How do I configure SSL certificates for LangSmith Playground with custom model providers?

Last updated: April 16, 2026

Context

When using LangSmith's self-hosted deployment with custom model providers that use internal SSL certificates, the Playground service may encounter SSL verification errors. This typically manifests as certificate verification failures when the Playground tries to connect to your custom model provider endpoints. The error occurs because the Playground container doesn't trust the internal Certificate Authority (CA) that signed your SSL certificates.

Answer

To resolve SSL certificate issues with LangSmith Playground, you need to mount your CA certificate bundle to the playground service and configure the appropriate environment variables.

Step 1: Prepare your CA certificate bundle

Ensure you have a proper PEM file containing your Certificate Authority certificates. This should be a trust store file in PEM format containing one or more public certificates of trusted CAs.

Step 2: Create a Kubernetes secret

Create a secret containing your CA certificate bundle:

kubectl create secret generic langsmith-tls --from-file=ca-bundle.pem=your-ca-bundle.pem -n langsmith

Step 3: Configure your Helm values

Add the following configuration to your values.yaml file:

playground:
  deployment:
    volumes:
      - name: ca-bundle
        secret:
          secretName: langsmith-tls
    volumeMounts:
      - name: ca-bundle
        mountPath: /etc/ssl/certs/ca-bundle.pem
        readOnly: true
    extraEnv:
      - name: LANGSMITH_PLAYGROUND_TLS_MODEL_PROVIDERS
        value: "openai,custom"
      - name: LANGSMITH_PLAYGROUND_TLS_CA
        value: "/etc/ssl/certs/ca-bundle.pem"

Step 4: Apply the configuration

Update your LangSmith deployment:

helm upgrade langsmith langchain/langsmith -n langsmith --values values.yaml

Step 5: Verify the configuration

Test the SSL connection from within the playground container:

kubectl exec langsmith-playground-pod -it -- /bin/bash
openssl s_client -connect your-model-provider.com:443 -CAfile /etc/ssl/certs/ca-bundle.pem

The connection should succeed without certificate verification errors.

Additional Notes:

  • Make sure your model configuration uses the correct internal base URL and model names

  • The CA certificate file must be in PEM format and contain the complete certificate chain

  • Restart the playground pods after applying the configuration changes

For more detailed information about custom TLS certificates, refer to the LangSmith documentation.