
Impossible to use behind a proxy with a custom certificate (Cloudflare Zero Trust)

Open tristanbes opened this issue 1 year ago • 4 comments

Bug Description

Hello,

I'm using my Mac with a corporate Zero Trust solution (Cloudflare Zero Trust) that requires adding a custom certificate in the keychain and some specific programs (https://developers.cloudflare.com/cloudflare-one/connections/connect-devices/warp/user-side-certificates/install-cloudflare-cert/).

The console is spammed with messages like

service - Unexpected error occurred: [SSL: service.py:76 CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1000)

It's not possible to run anything that requires HTTP calls.

Reproduction

I tried running the image with:

docker run -it --rm -v ~/workspace/Cloudflare_CA.pem:/tmp/cf.pem -e REQUESTS_CA_BUNDLE=/tmp/cf.pem -p 7860:7860 langflowai/langflow:latest

But the project doesn't seem to use the certificate when doing external calls.

Expected behavior

Who can help?

No response

Operating System

MacOS 14.6.1

Langflow Version

v1.0.18

Python Version

None

Screenshot

CleanShot 2024-09-16 at 16 16 28@2x

Flow File

No response

tristanbes avatar Sep 16 '24 14:09 tristanbes

Langflow currently does not have built-in support for specifying custom CA certificates for SSL verification directly. However, you can try the following workaround to use your custom certificate with the httpx library, which Langflow uses for HTTP requests.

  1. Ensure the certifi package is installed:

    pip install certifi
    
  2. Combine the Cloudflare certificate with existing CA certificates:

    cat /path/to/cacert.pem /path/to/Cloudflare_CA.pem > /path/to/combined_ca.pem
    
  3. Set the REQUESTS_CA_BUNDLE environment variable:

    export REQUESTS_CA_BUNDLE=/path/to/combined_ca.pem
    
  4. Run the Docker container with the combined CA bundle:

    docker run -it --rm -v /path/to/combined_ca.pem:/tmp/combined_ca.pem -e REQUESTS_CA_BUNDLE=/tmp/combined_ca.pem -p 7860:7860 langflowai/langflow:latest
    

This should allow Langflow to use the custom certificate for SSL verification. If the issue persists, you might need to modify the httpx client configuration in the Langflow codebase to explicitly use the custom CA bundle.

For reference, the relevant code for making HTTP requests in Langflow is located in the src/backend/base/langflow/components/data/APIRequest.py file [1].


dosubot[bot] avatar Sep 16 '24 14:09 dosubot[bot]
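
Added example (not part of the thread and not Langflow code): step 2 of the workaround above done in Python instead of `cat`, so the merge drops duplicates and the file a variable points at can be checked for the corporate root before it is mounted into the container. `SSL_CERT_FILE` is the variable OpenSSL's default verify paths read; the function names and the `fake_pem` sample generator are assumptions made for this illustration.

```python
import base64
import hashlib
import os
import ssl

BEGIN, END = "-----BEGIN CERTIFICATE-----", "-----END CERTIFICATE-----"

def split_pem(text):
    """Return each PEM certificate block in text, skipping comments between blocks."""
    blocks, current = [], None
    for line in (l.strip() for l in text.splitlines()):
        if line == BEGIN:
            current = [line]
        elif current is not None:
            current.append(line)
            if line == END:
                blocks.append("\n".join(current) + "\n")
                current = None
    return blocks

def fingerprint(pem_block):
    """SHA-256 of the DER bytes, so differently wrapped PEM text still matches."""
    return hashlib.sha256(ssl.PEM_cert_to_DER_cert(pem_block)).hexdigest()

def merge_bundles(*pem_texts):
    """Concatenate bundles, dropping duplicates by fingerprint (safe to re-run)."""
    seen, out = set(), []
    for block in (b for text in pem_texts for b in split_pem(text)):
        if fingerprint(block) not in seen:
            seen.add(fingerprint(block))
            out.append(block)
    return "".join(out)

def bundle_status(custom_ca_pem, env=os.environ, names=("REQUESTS_CA_BUNDLE", "SSL_CERT_FILE")):
    """Per variable: None if unset or missing, else cert count and whether the custom CA is in it."""
    wanted = fingerprint(split_pem(custom_ca_pem)[0])
    status = {}
    for name in names:
        path = env.get(name)
        status[name] = None
        if path and os.path.isfile(path):
            with open(path, encoding="utf-8") as fh:
                fps = [fingerprint(b) for b in split_pem(fh.read())]
            status[name] = {"certs": len(fps), "has_custom_ca": wanted in fps}
    return status

def fake_pem(payload):
    """Constructed stand-in for a certificate (arbitrary bytes in a PEM envelope), for offline runs."""
    return f"{BEGIN}\n{base64.b64encode(payload).decode()}\n{END}\n"
```

A result of `certs: 1` with `has_custom_ca: True` means the variable points at the corporate root alone, so a library that honours it will reject any connection the proxy does not re-sign.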

@tristanbes I think dosubot's suggestion is valuable, could you try it? We're not using the requests library, so your workaround is not effective.

nicoloboschi avatar Sep 17 '24 11:09 nicoloboschi

My bad, I ignored the solution from the bot because to me it was like the one I used (my mistake). Right now I asked our devops to host it on the cloud because I could not afford to lose time working around it.

tristanbes avatar Sep 17 '24 12:09 tristanbes

Hey @tristanbes Do you need any assistance with this case? If not, please let us know if this issue can be closed.

carlosrcoelho avatar Oct 03 '24 21:10 carlosrcoelho

Thank you for your contribution! This issue will be closed. If you have any questions or encounter another problem, please open a new issue and we will be ready to help you.

carlosrcoelho avatar Oct 10 '24 13:10 carlosrcoelho

For those finding this issue via search, I needed to get langflow to accept self-signed certificates that I signed with my own root CA cert, so I wanted to add the root certificate to the docker image, and this is how I attempted it:

# ./docker-compose.yaml
services:
  langflow:
    build: . # Use the Dockerfile in the current directory
    pull_policy: always               # set to 'always' when using 'latest'
    ports:
      - "7860:7860"
    depends_on:
      - postgres
    environment:
      # This variable defines where the logs, file storage, monitor data and secret keys are stored.
      - LANGFLOW_DATABASE_URL=postgresql://langflow:langflow@postgres:5432/langflow
      # accept self-signed certificates https://github.com/langflow-ai/langflow/issues/3821#issuecomment-2353068593
      - REQUESTS_CA_BUNDLE=/etc/ssl/certs/ca-certificates.crt
    volumes:
      - langflow-data:/app/langflow

  postgres:
    image: postgres:16
    environment:
      POSTGRES_USER: langflow
      POSTGRES_PASSWORD: langflow
      POSTGRES_DB: langflow
    expose:
      - 5432
    volumes:
      - langflow-postgres:/var/lib/postgresql/data

volumes:
  langflow-postgres:
  langflow-data:

# ./Dockerfile
# Use the langflowai/langflow:latest image as the base
FROM langflowai/langflow:latest

# Copy your root CA certificate to the container
COPY ./certs/your-rootCA.pem /usr/local/share/ca-certificates/your-rootCA.crt

# Switch to root to update the CA store
USER root
RUN update-ca-certificates

# Switch back to the original user
USER user

Looks like since langflow is using httpx instead of requests it doesn't by default support the system trust stores or any environment variables and this is impossible to achieve as is. I will open another issue for this.

zizzfizzix avatar Jan 16 '25 02:01 zizzfizzix