --no-verify-ssl
The change is available in the main branch. You can get it by installing the latest version from github:
python -m pip install --upgrade git+https://github.com/paul-gauthier/aider.git
If you have a chance to try it, let me know if it works better for you.
aider --git --browser --no-auto-commits --opus --no-verify-ssl
CONTROL-C to exit... Watching for file changes.
You can now view your Streamlit app in your browser.
Local URL: http://localhost:8501 Network URL: http://192.168.1.7:8501
Error checking pypi for new version: HTTPSConnectionPool(host='pypi.org', port=443): Max retries exceeded with url: /pypi/aider-chat/json (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self-signed certificate in certificate chain (_ssl.c:1000)'))) Aider v0.40.2-dev Models: claude-3-opus-20240229 with diff edit format, weak model claude-3-haiku-20240307 Git repo: .git with 2 files Repo-map: using 1024 tokens litellm.APIConnectionError: HTTPSConnectionPool(host='api.anthropic.com', port=443): Max retries exceeded with url: /v1/messages (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self-signed certificate in certificate chain (_ssl.c:1000)')))
Thanks for reporting this regression. It should be fixed in the main branch.
The change is available in the main branch. You can get it by installing the latest version from github:
python -m pip install --upgrade git+https://github.com/paul-gauthier/aider.git
If you have a chance to try it, let me know if it works better for you.
I'm going to close this issue for now, but feel free to add a comment here and I will re-open or file a new issue any time.
Aiders update check does respect this option, but the anthropic API does not:
> aider --no-verify-ssl
Aider v0.54.7
Main model: claude-3-5-sonnet-20240620 with diff edit format, infinite output
Weak model: claude-3-haiku-20240307
Git repo: .git with 7 files
Repo-map: using 1024 tokens, auto refresh
Use /help <question> for help, run "aider --help" to see cmd line args
───────────────────────────────────────────────────────────────────────────────────────────────────────────────
> test!
litellm.InternalServerError: AnthropicException - [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed:
self-signed certificate in certificate chain (_ssl.c:1007). Handle with `litellm.InternalServerError`.
Retrying in 0.2 seconds...
litellm.InternalServerError: AnthropicException - [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed:
self-signed certificate in certificate chain (_ssl.c:1007). Handle with `litellm.InternalServerError`.
Retrying in 0.5 seconds...
litellm.InternalServerError: AnthropicException - [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed:
self-signed certificate in certificate chain (_ssl.c:1007). Handle with `litellm.InternalServerError`.
Retrying in 1.0 seconds...
^C again to exit
───────────────────────────────────────────────────────────────────────────────────────────────────────────────
>
Got below error too while using gemini:
litellm.APIConnectionError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1006)
0.56.0, and making a change to site-packages\httpx_transports\default.py works, but need some retries sometimes.
The fix is available in the main branch. You can get it by installing the latest version from github:
aider --install-main-branch
# or...
python -m pip install --upgrade git+https://github.com/paul-gauthier/aider.git
If you have a chance to try it, let me know if it works better for you.
/ I'm going to close this issue for now, but feel free to add a comment here and I will re-open. Or feel free to file a new issue any time.
I'm still hitting this with 0.59.1:
aider --model ollama/llama3.1:latest --no-verify-ssl
──────────────────────────────────
Aider v0.59.1
Model: ollama/llama3.1:latest with whole edit format
──────────────────────────────────
> Hello
[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1000)
Retrying in 0.2 seconds...
I'm attempting to connect to a company internal OpenWebUI instance with a self signed certificate, using
OLLAMA_API_BASE = https://myaiservice.domain.com/ollama
aider --model ollama_chat/llama3.1:8b --no-verify-ssl Aider v0.65.2.dev75+g37854156 Model: ollama_chat/llama3.1:8b with whole edit format Git repo: .git with 8 files Repo-map: disabled VSCode terminal detected, pretty output has been disabled. Use /help
for help, run "aider --help" to see cmd line args
why is the sky blue ?
File "/home/vscode/.local/lib/python3.12/site-packages/httpcore/_exceptions.py", line 14, in map_exceptions raise to_exc(exc) from exc httpcore.ConnectError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1000)
The above exception was the direct cause of the following exception:
Traceback (most recent call last): File "/home/vscode/.local/lib/python3.12/site-packages/aider/coders/base_coder.py", line 1215, in send_message yield from self.send(messages, functions=self.functions) File "/home/vscode/.local/lib/python3.12/site-packages/aider/coders/base_coder.py", line 1532, in send yield from self.show_send_output_stream(completion) File "/home/vscode/.local/lib/python3.12/site-packages/aider/coders/base_coder.py", line 1599, in show_send_output_stream for chunk in completion: ^^^^^^^^^^ File "/home/vscode/.local/lib/python3.12/site-packages/litellm/llms/ollama_chat.py", line 392, in ollama_completion_stream with httpx.stream(**_request) as response: ^^^^^^^^^^^^^^^^^^^^^^^^ File "/usr/local/python/3.12.7/lib/python3.12/contextlib.py", line 137, in enter return next(self.gen) ^^^^^^^^^^^^^^ File "/usr/local/python/3.12.7/lib/python3.12/site-packages/httpx/_api.py", line 172, in stream with client.stream( ^^^^^^^^^^^^^^ File "/usr/local/python/3.12.7/lib/python3.12/contextlib.py", line 137, in enter return next(self.gen) ^^^^^^^^^^^^^^ File "/usr/local/python/3.12.7/lib/python3.12/site-packages/httpx/_client.py", line 880, in stream response = self.send( ^^^^^^^^^^ File "/usr/local/python/3.12.7/lib/python3.12/site-packages/httpx/_client.py", line 926, in send response = self._send_handling_auth( ^^^^^^^^^^^^^^^^^^^^^^^^^ File "/usr/local/python/3.12.7/lib/python3.12/site-packages/httpx/_client.py", line 954, in _send_handling_auth response = self._send_handling_redirects( ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ File "/usr/local/python/3.12.7/lib/python3.12/site-packages/httpx/_client.py", line 991, in _send_handling_redirects response = self._send_single_request(request) ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ File "/usr/local/python/3.12.7/lib/python3.12/site-packages/httpx/_client.py", line 1027, in _send_single_request response = transport.handle_request(request) ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ File "/usr/local/python/3.12.7/lib/python3.12/site-packages/httpx/_transports/default.py", line 235, in handle_request with map_httpcore_exceptions(): ^^^^^^^^^^^^^^^^^^^^^^^^^ File "/usr/local/python/3.12.7/lib/python3.12/contextlib.py", line 158, in exit self.gen.throw(value) File "/usr/local/python/3.12.7/lib/python3.12/site-packages/httpx/_transports/default.py", line 89, in map_httpcore_exceptions raise mapped_exc(message) from exc httpx.ConnectError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1000)
[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1000)
This is a litellm bug for Ollama models.
