Custom Certificate Authority

Configure DataVault to trust your company's internal CA certificates

This guide helps you set up DataVault in environments where SSL inspection or internal certificates are used.

When You Need This

Many companies use internal Certificate Authorities (CAs) for:

  • SSL Inspection: Corporate firewalls decrypt and re-encrypt HTTPS traffic
  • Internal Services: Self-hosted SharePoint, Confluence, or other services use internal certificates

Without proper CA configuration, you may see SSL errors when:

  • Downloading embedding models from Hugging Face
  • Syncing files with rclone
  • Connecting to app.meingpt.com
  • Accessing internal data sources

Quick Setup

Step 1: Get Your CA Certificate

Ask your IT team for the company's CA certificate file. It should be in PEM or CRT format, looking like this:

-----BEGIN CERTIFICATE-----
MIIFuTCCA6GgAwIBAgIU...
-----END CERTIFICATE-----

Save it as company-ca.pem in your project folder.

Step 2: Mount the Certificate

Add the certificate file to your docker-compose.yaml:

services:
  vault:
    image: meingpt/vault:latest
    volumes:
      - ./company-ca.pem:/certs/company-ca.pem:ro

Step 3: Set the Environment Variable

Tell DataVault to use your certificate:

services:
  vault:
    environment:
      - VAULT_CUSTOM_CA_FILE=/certs/company-ca.pem

Complete Example

services:
  vault:
    image: meingpt/vault:latest
    volumes:
      - ./config/app_config.yaml:/app/vault_config.yaml:ro
      - ./company-ca.pem:/certs/company-ca.pem:ro
    environment:
      - VAULT_CONFIG_FILE_PATH=/app/vault_config.yaml
      - VAULT_CUSTOM_CA_FILE=/certs/company-ca.pem

Apply the same settings to all DataVault services: vault-search, vault-ingestion, and vault-preflight.

How It Works

When you set VAULT_CUSTOM_CA_FILE, the container automatically:

  1. Reads your CA certificate file
  2. Sets SSL_CERT_FILE for Python SSL and rclone
  3. Sets REQUESTS_CA_BUNDLE for HTTP libraries

This makes all network connections trust your company's certificates.

Verify It Works

Check the container logs after starting:

docker logs vault-search | head -n 10

You should see:

[entrypoint] SSL_CERT_FILE=/certs/company-ca.pem
[entrypoint] REQUESTS_CA_BUNDLE=/certs/company-ca.pem

Troubleshooting

"File not found" Warning

[entrypoint] WARN: VAULT_CUSTOM_CA_FILE is set but file not found

Solution: Check that:

  • The file exists on your host machine
  • The volume mount path is correct
  • The file is readable (not a directory)

Still Getting SSL Errors

Your CA file may be incomplete. Ask your IT team for a full certificate chain that includes:

  • Root CA certificate
  • Intermediate CA certificates (if any)

If you have multiple certificates, you can concatenate them into one bundle file:

cat root-ca.pem intermediate-ca.pem > company-ca.pem
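
A host-side preflight for the two troubleshooting cases above, as an added example that is not part of DataVault (the name check_ca_bundle is an assumption of this example). It checks file structure only: file versus directory, PEM versus DER, stray private keys, and markers glued together by cat. It does not validate the certificates themselves.

```python
import base64
import re
import sys
from pathlib import Path

# One PEM block: BEGIN <label>, base64 body, matching END <label>.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.S)

def check_ca_bundle(path):
    """Return (certificate_count, problems) for a PEM CA bundle on the host."""
    p = Path(path)
    if p.is_dir():
        # Docker creates a directory when a bind-mount source file is missing.
        return 0, ["path is a directory, not a file"]
    if not p.is_file():
        return 0, ["file not found"]
    raw = p.read_bytes()
    if raw[:1] == b"\x30" and b"-----BEGIN" not in raw:
        # Binary DER starts with an ASN.1 SEQUENCE tag; the bundle must be PEM.
        return 0, ["file is DER-encoded, convert it to PEM"]
    text = raw.decode("ascii", errors="replace")
    count, problems = 0, []
    if "-" * 10 in text:
        # cat of a file without a trailing newline glues END and BEGIN together.
        problems.append("END and BEGIN markers share a line")
    for label, body in PEM_BLOCK.findall(text):
        if "PRIVATE KEY" in label:
            # A trust bundle holds public certificates only.
            problems.append("bundle contains a private key")
        elif label != "CERTIFICATE":
            problems.append(f"unexpected PEM block: {label}")
        else:
            count += 1
            try:
                der = base64.b64decode("".join(body.split()), validate=True)
            except ValueError:
                problems.append(f"certificate {count}: invalid base64")
                continue
            if der[:1] != b"\x30":
                problems.append(f"certificate {count}: not an ASN.1 SEQUENCE")
    if count == 0:
        problems.append("no certificate blocks found")
    return count, problems

if __name__ == "__main__":
    n, issues = check_ca_bundle(sys.argv[1] if len(sys.argv) > 1 else "company-ca.pem")
    print(f"{n} certificate(s)", *issues, sep="\nPROBLEM: ")
    sys.exit(1 if issues else 0)
```

Run it against company-ca.pem before starting the containers; a non-zero exit status means at least one problem was reported.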

Using a Certificate Directory

If you have multiple CA files in a directory, use:

environment:
  - VAULT_CUSTOM_CA_DIR=/certs/ca-dir
volumes:
  - ./ca-certificates:/certs/ca-dir:ro

Advanced: Manual Override

If you need direct control, you can set these variables yourself:

Variable            Used By
SSL_CERT_FILE       Python SSL, rclone, aiohttp
REQUESTS_CA_BUNDLE  requests, huggingface_hub
SSL_CERT_DIR        Go x509 (directory of CA files)

If you set these variables manually, VAULT_CUSTOM_CA_FILE will not override them.