Skip to content

fix backend system trust store#1700

Open
fengju0213 wants to merge 1 commit into
mainfrom
codex/fix-system-trust-store
Open

fix backend system trust store#1700
fengju0213 wants to merge 1 commit into
mainfrom
codex/fix-system-trust-store

Conversation

@fengju0213

Copy link
Copy Markdown
Collaborator

Why

Eigent Desktop's backend runs inside a bundled Python environment, so model validation can rely on Python's default CA bundle instead of the operating system trust store. On Windows, this means a remote Ollama endpoint behind HTTPS with a system-trusted private CA can still fail during CAMEL/OpenAI-compatible validation with CERTIFICATE_VERIFY_FAILED.

Fixes #1688.

What Changed

  • Add truststore to the backend dependencies and lockfile.
  • Inject the system trust store early in backend/main.py, before the app imports routers or creates provider clients, so downstream httpx/OpenAI/CAMEL calls can honor OS-trusted certificates.
  • Keep a warning fallback to the default CA bundle if trust store injection is unavailable or fails.

Validated with uv lock --check, uv run ruff check main.py, uv run python -m py_compile main.py, and a direct truststore.inject_into_ssl() smoke check.

@fengju0213 fengju0213 changed the title [codex] fix backend system trust store fix backend system trust store Jun 22, 2026
@fengju0213 fengju0213 marked this pull request as ready for review June 22, 2026 08:48
@Douglasymlai Douglasymlai added bug Something isn't working backend labels Jul 3, 2026
@Douglasymlai Douglasymlai requested a review from 4pmtong July 3, 2026 13:40
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

backend bug Something isn't working Review Required

Projects

None yet

Development

Successfully merging this pull request may close these issues.

[BUG] [Eigent Desktop] SSL CERTIFICATE_VERIFY_FAILED on local issuer certificate on ollama behind a kubernetes ingress

2 participants