chichur commented on issue #55147: URL: https://github.com/apache/airflow/issues/55147#issuecomment-3476470118
Hi everyone, I recently upgraded Airflow and encountered a tricky issue when running it behind an HTTPS reverse proxy (e.g., `https://my-org/airflow/`). **Problem:** Airflow workers communicate with the Airflow API using the configured base_url. In my setup, this is set to: `https://my-org/airflow/execution` Because this endpoint uses a custom/internal TLS certificate, the worker’s HTTP client (httpx) fails with an SSL certificate verification error. I first tried setting the `AIRFLOW__API__SSL_CERT` environment variable globally — including for the webserver/API container. This caused the API server itself to crash on startup, again with no meaningful error, just child process died. **Correct solution:** 1. Obtain your reverse proxy’s public certificate (e.g., my-org.crt). 2. Mount it into the airflow-worker container only. 3. Set the following environment variable exclusively for the worker: `AIRFLOW__API__SSL_CERT=/path/to/my-org.crt` Do not apply this variable to the webserver or scheduler containers. This allows the worker to successfully verify the TLS certificate when calling the external API endpoint (`https://my-org/airflow/execution`), while keeping the API server unaffected. Hope this helps others avoid the same headache! -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
