Enable HTTPS for AYON Launcher (SSL Certificate Trust)

Problem

When running your AYON server over HTTPS with a custom or self-signed certificate, the AYON Launcher may fail to connect and show SSL verification errors.

This does not affect only one addon. It affects all AYON Launcher communication over HTTPS, including:

  • Login and server connection
  • Loading addons and bundles
  • Publishing and version management
  • Review addon and media playback
  • Any other communication from the Launcher to the AYON server

The reason is that AYON Launcher uses its own bundled Python certificate store (certifi) and does not automatically trust your custom server certificate.


Prerequisites

Before starting, make sure you have the following ready:

  • AYON Launcher installed on the client machine
  • Access to the AYON server to export the certificate
  • The certificate already created and configured on the server/domain
  • Administrator access on the client machine (Windows)

Step 1 — Create or Export the Certificate From the Server

On your AYON server, create or export the SSL certificate being used for HTTPS.

This should be:

  • The root CA certificate, or
  • The self-signed certificate, or
  • The full certificate chain needed for trust

Export it as a .pem or .crt file. It should look like this:

-----BEGIN CERTIFICATE-----
MIIBxTCCA...
-----END CERTIFICATE-----

Important: The certificate must also be correctly installed and pushed to your domain so that browsers and clients recognize the HTTPS connection as valid. If the server is not correctly presenting the certificate, clients will still fail even after the steps below.


Step 2 — Find the AYON Launcher’s Certificate Bundle

AYON Launcher bundles its own certificate trust file inside its installation folder. You need to locate it.

The path pattern is:

C:\Program Files\Ynput\AYON <version>\dependencies\certifi\cacert.pem

Example for version 1.4.3:

C:\Program Files\Ynput\AYON 1.4.3\dependencies\certifi\cacert.pem

Note: Every AYON Launcher version has its own separate cacert.pem. If you install a newer version later, you will need to patch that version’s file as well. The automation script in Step 4 handles this automatically.


Step 3 — Append the Certificate to cacert.pem

Open the cacert.pem file using a text editor as Administrator.

Scroll to the very bottom of the file and append your certificate there.

Do not delete or replace any existing content. Only add your certificate at the end.

It should look like this at the bottom of the file:

# My Studio AYON Server Certificate
-----BEGIN CERTIFICATE-----
<your certificate content here>
-----END CERTIFICATE-----

Save and close the file.


Step 4 — Automate It for All Installed Launcher Versions (Recommended)

Because every AYON Launcher version creates a new folder with its own cacert.pem, it is better to automate the patching process.

The PowerShell script below:

  1. Connects to your AYON server over the network
  2. Fetches the SSL certificate directly from it
  3. Scans all installed AYON Launcher versions automatically
  4. Appends the certificate to each cacert.pem if not already present

# AYON SSL Certificate Patcher
# Run as Administrator

$serverIP   = "YOUR.SERVER.IP"
$serverPort = 443

# Add or remove versions as needed
$ayonVersions = @(
    "C:\Program Files\Ynput\AYON 1.4.0",
    "C:\Program Files\Ynput\AYON 1.4.3",
    "C:\Program Files\Ynput\AYON 1.5.2"
)

Write-Host "Fetching certificate from $serverIP`:$serverPort..." -ForegroundColor Cyan

try {
    $tcp  = New-Object System.Net.Sockets.TcpClient($serverIP, $serverPort)
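    # The { $true } callback accepts any certificate without validation, so
    # whatever this connection presents is what gets appended below. Check the
    # printed subject against the server's own certificate.
    $ssl  = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, { $true })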
    $ssl.AuthenticateAsClient($serverIP)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    $ssl.Close()
    $tcp.Close()

    $certBase64 = [Convert]::ToBase64String($cert.RawData, 'InsertLineBreaks')
    $pemBlock   = "`r`n-----BEGIN CERTIFICATE-----`r`n$certBase64`r`n-----END CERTIFICATE-----"

    Write-Host "Certificate fetched: $($cert.Subject)" -ForegroundColor Green
} catch {
    Write-Host "Failed to fetch certificate: $_" -ForegroundColor Red
    exit 1  # non-zero exit code so callers can detect the failure
}

foreach ($version in $ayonVersions) {
    if (Test-Path $version) {
        Write-Host "`nFound: $version" -ForegroundColor Yellow

        $files = Get-ChildItem $version -Recurse -Filter "cacert.pem"

        if ($files) {
            foreach ($file in $files) {
                $content = Get-Content $file.FullName -Raw

                if ($content -like "*$certBase64*") {
                    Write-Host "  Already patched: $($file.FullName)" -ForegroundColor Gray
                } else {
                    Add-Content -Path $file.FullName -Value $pemBlock
                    Write-Host "  Patched: $($file.FullName)" -ForegroundColor Green
                }
            }
        } else {
            Write-Host "  No cacert.pem found inside." -ForegroundColor Red
        }
    } else {
        Write-Host "`nNot installed, skipping: $version" -ForegroundColor Gray
    }
}

Write-Host "`nDone! Please restart AYON Launcher." -ForegroundColor Cyan

Replace YOUR.SERVER.IP with your actual AYON server IP address.
Run the script as Administrator.
Re-run it whenever you install a new AYON Launcher version.


Step 5 — Restart and Verify

After patching:

  1. Fully close the AYON Launcher
  2. Reopen it
  3. Connect using your HTTPS server URL — for example: https://ayon.mystudio.local

The launcher should now connect without SSL errors.


Troubleshooting

Still getting SSL errors after patching

  • Make sure you are patching the exact launcher version you are running
  • Check that the correct launcher version folder exists under C:\Program Files\Ynput\
  • Confirm the certificate was actually appended at the bottom of cacert.pem — not inside it or replacing content

Domain mismatch

The domain or IP in the certificate must match the URL you use in AYON Launcher exactly.

Example:

  • Certificate issued for: ayon.mystudio.local
  • Launcher URL must be: https://ayon.mystudio.local

If these do not match, SSL validation will fail regardless of the patching.

Certificate expired or renewed

If the server certificate is renewed or changed, you will need to re-run the script or manually re-append the new certificate to cacert.pem.

New AYON Launcher version installed

Every new launcher version gets a fresh cacert.pem. Re-run the script after any launcher update.

Server-side HTTPS not correctly configured

Even if the client trusts the certificate, the server must present a valid HTTPS configuration. Confirm your AYON server is correctly set up with HTTPS (e.g., via nginx reverse proxy or similar).


Why This Works

AYON Launcher is a Python-based desktop application. It uses the certifi package to verify SSL connections, which ships its own bundled list of trusted certificate authorities in cacert.pem.

By appending your server’s certificate to that file, you are explicitly telling Python’s SSL layer to trust your server, allowing all HTTPS connections from the launcher to succeed.


Notes

  • Use the CA/root certificate if possible — not only the leaf/server certificate
  • The certificate must match the domain or IP you connect to
  • This fix applies to all AYON Launcher connections over HTTPS, not just specific addons
  • Re-run the script after any AYON Launcher update
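
The Step 4 script appends whatever certificate the connection presents and detects an existing copy by matching the Base64 text. As an added example (not part of the original post or of AYON's code), the Python below appends a certificate only when its SHA-256 fingerprint equals one computed on the server itself, and recognises an existing copy by DER fingerprint so line wrapping does not matter. The function names, the label and the sample PEM data are assumptions made up for illustration.

```python
import hashlib
import re
import ssl
import tempfile
from pathlib import Path

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----.+?-----END CERTIFICATE-----", re.S)


def fingerprint(pem: str) -> str:
    """SHA-256 over the DER bytes, so PEM line wrapping and CRLF do not matter."""
    return hashlib.sha256(ssl.PEM_cert_to_DER_cert(pem)).hexdigest()


def fetch_presented_cert(host: str, port: int = 443) -> str:
    """Leaf certificate as PEM, fetched without validation like the script does."""
    return ssl.get_server_certificate((host, port))


def append_if_pinned(bundle: Path, pem: str, expected_fp: str, label: str) -> str:
    """Append pem only when it matches the fingerprint read on the server itself."""
    got = fingerprint(pem)
    if got != expected_fp.replace(":", "").lower():
        return "mismatch"  # not the expected certificate: bundle left untouched
    text = bundle.read_text(encoding="utf-8")
    if got in {fingerprint(block) for block in PEM_RE.findall(text)}:
        return "present"
    with bundle.open("a", encoding="utf-8") as fh:
        fh.write(f"\n# {label}\n{pem.strip()}\n")
    return "appended"


def demo() -> list:
    # Constructed stand-ins: arbitrary bytes wrapped as PEM, not real certificates.
    studio = ssl.DER_cert_to_PEM_cert(b"constructed studio certificate " * 4)
    other = ssl.DER_cert_to_PEM_cert(b"constructed unexpected certificate " * 4)
    pin = fingerprint(studio)  # in practice: computed on the server, sent out of band
    with tempfile.TemporaryDirectory() as tmp:
        bundle = Path(tmp) / "cacert.pem"
        bundle.write_text(ssl.DER_cert_to_PEM_cert(b"constructed public CA " * 4))
        rewrapped = studio.replace("\n", "\r\n")  # same certificate, CRLF line ends
        return [append_if_pinned(bundle, p, pin, "My Studio AYON Server Certificate")
                for p in (other, studio, rewrapped)]


if __name__ == "__main__":
    print(demo())
```

In real use the PEM passed to append_if_pinned would come from fetch_presented_cert or from a file exported on the server, and the bundle path would be the cacert.pem from Step 2.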

Hello, have you tried to set AYON_CA_FILE and AYON_CERT_FILE instead of this?

Thank you for sharing this guide. It’s great to know how different people around the community deal with this setup.

I can see your solution in essence follows the solution mentioned in AYON - HTTPS Connection not functioning from Ayon Launcher and adds an automation layer on top of it.

Also, as @iLLiCiT mentioned, I wonder if these environment variables are useful for you.

  • AYON_CA_FILE
  • AYON_CERT_FILE
  • or the general one SSL_CERT_FILE

I tried that and it didn’t work, it didn’t accept my cert.

Yeah, I didn’t see that one in the search, maybe I missed it. Should I remove mine, or keep it just in case?

Every collaboration counts. Thank you for taking the time and putting up your post.

1 Like

Hi everyone,

I would like to clarify that in my previous post, I mentioned modifying the cacert.pem file from the certifi package by appending my local certificate to the end of it, but saving it as a separate file.

I then deployed this file across our entire company network in a directory independent of the Ayon launcher folders. After that, I referenced this new combined file using the REQUEST_CA_BUNDLE_ environment variable.

By doing it this way, I ensure that even if the Ayon launcher versions are updated, the file remains intact and HTTPS continues to work. The only limitation I can foresee is that if the original certificates in the certifi package’s cacert.pem are updated alongside the launcher, those updates won’t be reflected in my file, since it remains static and is not updated regularly.

1 Like
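
The limitation raised in the post above, a static combined file that misses later updates to certifi's cacert.pem, can be detected and repaired. As an added example (not from the poster or from AYON), the Python below rebuilds the combined bundle whenever the newest launcher's cacert.pem differs from the one it was built from. The marker line, the function names and the ca-bundle.pem file name are assumptions; the folder pattern is the one given in the guide.

```python
import hashlib
import re
import tempfile
from pathlib import Path

MARKER = "# built-from-sha256:"  # hypothetical header naming the source bundle


def newest_launcher_bundle(root: Path) -> Path:
    """cacert.pem of the highest 'AYON <version>' folder under root."""
    def version(path: Path) -> tuple:
        return tuple(int(n) for n in re.findall(r"\d+", path.parents[2].name))
    return max(root.glob("AYON */dependencies/certifi/cacert.pem"), key=version)


def is_stale(combined: Path, upstream: Path) -> bool:
    """True if combined is missing or was built from a different upstream file."""
    want = f"{MARKER} {hashlib.sha256(upstream.read_bytes()).hexdigest()}"
    lines = combined.read_text(encoding="utf-8").splitlines() if combined.exists() else []
    return lines[:1] != [want]


def refresh(root: Path, studio_pem: str, combined: Path) -> bool:
    """Rebuild the combined bundle from the newest launcher copy; True if rebuilt."""
    upstream = newest_launcher_bundle(root)
    if not is_stale(combined, upstream):
        return False
    digest = hashlib.sha256(upstream.read_bytes()).hexdigest()
    public = upstream.read_text(encoding="utf-8").rstrip()
    tmp = combined.with_name(combined.name + ".tmp")
    body = f"{MARKER} {digest}\n{public}\n\n# Studio CA\n{studio_pem.strip()}\n"
    tmp.write_text(body, encoding="utf-8")
    tmp.replace(combined)  # swap in one step so clients never read a partial file
    return True


def demo() -> list:
    # Constructed folder layout and placeholder text; no real certificates.
    with tempfile.TemporaryDirectory() as tmp:
        root, out = Path(tmp) / "Ynput", Path(tmp) / "ca-bundle.pem"
        for ver in ("1.4.3", "1.10.0"):
            folder = root / f"AYON {ver}" / "dependencies" / "certifi"
            folder.mkdir(parents=True)
            (folder / "cacert.pem").write_text(f"# public CAs shipped with {ver}\n")
        rebuilt = [refresh(root, "<studio CA PEM>", out) for _ in range(2)]
        return rebuilt + ["1.10.0" in out.read_text()]


if __name__ == "__main__":
    print(demo())
```

Run on a schedule or at logon, refresh keeps the shared file in step with the launcher while the file itself stays outside the launcher folders.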