Self hosted Supabase - support self signed certification connection

[Brightones]

Archon Version

v0.1.0

Bug Severity

🔴 Critical - App unusable

Bug Description

I cant get anchor-server to connect to self hosted supabase with self signed certificate.

Steps to Reproduce

Self hosted supabase on docker with self signed certificate

Update .env with supabase URL and API

Run docker compose up -d from anchor git folder

Expected Behavior

anchor-server container to start successfully

Actual Behavior

anchor-server fail to start - log attached

docker-log.txt

Error Details (if any)

2025-09-05 21:35:02.553 | INFO:     Will watch for changes in these directories: ['/app']
2025-09-05 21:35:02.553 | INFO:     Uvicorn running on http://0.0.0.0:8181 (Press CTRL+C to quit)
2025-09-05 21:35:02.553 | INFO:     Started reloader process [1] using WatchFiles
2025-09-05 21:35:13.397 | INFO:     Started server process [8]
2025-09-05 21:35:13.397 | INFO:     Waiting for application startup.
2025-09-05 21:35:13.519 | Error loading credentials: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self-signed certificate (_ssl.c:1010)
2025-09-05 21:35:13.519 | ❌ Failed to start backend: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self-signed certificate (_ssl.c:1010)
2025-09-05 21:35:13.523 | ERROR:    Traceback (most recent call last):
2025-09-05 21:35:13.523 |   File "/venv/lib/python3.12/site-packages/httpx/_transports/default.py", line 101, in map_httpcore_exceptions
2025-09-05 21:35:13.523 |     yield
2025-09-05 21:35:13.523 |   File "/venv/lib/python3.12/site-packages/httpx/_transports/default.py", line 250, in handle_request
2025-09-05 21:35:13.524 |     resp = self._pool.handle_request(req)
2025-09-05 21:35:13.524 |            ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
2025-09-05 21:35:13.524 |   File "/venv/lib/python3.12/site-packages/httpcore/_sync/connection_pool.py", line 256, in handle_request
2025-09-05 21:35:13.524 |     raise exc from None
2025-09-05 21:35:13.524 |   File "/venv/lib/python3.12/site-packages/httpcore/_sync/connection_pool.py", line 236, in handle_request
2025-09-05 21:35:13.524 |     response = connection.handle_request(
2025-09-05 21:35:13.524 |                ^^^^^^^^^^^^^^^^^^^^^^^^^^
2025-09-05 21:35:13.524 |   File "/venv/lib/python3.12/site-packages/httpcore/_sync/connection.py", line 101, in handle_request
2025-09-05 21:35:13.524 |     raise exc
2025-09-05 21:35:13.524 |   File "/venv/lib/python3.12/site-packages/httpcore/_sync/connection.py", line 78, in handle_request
2025-09-05 21:35:13.524 |     stream = self._connect(request)
2025-09-05 21:35:13.524 |              ^^^^^^^^^^^^^^^^^^^^^^
2025-09-05 21:35:13.524 |   File "/venv/lib/python3.12/site-packages/httpcore/_sync/connection.py", line 156, in _connect
2025-09-05 21:35:13.524 |     stream = stream.start_tls(**kwargs)
2025-09-05 21:35:13.524 |              ^^^^^^^^^^^^^^^^^^^^^^^^^^
2025-09-05 21:35:13.524 |   File "/venv/lib/python3.12/site-packages/httpcore/_backends/sync.py", line 154, in start_tls
2025-09-05 21:35:13.524 |     with map_exceptions(exc_map):
2025-09-05 21:35:13.524 |          ^^^^^^^^^^^^^^^^^^^^^^^
2025-09-05 21:35:13.524 |   File "/usr/local/lib/python3.12/contextlib.py", line 158, in __exit__
2025-09-05 21:35:13.524 |     self.gen.throw(value)
2025-09-05 21:35:13.524 |   File "/venv/lib/python3.12/site-packages/httpcore/_exceptions.py", line 14, in map_exceptions
2025-09-05 21:35:13.524 |     raise to_exc(exc) from exc
2025-09-05 21:35:13.524 | httpcore.ConnectError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self-signed certificate (_ssl.c:1010)
2025-09-05 21:35:13.524 | 
2025-09-05 21:35:13.524 | The above exception was the direct cause of the following exception:
2025-09-05 21:35:13.524 | 
2025-09-05 21:35:13.524 | Traceback (most recent call last):
2025-09-05 21:35:13.524 |   File "/venv/lib/python3.12/site-packages/starlette/routing.py", line 694, in lifespan
2025-09-05 21:35:13.524 |     async with self.lifespan_context(app) as maybe_state:
2025-09-05 21:35:13.524 |                ^^^^^^^^^^^^^^^^^^^^^^^^^^
2025-09-05 21:35:13.524 |   File "/usr/local/lib/python3.12/contextlib.py", line 210, in __aenter__
2025-09-05 21:35:13.524 |     return await anext(self.gen)
2025-09-05 21:35:13.524 |            ^^^^^^^^^^^^^^^^^^^^^
2025-09-05 21:35:13.524 |   File "/venv/lib/python3.12/site-packages/fastapi/routing.py", line 134, in merged_lifespan
2025-09-05 21:35:13.524 |     async with original_context(app) as maybe_original_state:
2025-09-05 21:35:13.524 |                ^^^^^^^^^^^^^^^^^^^^^
2025-09-05 21:35:13.524 |   File "/usr/local/lib/python3.12/contextlib.py", line 210, in __aenter__
2025-09-05 21:35:13.524 |     return await anext(self.gen)
2025-09-05 21:35:13.524 |            ^^^^^^^^^^^^^^^^^^^^^
2025-09-05 21:35:13.524 |   File "/venv/lib/python3.12/site-packages/fastapi/routing.py", line 134, in merged_lifespan
2025-09-05 21:35:13.524 |     async with original_context(app) as maybe_original_state:
2025-09-05 21:35:13.524 |                ^^^^^^^^^^^^^^^^^^^^^
2025-09-05 21:35:13.524 |   File "/usr/local/lib/python3.12/contextlib.py", line 210, in __aenter__
2025-09-05 21:35:13.524 |     return await anext(self.gen)
2025-09-05 21:35:13.524 |            ^^^^^^^^^^^^^^^^^^^^^
2025-09-05 21:35:13.524 |   File "/venv/lib/python3.12/site-packages/fastapi/routing.py", line 134, in merged_lifespan
2025-09-05 21:35:13.524 |     async with original_context(app) as maybe_original_state:
2025-09-05 21:35:13.524 |                ^^^^^^^^^^^^^^^^^^^^^
2025-09-05 21:35:13.524 |   File "/usr/local/lib/python3.12/contextlib.py", line 210, in __aenter__
