Open erincetin opened 3 months ago
@erincetin, thanks for reporting this. We've recently refactored the HttpClient and started using httpx, although our SSL-related tests seem to be passing. I will investigate further, suggest an approach, or create a PR to fix the problem.
@tazarov Thanks for your reply. This was my first issue on GitHub, glad I contributed.
In the meantime, I want to downgrade Chromadb on my client side. Do you know the latest version of Chromadb that did not use httpx for the HttpClient?
Tested versions from 0.5.3 to 0.4.12 with tox. Latest version that seems to work fine is 0.4.14, while from 0.4.15 to 0.5.3 fails. I have used the reproduction script that I have added above.
@erincetin, I remember that when adding this feature to Chroma client we faced the exact same issue.
The root cause why the below won't work (assuming either a self-signed cert or a private PKI):
import chromadb
from chromadb.config import Settings
client = chromadb.HttpClient(host="https://localhost", ssl=True, settings=Settings(chroma_server_ssl_verify='certs-no-san/servercert.pem')) # Does not work again
would be the lack of SAN (Subject Alternative Names). We have a config example here - https://github.com/chroma-core/chroma/blob/main/chromadb/test/openssl.cnf.
The second example you have is expected to fail with a self-signed cert or private PKI.
client = chromadb.HttpClient(host="https://localhost", ssl=False) # Does not work, gives self-signed certificate error
I've tested certs with both SAN and without SAN and it works as intended with the SAN.
Try generating certs with this command:
openssl req -x509 -newkey rsa:4096 -keyout serverkey.pem -out servercert.pem -days 365 -nodes -subj "/CN=localhost" -config "chromadb/test/openssl.cnf"
Note: Update/replace the openssl.cnf as needed.
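A check for the SAN requirement described above, as an added example that is not part of this thread or of the Chroma project: it generates a CN-only certificate and a SAN-bearing certificate with openssl (using a minimal config constructed here that stands in for chromadb/test/openssl.cnf), then tests whether a hostname is listed in the certificate's Subject Alternative Name extension, which is what httpx and other modern TLS clients require instead of the CN. WORKDIR, the config file name and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not code from the Chroma project.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"   # hypothetical scratch directory

# Minimal request config with a SAN section (constructed here; the project's
# chromadb/test/openssl.cnf is the real reference).
write_san_config() {
  cat > "$WORKDIR/san.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_req
prompt = no
[dn]
CN = localhost
[v3_req]
subjectAltName = @alt_names
[alt_names]
DNS.1 = localhost
IP.1 = 127.0.0.1
EOF
}

# make_cert NAME [CONFIG]: self-signed NAME.pem/NAME.key in WORKDIR.
# Without CONFIG the cert carries only CN=localhost; with CONFIG it also gets SANs.
make_cert() {
  name="$1"; cfg="${2:-}"
  if [ -n "$cfg" ]; then
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=localhost" \
      -keyout "$WORKDIR/$name.key" -out "$WORKDIR/$name.pem" -config "$cfg" 2>/dev/null
  else
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=localhost" \
      -keyout "$WORKDIR/$name.key" -out "$WORKDIR/$name.pem" 2>/dev/null
  fi
}

# cert_covers_host CERT HOST: returns 0 if HOST is a DNS entry in the SAN extension,
# 1 otherwise. A CN-only cert is deliberately rejected, mirroring client behaviour.
cert_covers_host() {
  openssl x509 -in "$1" -noout -text \
    | grep -A1 'Subject Alternative Name' \
    | grep -Eq "DNS:$2(,|\$)"
}

# Generate both certificates and report which one a client would accept.
run_demo() {
  write_san_config
  make_cert nosan
  make_cert san "$WORKDIR/san.cnf"
  for c in nosan san; do
    if cert_covers_host "$WORKDIR/$c.pem" localhost; then
      echo "$c.pem: SAN covers localhost (client verification can succeed)"
    else
      echo "$c.pem: no SAN for localhost (client verification will fail)"
    fi
  done
}

run_demo
```

Running it prints one line per certificate; the CN-only one is reported as not covering localhost even though its CN says so, which is exactly the mismatch behind the "does not work" cases in this thread.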
@erincetin, did adding SAN to your SSL cert solve the issue?
@tazarov, unfortunately I am using a corporate network for my project and they are issuing their certificates. So I cannot add SAN as I am not the person who creates or administers it.
@erincetin, this is super strange. In corporate SANs, this should be an essential requirement as they increase security. For example, k8s won't work with certs without SANs.
It is fine for the PKI to issue certs; however, I imagine that someone initiates the process with a CSR; if that is in your control, then SANs can be added to the CSR, too. Let me know if you need help with that.
What happened?
While using the client-server mode of Chroma, the HttpClient does not work with self-signed certificates. Disabling SSL verification does not work either.
My chroma server is behind the OpenShift reverse proxy. The certificate that I am using is for this OpenShift cluster, and it works for other applications.
For example, the raw requests below do work as expected:
However, using the HttpClient does not work as expected for ssl=False and certificate passing.
Reproduction Steps:
openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 -nodes -subj '/CN=localhost'
Result of the reproduction script is below:
Versions
Chroma v0.5.4, Python3.11, CentOS 8
Reproduction: Chroma v0.5.4, Python3.11, Windows 10