go-gitea / gitea

Git with a cup of tea! Painless self-hosted all-in-one software development service, including Git hosting, code review, team collaboration, package registry and CI/CD
https://gitea.com
MIT License
43.88k stars 5.38k forks

Mirrored repositories fail when /etc/ssl/certs forwarded from host #31227

Open joshqou opened 2 months ago

joshqou commented 2 months ago

Description

I have a gitea repo set up with a git+https push-mirror enabled. Trying to update the remote repo results in an error with the tooltip text: push failed: fatal: unable to access 'https://git.example.com/user/repo/': error setting certificate file: /etc/ssl/certs/ca-certificates.crt

I had the system /etc/ssl/certs forwarded from the host as read-only since I have my own certificate authority. Gitea only tries to use /etc/ssl/certs/ca-certificates.crt and fails if it does not exist. I've also tried binding /etc/ssl and /etc/pki but gitea doesn't seem to look for any other valid cert chains.

Gitea Version

1.22.0

Can you reproduce the bug on the Gitea demo site?

No

Log Gist

No response

Screenshots

No response

Git Version

n/a

Operating System

Fedora Server 39

How are you running Gitea?

latest-rootless with podman

Database

MySQL/MariaDB

silverwind commented 2 months ago

This cert reading is all golang crypto behaviour, and I'm not sure whether we can change it:

https://go.dev/src/crypto/x509/root_linux.go

If crypto has functionality to change the cert paths, it could of course be optionally exposed in the config.
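
A check that can be run inside the container to see how each bundle path from the linked root_linux.go resolves once the host directory is mounted over it. This is an added example, not code from Gitea, from Go, or from anyone in this thread; the path list is an assumption copied from that file and `CheckBundle` is a hypothetical helper.

```go
package main

import (
	"crypto/x509"
	"encoding/pem"
	"fmt"
	"os"
	"path/filepath"
)

// Bundle paths from the linked root_linux.go (assumed current for your Go version).
var candidateFiles = []string{
	"/etc/ssl/certs/ca-certificates.crt",
	"/etc/pki/tls/certs/ca-bundle.crt",
	"/etc/ssl/ca-bundle.pem",
	"/etc/pki/tls/cacert.pem",
	"/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem",
	"/etc/ssl/cert.pem",
}

// CheckBundle (hypothetical helper) classifies path under root ("" = live
// filesystem) and counts the certificates in it that actually parse.
func CheckBundle(root, path string) (string, int) {
	full := filepath.Join(root, path)
	fi, err := os.Lstat(full)
	if err != nil {
		return "missing", 0
	}
	// A bind mount can bring in a symlink whose target stayed on the host.
	if _, err := os.Stat(full); err != nil && fi.Mode()&os.ModeSymlink != 0 {
		return "dangling symlink", 0
	}
	data, err := os.ReadFile(full)
	if err != nil {
		return "unreadable", 0
	}
	n := 0
	for block, rest := pem.Decode(data); block != nil; block, rest = pem.Decode(rest) {
		if _, err := x509.ParseCertificate(block.Bytes); block.Type == "CERTIFICATE" && err == nil {
			n++
		}
	}
	return "readable", n
}

func main() {
	for _, p := range candidateFiles {
		status, n := CheckBundle("", p)
		fmt.Printf("%-50s %s, %d certificates\n", p, status, n)
	}
}
```

A path that is "readable" with 0 certificates is as unusable for verification as a missing one, so compare the output before and after adding the mount.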