Skip to content

Model provider network troubleshooting

Use this page when a model works from one network but Jarvis cannot reach it from a corporate network, managed laptop, or self-hosted provider endpoint.

For a chat model provider, keep these values explicit:

Field What to enter
Provider endpoint An HTTPS OpenAI-compatible endpoint, usually ending in /v1.
API key The provider key. If editing an existing provider, leave the key blank only when the UI says that keeps the current key.
Model ID The exact model identifier accepted by that provider.
Wire API Leave the default unless the provider specifically requires a different API shape.

Prefer a DNS name on HTTPS port 443, for example https://<provider-host>/v1. Avoid bare IP addresses and non-standard ports on managed corporate networks.

Symptoms:

  • Jarvis logs include CERTIFICATE_VERIFY_FAILED.
  • The error mentions self-signed certificate in certificate chain.
  • The UI reports a connection failure even though the provider is reachable from a browser or managed command-line tool.

Root cause:

Many corporate networks terminate outbound TLS and re-sign traffic with a company root certificate. Python packages commonly use the certifi certificate bundle by default, which may not include that company root certificate.

What Jarvis does:

Jarvis enables the operating system trust store for Python network calls, so a company root certificate installed in Windows, macOS, or Linux can be trusted by the backend. This means you normally do not need to set SSL_CERT_FILE or maintain a separate certificate bundle for Jarvis model calls.

What to check:

  1. Confirm the company root certificate is installed in the operating system trust store.
  2. Restart Jarvis so the backend starts with the current trust configuration.
  3. Retry the model from the Jarvis UI.
  4. If you need to compare behavior with the default Python certificate bundle, start Jarvis with JARVIS_DISABLE_SYSTEM_CA=1.

Symptoms:

  • Requests time out.
  • Requests through the proxy return an HTML or 302 proxy page.
  • A provider URL works from a server, but not from a managed laptop.

Root cause:

Corporate outbound proxies often allow HTTPS on port 443 but block direct connections to high ports or bare IP addresses. A self-hosted provider may have both an internal high-port URL and a public HTTPS DNS name; the high-port URL is usually the wrong choice for corporate networks.

Fix:

Use the provider’s HTTPS DNS endpoint on port 443:

https://<provider-host>/v1

Do not configure local-only, private, or high-port service URLs unless the machine running Jarvis can actually reach them.

Symptoms:

  • Jarvis receives 403 or PermissionDeniedError.
  • A simple curl request to the same endpoint and key succeeds.
  • The provider is self-hosted or fronted by a web application firewall.

Root cause:

Some WAF rules block the default user agent used by OpenAI SDK clients even when the endpoint itself is valid.

What Jarvis does:

Jarvis sets a neutral User-Agent for OpenAI-compatible outbound calls. If the request is still blocked, inspect the provider-side WAF logs and allow the Jarvis traffic pattern explicitly.

From Windows PowerShell, prefer curl.exe so PowerShell does not alias the command:

Terminal window
curl.exe -sS --ssl-no-revoke `
https://<provider-host>/v1/chat/completions `
-H "Authorization: Bearer <KEY>" `
-H "Content-Type: application/json" `
-d '{"model":"<model-id>","messages":[{"role":"user","content":"hi"}],"max_tokens":5}'

If your network requires an explicit proxy, add the proxy option supplied by your network administrator:

Terminal window
curl.exe -sS --ssl-no-revoke -x http://<proxy-host>:<proxy-port> `
https://<provider-host>/v1/chat/completions `
-H "Authorization: Bearer <KEY>" `
-H "Content-Type: application/json" `
-d '{"model":"<model-id>","messages":[{"role":"user","content":"hi"}],"max_tokens":5}'

PowerShell quoting notes:

  • Use curl.exe, not curl.
  • Keep the JSON body in single quotes, or put it in a file and pass -d @body.json.
  • Do not use backslash-escaped JSON strings such as \" in PowerShell.
Symptom Likely cause First action
CERTIFICATE_VERIFY_FAILED with a self-signed chain Corporate TLS inspection certificate is not trusted by Python Confirm the company root CA is installed in the OS trust store and restart Jarvis.
Timeout or proxy 302 page Proxy blocks bare IPs or non-standard ports Switch to an HTTPS DNS endpoint on port 443.
403 or PermissionDeniedError, but curl succeeds WAF rule blocks SDK-like traffic Check provider-side WAF logs and allow Jarvis requests.
401 or Unauthorized Wrong or expired API key Re-enter the provider key.
Model does not appear or provider rejects it Model ID is not valid for that provider API Create a provider entry with the exact model ID supported by the endpoint.

Installed desktop builds run the packaged backend sidecar. Source changes do not affect an already installed app until a new desktop package is installed or delivered through the updater.