Model provider network troubleshooting
Use this page when a model works from one network but Jarvis cannot reach it from a corporate network, managed laptop, or self-hosted provider endpoint.
What to configure
Section titled “What to configure”For a chat model provider, keep these values explicit:
| Field | What to enter |
|---|---|
| Provider endpoint | An HTTPS OpenAI-compatible endpoint, usually ending in /v1. |
| API key | The provider key. If editing an existing provider, leave the key blank only when the UI says that keeps the current key. |
| Model ID | The exact model identifier accepted by that provider. |
| Wire API | Leave the default unless the provider specifically requires a different API shape. |
Prefer a DNS name on HTTPS port 443, for example
https://<provider-host>/v1. Avoid bare IP addresses and non-standard ports
on managed corporate networks.
Corporate TLS inspection
Section titled “Corporate TLS inspection”Symptoms:
- Jarvis logs include
CERTIFICATE_VERIFY_FAILED. - The error mentions
self-signed certificate in certificate chain. - The UI reports a connection failure even though the provider is reachable from a browser or managed command-line tool.
Root cause:
Many corporate networks terminate outbound TLS and re-sign traffic with a
company root certificate. Python packages commonly use the certifi certificate
bundle by default, which may not include that company root certificate.
What Jarvis does:
Jarvis enables the operating system trust store for Python network calls, so a
company root certificate installed in Windows, macOS, or Linux can be trusted by
the backend. This means you normally do not need to set SSL_CERT_FILE or
maintain a separate certificate bundle for Jarvis model calls.
What to check:
- Confirm the company root certificate is installed in the operating system trust store.
- Restart Jarvis so the backend starts with the current trust configuration.
- Retry the model from the Jarvis UI.
- If you need to compare behavior with the default Python certificate bundle,
start Jarvis with
JARVIS_DISABLE_SYSTEM_CA=1.
Proxies that block ports or IP addresses
Section titled “Proxies that block ports or IP addresses”Symptoms:
- Requests time out.
- Requests through the proxy return an HTML or
302proxy page. - A provider URL works from a server, but not from a managed laptop.
Root cause:
Corporate outbound proxies often allow HTTPS on port 443 but block direct
connections to high ports or bare IP addresses. A self-hosted provider may have
both an internal high-port URL and a public HTTPS DNS name; the high-port URL is
usually the wrong choice for corporate networks.
Fix:
Use the provider’s HTTPS DNS endpoint on port 443:
https://<provider-host>/v1Do not configure local-only, private, or high-port service URLs unless the machine running Jarvis can actually reach them.
WAF blocks OpenAI SDK user agents
Section titled “WAF blocks OpenAI SDK user agents”Symptoms:
- Jarvis receives
403orPermissionDeniedError. - A simple
curlrequest to the same endpoint and key succeeds. - The provider is self-hosted or fronted by a web application firewall.
Root cause:
Some WAF rules block the default user agent used by OpenAI SDK clients even when the endpoint itself is valid.
What Jarvis does:
Jarvis sets a neutral User-Agent for OpenAI-compatible outbound calls. If the
request is still blocked, inspect the provider-side WAF logs and allow the
Jarvis traffic pattern explicitly.
Verify an endpoint manually
Section titled “Verify an endpoint manually”From Windows PowerShell, prefer curl.exe so PowerShell does not alias the
command:
curl.exe -sS --ssl-no-revoke ` https://<provider-host>/v1/chat/completions ` -H "Authorization: Bearer <KEY>" ` -H "Content-Type: application/json" ` -d '{"model":"<model-id>","messages":[{"role":"user","content":"hi"}],"max_tokens":5}'If your network requires an explicit proxy, add the proxy option supplied by your network administrator:
curl.exe -sS --ssl-no-revoke -x http://<proxy-host>:<proxy-port> ` https://<provider-host>/v1/chat/completions ` -H "Authorization: Bearer <KEY>" ` -H "Content-Type: application/json" ` -d '{"model":"<model-id>","messages":[{"role":"user","content":"hi"}],"max_tokens":5}'PowerShell quoting notes:
- Use
curl.exe, notcurl. - Keep the JSON body in single quotes, or put it in a file and pass
-d @body.json. - Do not use backslash-escaped JSON strings such as
\"in PowerShell.
Quick reference
Section titled “Quick reference”| Symptom | Likely cause | First action |
|---|---|---|
CERTIFICATE_VERIFY_FAILED with a self-signed chain |
Corporate TLS inspection certificate is not trusted by Python | Confirm the company root CA is installed in the OS trust store and restart Jarvis. |
Timeout or proxy 302 page |
Proxy blocks bare IPs or non-standard ports | Switch to an HTTPS DNS endpoint on port 443. |
403 or PermissionDeniedError, but curl succeeds |
WAF rule blocks SDK-like traffic | Check provider-side WAF logs and allow Jarvis requests. |
401 or Unauthorized |
Wrong or expired API key | Re-enter the provider key. |
| Model does not appear or provider rejects it | Model ID is not valid for that provider API | Create a provider entry with the exact model ID supported by the endpoint. |
Desktop package note
Section titled “Desktop package note”Installed desktop builds run the packaged backend sidecar. Source changes do not affect an already installed app until a new desktop package is installed or delivered through the updater.