SSL Certificate

When deploying models on your own infrastructure, you may want to use your own SSL certificate or certificate chain to secure your model endpoint. However, because this certificate is not part of the trusted root CA store, all requests to the model endpoint will fail. We can address this issue in two different ways:

Option 1: Register your SSL Certificate

To register your certificate, pass it in the tls_context argument when registering a new model:

curl --request POST \
     --url http://127.0.0.1:5005/api/model-providers/model_endpoints/models \
     --header "X-LatticeFlow-API-Key: $LF_API_KEY" \
     --header 'accept: application/json' \
     --header 'content-type: application/json' \
     --data '
{
  "modality": "text",
  "task": "chat_completion",
  "key": "opt-125m",
  "api_key": "<YOUR_API_KEY>",
  "model_adapter_key": "openai",
  "url": "http://host.docker.internal/v1",
  "tls_context": {"validation_context": {"trusted_ca": "<BASE64_ENCODED_PEM_CERTIFICATES>"}},
  "name": "opt-125m"
}
'

The value for trusted_ca must be a base64-encoded list of PEM certificates. If more than one certificate is given (e.g. if a certificate chain is used), the certificates must be listed as follows:

-----BEGIN CERTIFICATE-----
<CERT 1>
-----END CERTIFICATE-----

-----BEGIN CERTIFICATE-----
<CERT 2>
-----END CERTIFICATE-----

One way to obtain such a representation of your certificate(s) is to run the following command (-w 0 disables line wrapping, so the output is a single line): cat cert.pem | base64 -w 0
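A pre-flight check for the trusted_ca value, as an added example that is not LatticeFlow's own code: it rejects a bundle with malformed marker lines (for example an END line with four dashes) before encoding it the same way base64 -w 0 does. The function names and the sample chain are assumptions made for illustration, and the check is structural only: it does not verify signatures, validity dates or chain order.

```python
import base64
import json

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"   # exactly five dashes on each side

def split_pem_bundle(bundle):
    """Return the DER bytes of every certificate; ValueError if malformed."""
    certs, body = [], None          # body is None while outside a block
    for n, raw in enumerate(bundle.splitlines(), 1):
        line = raw.strip()
        if line == BEGIN:
            if body is not None:
                raise ValueError(f"line {n}: BEGIN inside an open block")
            body = []
        elif line == END:
            if body is None:
                raise ValueError(f"line {n}: END without BEGIN")
            der = base64.b64decode("".join(body), validate=True)
            if der[:1] != b"\x30":  # X.509 DER starts with an ASN.1 SEQUENCE
                raise ValueError(f"line {n}: body is not DER")
            certs.append(der)
            body = None
        elif line.startswith("-----"):
            raise ValueError(f"line {n}: malformed PEM marker {line!r}")
        elif body is not None:
            body.append(line)
        elif line:
            raise ValueError(f"line {n}: text outside a certificate block")
    if body is not None or not certs:
        raise ValueError("unterminated block or no certificate found")
    return certs

def build_tls_context(bundle):
    """Validate the bundle, then encode it as `base64 -w 0` would."""
    split_pem_bundle(bundle)
    trusted_ca = base64.b64encode(bundle.encode("ascii")).decode("ascii")
    return {"validation_context": {"trusted_ca": trusted_ca}}

def constructed_pem(fill):
    """Constructed stand-in, NOT a real certificate: a tiny DER SEQUENCE."""
    der = b"\x30\x03" + bytes([fill]) * 3
    return f"{BEGIN}\n{base64.b64encode(der).decode('ascii')}\n{END}\n"

SAMPLE_CHAIN = constructed_pem(1) + "\n" + constructed_pem(2)

if __name__ == "__main__":
    print(json.dumps({"tls_context": build_tls_context(SAMPLE_CHAIN)}))
```

To use it on a real bundle, read cert.pem into a string and pass it to build_tls_context in place of SAMPLE_CHAIN.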

Option 2: Disable SSL Certificate Verification (Not Recommended)

Alternatively, if you are in a development environment and just need a quick fix, you can disable SSL certificate verification. To do so, register the model using:

curl --request POST \
     --url http://127.0.0.1:5005/api/model-providers/model_endpoints/models \
     --header "X-LatticeFlow-API-Key: $LF_API_KEY" \
     --header 'accept: application/json' \
     --header 'content-type: application/json' \
     --data '
{
  "modality": "text",
  "task": "chat_completion",
  "key": "opt-125m",
  "api_key": "<YOUR_API_KEY>",
  "model_adapter_key": "openai",
  "url": "http://host.docker.internal/v1",
  "tls_context": {"validation_context": {"trust_chain_verification": "accept_untrusted"}},
  "name": "opt-125m"
}
'