https://github.com/BerriAI/litellm/issues/6499
We need them to address it or provide guidance.
This is waiting on litellm lookin at my PR: https://github.com/BerriAI/litellm/pull/7028
Using aider --no-verify-ssl seems to work now for everything except ollama_chat/ models. Even ollama/ models work.
I wonder if the problem with ollama_chat/ is related to: https://github.com/BerriAI/litellm/issues/8333
It looks like the latest version of Aider (0.74.2) no longer respects the --no-verify-ssl option.
I've been using Aider for a few months and recently set up a new MacBook. Since I work within a company network, I need to disable SSL verification. I enabled verify-ssl: false in .aider.conf.yaml and also tried launching Aider with:
aider --cache-prompts --no-stream --no-verify-ssl --sonnet --anthropic-api-key ***
I'm using the Claude 3.5 Sonnet model. On my new MacBook, Aider fails with an SSL certificate verification error. To verify, I tested the same setup on my old MacBook, where Aider v0.73.x worked fine. However, after upgrading to v0.74.2, it stopped working there as well.
Aider starts successfully, but when sending a prompt, I get this error:
litellm.InternalServerError: AnthropicException - [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1000). Handle with 'litellm.InternalServerError'.
Is this a known issue in v0.74.2, or is there a configuration change I may have missed?
It looks like the latest version of Aider (0.74.2) no longer respects the --no-verify-ssl option.
I've been using Aider for a few months and recently set up a new MacBook. Since I work within a company network, I need to disable SSL verification. I enabled verify-ssl: false in .aider.conf.yaml and also tried launching Aider with:
aider --cache-prompts --no-stream --no-verify-ssl --sonnet --anthropic-api-key ***I'm using the Claude 3.5 Sonnet model. On my new MacBook, Aider fails with an SSL certificate verification error. To verify, I tested the same setup on my old MacBook, where Aider v0.73.x worked fine. However, after upgrading to v0.74.2, it stopped working there as well.
Aider starts successfully, but when sending a prompt, I get this error:
litellm.InternalServerError: AnthropicException - [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1000). Handle with 'litellm.InternalServerError'.Is this a known issue in v0.74.2, or is there a configuration change I may have missed?
i have the same problem after update
This is still happening in 0.75.1 (on Windows 11 Pro, in Powershell):
> aider --no-verify-ssl --model sonnet
────────────────────────────────────────────────────────────────────────────────────────────────────────────
HTTPSConnectionPool(host='raw.githubusercontent.com', port=443): Max retries exceeded with url: /BerriAI/litellm/main/model_prices_and_context_window.json (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1000)')))
Aider v0.75.1
...
In my case, where the problem is caused by corporate use of ZScaler, I found that this was a step in the right direction:
> python -m pip install pip-system-certs
Now in VS Code's Terminal (Powershell, Windows 11):
> aider --model sonnet
─────────────────────────────────────────────────────────────────────────────────────────
Aider v0.75.1
Main model: anthropic/claude-3-7-sonnet-20250219 with diff edit format, infinite output
Weak model: anthropic/claude-3-5-haiku-20241022
Git repo: .git with 13 files
Repo-map: using 4096 tokens, auto refresh
─────────────────────────────────────────────────────────────────────────────────────────
>
Then when I tried to use the LLM, I got an error from litellm:
litellm.InternalServerError: AnthropicException - [SSL: CERTIFICATE_VERIFY_FAILED]
certificate verify failed: unable to get local issuer certificate (_ssl.c:1000). Handle
with `litellm.InternalServerError`.
The API provider's servers are down or overloaded.
Retrying in 0.2 seconds...
...
...so I still needed the --no-verify-ssl option.
With pip-system-certs installed and the --no-verify-ssl option to aider, everything seems to be working.
I worked around this by creating an nginx proxy:
events {}
http {
server {
listen 80;
server_name ollama.local;
location / {
proxy_pass https://org-internal-ollama;
proxy_set_header Authorization "Bearer eyJh....";
proxy_ssl_verify off; # Disable SSL verification for self-signed certificates
}
}
}
Whilst not entirely the same issue, I am not only sat behind a firewall but we use internal mirrors for "approved" software installs. As such we have our own internal "pypi" mirror updated independently.
The check_version function directly calls the public mirror (https://github.com/Aider-AI/aider/blob/main/aider/versioncheck.py#L78)
To install I updated the PIP_INDEX_URL and UV_DEFAULT_INDEX environment variables, could the check_version be updated to be configured in a similar way ?
Adding my experience - --no-verify-ssl didn't do anything for me. Installing in the same venv (pipx inject aider-chat pip-system-certs) did work.
