Load a self-signed certificate OR webcam.snapshotSslValidation equivalent in v1.9.0?

I'm trying to set a webcam with OctoPrint 1.9.0. I've noticed that there are a few major changes with regards to the webcam and it might possibly be that not all documentation/SO questions are up to date..

I have Octoprint as a part of my docker-compose setup. It's exposing both 8080 and 5000 and nginx is configured to allow https access on "/octoprint". This all works fine. I can even see a stream if I go to "https://server.local/octoprint/webcam/?action=snapshot" (also works for "action=stream").
However, when I try to use the same FQDN URL and set it in the "Classical Webcam -> Snapshot URL", I get an error which in the logs I see happens because it can't verify the SSL certificate (self signed).

I tried 2 possible options:

  1. The better one - I've copied my csr to /usr/local/share/ca-certificates, but then figured out that I must run "update-ca-certificates" in order for it to pick up the new one. When I do it in "docker exec" inside the container, I get "wget" to load the page successfully, but the octoprint server will still return the same error. I assume it (or the Python package?) pre-cached the certificates on startup?
    I run octoprint as a docker image inside a docker-compose setup. Couldn't find a way to run a "startup script". If there 's a way to run "update-ca-certificates" on startup, I believe that's the best way.

  2. Another option which I can live with is to disable the certificate validation. However, in the GUI, there's a checkbox in "Webcam and Timelapse" that maps to "webcam.snapshotSslValidation" (even got to the commit where it was added: Timelapse: Add snapshot imeout & SSL validation settings · OctoPrint/OctoPrint@3fcd5ad · GitHub). I can't set it to False as I get this message: "octoprint.server.api.settings - WARNING - Setting webcam.snapshotSslValidation via the API is no longer supported, please use the individual settings of the default webcam instead."
    I understand those setting should now reside in the plugins, but it doesn't seem that the "Classical Webcam" plugin has such an option.. Did we lose this feature in upgrading?

Thanks!
Zach

Since the webcam sounds like it is running in the same container (this is the default setup) then you should be able to have the snapshot URL as http://localhost:8080/?action=snapshot, skipping the proxy & https things.

Regarding the option to disable validation, it has the option in the backend of the classic webcam plugin, but I can't see it in the UI, you're right it seems to be in the wrong place (maybe you could open an issue in the OctoPrint repo for that?)

You could set it in the config.yaml under the plugin:

plugins:
  classicwebcam:
    snapshotSslValidation: false

Configuring the self-signed cert in the container is something I don't know much about to help there.

Thanks! I tried setting the config as you mentioned. It indeed doesn't throw the same error anymore, but I now get a weird behavior:
The GUI won't show an image, and would still say "there is an error". The logs (of both octoprint and nginx) don't show any errors. I do see a warning though because of the disabled check:

octoprint | 2023-06-10 14:51:56,679 - py.warnings - WARNING - /usr/local/lib/python3.8/site-packages/urllib3/connectionpool.py:1045: InsecureRequestWarning: Unverified HTTPS request is being made to host 'server.local'. Adding certificate verification is strongly advised. See: Advanced Usage - urllib3 1.26.16 documentation
octoprint | warnings.warn(
octoprint |
reverse_proxy | 172.18.0.1 - - [10/Jun/2023:14:51:56 +0000] "GET /octoprint/webcam/?action=snapshot HTTP/1.1" 200 3609 "-" "python-requests/2.31.0"
reverse_proxy | 192.168.1.104 - - [10/Jun/2023:14:51:56 +0000] "POST /octoprint/api/util/test HTTP/1.1" 200 182 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36"

As far as I can tell, the internal request to "/webcam/?action=snpashot" was successful...

As for your first suggestion, my nginx is forwarding all HTTP to HTTPS. I'm pretty sure I can exclude a specific location, but I'm not an nginx expert.. I'll look into it and try to exclude the "/webcam" URLs.

Also, I'll wait to see if there's any way to just add my certificate and have it validated without any hack.

Thanks!

The URL I put would be keeping it internal to the container - so it doesn't go through nginx at all. The recommended URLs are here.

OK, now I got you. It's working now with "http://localhost:8080/?action=snapshot" as the URL.