2025-09-05 21:35:13.524 |     return await anext(self.gen)
2025-09-05 21:35:13.524 |            ^^^^^^^^^^^^^^^^^^^^^
2025-09-05 21:35:13.524 |   File "/venv/lib/python3.12/site-packages/fastapi/routing.py", line 134, in merged_lifespan
2025-09-05 21:35:13.524 |     async with original_context(app) as maybe_original_state:
2025-09-05 21:35:13.524 |                ^^^^^^^^^^^^^^^^^^^^^
2025-09-05 21:35:13.524 |   File "/usr/local/lib/python3.12/contextlib.py", line 210, in __aenter__
2025-09-05 21:35:13.524 |     return await anext(self.gen)
2025-09-05 21:35:13.524 |            ^^^^^^^^^^^^^^^^^^^^^
2025-09-05 21:35:13.524 |   File "/venv/lib/python3.12/site-packages/fastapi/routing.py", line 134, in merged_lifespan
2025-09-05 21:35:13.524 |     async with original_context(app) as maybe_original_state:
2025-09-05 21:35:13.524 |                ^^^^^^^^^^^^^^^^^^^^^
2025-09-05 21:35:13.524 |   File "/usr/local/lib/python3.12/contextlib.py", line 210, in __aenter__
2025-09-05 21:35:13.524 |     return await anext(self.gen)
2025-09-05 21:35:13.524 |            ^^^^^^^^^^^^^^^^^^^^^
2025-09-05 21:35:13.524 |   File "/venv/lib/python3.12/site-packages/fastapi/routing.py", line 134, in merged_lifespan
2025-09-05 21:35:13.524 |     async with original_context(app) as maybe_original_state:
2025-09-05 21:35:13.524 |                ^^^^^^^^^^^^^^^^^^^^^
2025-09-05 21:35:13.524 |   File "/usr/local/lib/python3.12/contextlib.py", line 210, in __aenter__
2025-09-05 21:35:13.524 |     return await anext(self.gen)
2025-09-05 21:35:13.524 |            ^^^^^^^^^^^^^^^^^^^^^
2025-09-05 21:35:13.524 |   File "/venv/lib/python3.12/site-packages/fastapi/routing.py", line 134, in merged_lifespan
2025-09-05 21:35:13.524 |     async with original_context(app) as maybe_original_state:
2025-09-05 21:35:13.524 |                ^^^^^^^^^^^^^^^^^^^^^
2025-09-05 21:35:13.524 |   File "/usr/local/lib/python3.12/contextlib.py", line 210, in __aenter__
2025-09-05 21:35:13.524 |     return await anext(self.gen)
2025-09-05 21:35:13.524 |            ^^^^^^^^^^^^^^^^^^^^^
2025-09-05 21:35:13.524 |   File "/venv/lib/python3.12/site-packages/fastapi/routing.py", line 134, in merged_lifespan
2025-09-05 21:35:13.524 |     async with original_context(app) as maybe_original_state:
2025-09-05 21:35:13.524 |                ^^^^^^^^^^^^^^^^^^^^^
2025-09-05 21:35:13.524 |   File "/usr/local/lib/python3.12/contextlib.py", line 210, in __aenter__
2025-09-05 21:35:13.524 |     return await anext(self.gen)
2025-09-05 21:35:13.524 |            ^^^^^^^^^^^^^^^^^^^^^
2025-09-05 21:35:13.524 |   File "/app/src/server/main.py", line 80, in lifespan
2025-09-05 21:35:13.524 |     await initialize_credentials()
2025-09-05 21:35:13.524 |   File "/app/src/server/services/credential_service.py", line 496, in initialize_credentials
2025-09-05 21:35:13.524 |     await credential_service.load_all_credentials()
2025-09-05 21:35:13.524 |   File "/app/src/server/services/credential_service.py", line 130, in load_all_credentials
2025-09-05 21:35:13.524 |     result = supabase.table("archon_settings").select("*").execute()
2025-09-05 21:35:13.524 |              ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
2025-09-05 21:35:13.524 |   File "/venv/lib/python3.12/site-packages/postgrest/_sync/request_builder.py", line 57, in execute
2025-09-05 21:35:13.524 |     r = self.session.request(
2025-09-05 21:35:13.524 |         ^^^^^^^^^^^^^^^^^^^^^
2025-09-05 21:35:13.524 |   File "/venv/lib/python3.12/site-packages/httpx/_client.py", line 825, in request
2025-09-05 21:35:13.524 |     return self.send(request, auth=auth, follow_redirects=follow_redirects)
2025-09-05 21:35:13.524 |            ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
2025-09-05 21:35:13.524 |   File "/venv/lib/python3.12/site-packages/httpx/_client.py", line 914, in send
2025-09-05 21:35:13.524 |     response = self._send_handling_auth(
2025-09-05 21:35:13.524 |                ^^^^^^^^^^^^^^^^^^^^^^^^^
2025-09-05 21:35:13.524 |   File "/venv/lib/python3.12/site-packages/httpx/_client.py", line 942, in _send_handling_auth
2025-09-05 21:35:13.524 |     response = self._send_handling_redirects(
2025-09-05 21:35:13.524 |                ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
2025-09-05 21:35:13.524 |   File "/venv/lib/python3.12/site-packages/httpx/_client.py", line 979, in _send_handling_redirects
2025-09-05 21:35:13.524 |     response = self._send_single_request(request)
2025-09-05 21:35:13.524 |                ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
2025-09-05 21:35:13.524 |   File "/venv/lib/python3.12/site-packages/httpx/_client.py", line 1014, in _send_single_request
2025-09-05 21:35:13.524 |     response = transport.handle_request(request)
2025-09-05 21:35:13.524 |                ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
2025-09-05 21:35:13.524 |   File "/venv/lib/python3.12/site-packages/httpx/_transports/default.py", line 249, in handle_request
2025-09-05 21:35:13.524 |     with map_httpcore_exceptions():
2025-09-05 21:35:13.524 |          ^^^^^^^^^^^^^^^^^^^^^^^^^
2025-09-05 21:35:13.524 |   File "/usr/local/lib/python3.12/contextlib.py", line 158, in __exit__
2025-09-05 21:35:13.524 |     self.gen.throw(value)
2025-09-05 21:35:13.524 |   File "/venv/lib/python3.12/site-packages/httpx/_transports/default.py", line 118, in map_httpcore_exceptions
2025-09-05 21:35:13.524 |     raise mapped_exc(message) from exc
2025-09-05 21:35:13.524 | httpx.ConnectError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self-signed certificate (_ssl.c:1010)
2025-09-05 21:35:13.524 | 
2025-09-05 21:35:13.524 | ERROR:    Application startup failed. Exiting.

