Deploy Open WebUI on AlmaLinux 10 with Docker and ZeroSSL
Open WebUI gives you a polished self-hosted interface for local and remote AI backends, with chat history, model selection, model management, and a modern browser UI that is much easier to expose safely than a raw API endpoint. It is a strong fit when you want your own AI web interface on infrastructure you control.
In this guide, we restore a fresh AlmaLinux 10.1 server on Shape.Host, verify the latest stable Open WebUI release from the official project, install Docker Engine and Docker Compose from Docker’s official EL repository, deploy Open WebUI v0.8.10, place Nginx in front of it on tutorials.shape.host, secure the site with a trusted ZeroSSL certificate, and validate the finished installation from both the terminal and a browser.
| Application | Open WebUI |
|---|---|
| Application version | v0.8.10 |
| Operating system | AlmaLinux 10.1 |
| Container runtime | Docker Engine 29.3.0 with Docker Compose 5.1.0 |
| Reverse proxy | Nginx 1.26.3 |
| Public hostname | tutorials.shape.host |
| TLS issuer | ZeroSSL ECC Domain Secure Site CA |
| Validated on | Live Shape.Host AlmaLinux 10.1 server |
Why Use Open WebUI on AlmaLinux 10?
- AlmaLinux 10.1 gives you a current enterprise Linux base for containerized AI tooling.
- Open WebUI has an official Docker-based deployment path that is easy to reproduce on a clean server.
- Nginx lets you keep the application on localhost while exposing a clean public HTTPS endpoint.
- ZeroSSL gives you a trusted certificate for the web interface on your own hostname.
Before You Begin
Make sure you have the following in place before you start:
- A fresh AlmaLinux 10 server
- Root or sudo access
- A DNS record pointing tutorials.shape.host to your server IP
- Ports 80 and 443 open to the public internet
- Your ZeroSSL EAB key ID and EAB HMAC key for ACME account registration
1. Verify the AlmaLinux 10 Release
Start by confirming that the rebuilt server is actually running AlmaLinux 10.1.
cat /etc/os-release

2. Install Docker, Docker Compose, Nginx, and Base Dependencies
Open WebUI’s official quick-start path uses containers, so the clean AlmaLinux route is to install Docker Engine from Docker’s official EL repository instead of relying on older distro-packaged container builds.
dnf -y install ca-certificates curl git nginx openssl socat firewalld dnf-plugins-core policycoreutils-python-utils
dnf config-manager --add-repo https://download.docker.com/linux/centos/docker-ce.repo
dnf -y install docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin
systemctl enable --now docker nginx firewalld
firewall-cmd --permanent --add-service=http
firewall-cmd --permanent --add-service=https
firewall-cmd --reload
docker --version
docker compose version
nginx -v
git --version
firewall-cmd --state
On the validated AlmaLinux 10.1 deployment, this installed Docker Engine 29.3.0, Docker Compose 5.1.0, Nginx 1.26.3, and Git 2.47.3, with firewalld running normally.

3. Create the Open WebUI Docker Compose Configuration
The official quick-start page often shows the rolling main image in examples, but for a stable production-style deployment it is better to pin the current release tag. For a reverse-proxied setup, set CORS_ALLOW_ORIGIN to your final HTTPS URL.
mkdir -p /opt/open-webui
cd /opt/open-webui
cat > compose.yaml <<'EOF'
services:
  openwebui:
    # Pinned release tag instead of the rolling main image
    image: ghcr.io/open-webui/open-webui:v0.8.10
    container_name: open-webui
    restart: unless-stopped
    ports:
      # Publish on loopback only; Nginx is the public listener
      - 127.0.0.1:3000:8080
    environment:
      - CORS_ALLOW_ORIGIN=https://tutorials.shape.host
    volumes:
      - open-webui:/app/backend/data
volumes:
  open-webui:
EOF
grep '^    image:' compose.yaml
grep '^      - CORS_ALLOW_ORIGIN=' compose.yaml
cat compose.yaml
docker compose config --services
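The localhost-only port mapping keeps Open WebUI off the public interface so Nginx can proxy it securely, while CORS_ALLOW_ORIGIN matches the final browser origin used by the reverse proxy. The 127.0.0.1 prefix is what provides this isolation: ports that Docker publishes on all interfaces are handled by Docker's own packet-filter rules and are not limited to the services opened in firewalld in step 2.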
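As an added check that is not part of the original guide, the function below audits a compose file for the two properties this step depends on: a pinned image tag and loopback-only published ports. The function name, the list of rolling tag names, and the sample files are assumptions made for this example, and only the short ports syntax is handled.

```bash
#!/usr/bin/env bash
# Added example, not part of the original guide. Handles short "ports:" syntax only.

# Print one finding per line; return 0 when the file is clean, 1 otherwise.
audit_compose() {
    findings=$(awk -v sq="'" '
        BEGIN { Q = "[\"" sq "]" }          # regex matching either quote character
        /^[ \t]*image:/ {
            ref = $2; gsub(Q, "", ref)
            n = split(ref, parts, "/"); last = parts[n]
            if (ref ~ /@sha256:/) next      # digest-pinned: acceptable
            if (last !~ /:/) { print "UNPINNED image (no tag): " ref; next }
            tag = last; sub(/^.*:/, "", tag)
            # Assumed list of rolling tag names; extend for your registry.
            if (tag ~ /^(latest|main|dev|nightly)$/) print "ROLLING tag: " ref
            next
        }
        /^[ \t]*ports:[ \t]*$/ { in_ports = 1; next }
        in_ports && /^[ \t]*-[ \t]/ {
            m = $0; sub(/^[ \t]*-[ \t]*/, "", m); gsub(Q, "", m)
            if (m !~ /^(127\.0\.0\.1|\[::1\]):/) print "PUBLIC port mapping: " m
            next
        }
        { in_ports = 0 }                    # any other line ends the list
    ' "$1")
    if [ -z "$findings" ]; then return 0; fi
    printf '%s\n' "$findings"
    return 1
}

# Constructed samples: the guide's settings, then a careless variant.
demo_dir=$(mktemp -d)
cat > "$demo_dir/good.yaml" <<'EOF'
services:
  openwebui:
    image: ghcr.io/open-webui/open-webui:v0.8.10
    ports:
      - 127.0.0.1:3000:8080
EOF
cat > "$demo_dir/bad.yaml" <<'EOF'
services:
  openwebui:
    image: ghcr.io/open-webui/open-webui:main
    ports:
      - "3000:8080"
EOF
audit_compose "$demo_dir/good.yaml" && echo "good.yaml: clean"
audit_compose "$demo_dir/bad.yaml" || echo "bad.yaml: fix the findings above"
rm -rf "$demo_dir"
```

Run it against /opt/open-webui/compose.yaml before `docker compose up -d`; a non-zero exit status makes it usable as a gate in a deployment script.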

4. Start Open WebUI
With the compose file in place, start the container and confirm that the application answers locally before you expose it through Nginx.
4.1 Launch the Container
cd /opt/open-webui
docker compose up -d
sleep 30
On the live server, Docker pulled the official Open WebUI image, created the local data volume, and started the container successfully.

4.2 Validate the Running Container and Local HTTP Response
docker compose ps
docker compose images
curl -I http://127.0.0.1:3000
On the validated deployment, the container came up healthy on image tag v0.8.10 and the local endpoint returned HTTP/1.1 200 OK.

5. Configure Nginx and Issue a ZeroSSL Certificate
Create the initial HTTP site first so ZeroSSL can complete ACME webroot validation. Then switch the site to a permanent HTTPS redirect and a TLS-enabled proxy block with the WebSocket-friendly headers Open WebUI expects.
mkdir -p /var/www/_letsencrypt /etc/nginx/ssl/tutorials.shape.host
cat > /etc/nginx/conf.d/tutorials.shape.host.conf <<'EOF'
server {
    listen 80;
    server_name tutorials.shape.host;
    location /.well-known/acme-challenge/ {
        root /var/www/_letsencrypt;
        default_type "text/plain";
    }
    location / {
        proxy_pass http://127.0.0.1:3000;
        proxy_http_version 1.1;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_buffering off;
        proxy_read_timeout 86400;
    }
}
EOF
nginx -t
systemctl reload nginx
curl -fsSL https://get.acme.sh | sh -s email=contact@shape.host
/root/.acme.sh/acme.sh --set-default-ca --server zerossl
/root/.acme.sh/acme.sh --register-account --server zerossl --eab-kid YOUR_ZEROSSL_EAB_KID --eab-hmac-key YOUR_ZEROSSL_EAB_HMAC_KEY
/root/.acme.sh/acme.sh --issue --server zerossl --webroot /var/www/_letsencrypt -d tutorials.shape.host --keylength ec-256
/root/.acme.sh/acme.sh --install-cert -d tutorials.shape.host --ecc \
--fullchain-file /etc/nginx/ssl/tutorials.shape.host/fullchain.cer \
--key-file /etc/nginx/ssl/tutorials.shape.host/tutorials.shape.host.key \
--reloadcmd "systemctl reload nginx"
if command -v getenforce >/dev/null 2>&1 && [ "$(getenforce)" != "Disabled" ]; then
    setsebool -P httpd_can_network_connect 1
fi
cat > /etc/nginx/conf.d/tutorials.shape.host.conf <<'EOF'
server {
    listen 80;
    server_name tutorials.shape.host;
    location /.well-known/acme-challenge/ {
        root /var/www/_letsencrypt;
        default_type "text/plain";
    }
    location / {
        return 301 https://$host$request_uri;
    }
}
server {
    listen 443 ssl;
    http2 on;
    server_name tutorials.shape.host;
    ssl_certificate /etc/nginx/ssl/tutorials.shape.host/fullchain.cer;
    ssl_certificate_key /etc/nginx/ssl/tutorials.shape.host/tutorials.shape.host.key;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:10m;
    ssl_session_tickets off;
    location / {
        proxy_pass http://127.0.0.1:3000;
        proxy_http_version 1.1;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_buffering off;
        proxy_read_timeout 86400;
    }
}
EOF
nginx -t
systemctl reload nginx
On the validated AlmaLinux 10.1 server, ZeroSSL issued a trusted ECC certificate successfully and Nginx accepted the EL-style TLS syntax of listen 443 ssl; plus http2 on;. On this specific template, SELinux was disabled, so the conditional setsebool block was skipped automatically.

6. Validate the Public HTTPS Deployment
Finish by checking the running container, firewall state, SELinux status, public HTTPS response, and certificate issuer. In the example below, replace 51.89.69.216 with your own public server IP if you are reproducing this on a different machine.
cd /opt/open-webui
docker compose ps
docker compose images
firewall-cmd --list-services
sestatus
getsebool httpd_can_network_connect || true
nginx -v
curl -I --resolve tutorials.shape.host:443:51.89.69.216 https://tutorials.shape.host
openssl s_client -connect 51.89.69.216:443 -servername tutorials.shape.host < /dev/null 2>/dev/null | openssl x509 -noout -issuer -subject
On the live deployment, the application stayed healthy, the public site returned HTTP/2 200, and the certificate chain resolved to ZeroSSL ECC Domain Secure Site CA.

7. Open the Web Interface in Your Browser
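Once HTTPS is in place, open https://tutorials.shape.host in a browser. On the first visit, Open WebUI will load its welcome screen and you can continue with the initial admin account setup from the web interface. Because the first account created becomes the administrator, complete this step as soon as the site is publicly reachable.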

Conclusion
You now have Open WebUI running on AlmaLinux 10 with Docker Compose, Nginx, and a trusted ZeroSSL certificate on tutorials.shape.host. The live test for this guide confirmed Open WebUI v0.8.10, Docker Engine 29.3.0, Docker Compose 5.1.0, and Nginx 1.26.3 on a restored Shape.Host AlmaLinux 10.1 server.
From here, you can sign in through the browser, create the first admin account, and connect Open WebUI to the model backends you plan to use.