Affected Component

🐳 Docker / Infrastructure

Browser & OS

Windows 11 / Docker

Additional Context

No response

Service Status (check all that are working)

• 🖥️ Frontend UI (http://localhost:3737)
• ⚙️ Main Server (http://localhost:8181)
• 🔗 MCP Service (localhost:8051)
• 🤖 Agents Service (http://localhost:8052)
• 💾 Supabase Database (connected)

[leex279]

Hi, self-signed SSL certs / HTTPS is not supported at the moment but will come in the future, so this is not a BUG. Its a missing feature.

Here some more details (attachments).
@coleam00 leave it on you to create a proper feature request if you like :)

cloud-vs-selfhosted-ssl-analysis.md
ssl-certificate-issue-analysis.md

[coleam00]

I'll update this and turn it into a feature request! @leex279

[Brightones]

Thanks Leex279, top knot work. do we have any guideline how to join the team to work on issue or feature ?

[leex279]

@Brightones you can find the contribution guidelines here: https://github.com/coleam00/Archon/blob/main/CONTRIBUTING.md

Feel free to create a PR to fix this.

[kennyth01]

hi @coleam00 @leex279 , do we have a workaround on this?

[leoric-crown]

hi @coleam00 @leex279 , do we have a workaround on this?

Won't a cloudflared tunnel be a valid workaround? cloudflare CAs are trusted on all hosts, no?

[leex279]

I think it must not be called a workaround to use cloudflare or also in your internal network just an reverse proxy like nginx, caddy etc. to manage the certs and connection. I think it is more best practice as building it into the webapp directly. At least in my view.

[leoric-crown]

Ah I thought you were running supabase on an external host. Yes, Caddy would be a workaround in a local-only context.

And yes, it's a workaround, not a solution.