Gitea with auto-signed CA


I’m using two gitea instances, running in two distinct k8s environments (they run the official gitea container image 1.11.5 taken from Docker Hub).

These 2 k3s envs are both using a sub-CA that comes from a self-signed CA. The containers by themselves don’t serve TLS; TLS is performed by an Apache reverse proxy running on the k3s nodes.

To schematize I have something like:

#                                             /- gitea pod (master)
#                   /- K8S #1 ---------------+
#                  / (with apache/sub-CA #1)
# root CA --------+
# (auto-signed)    \
#                   \- K8S #2 ---------------+
#                     (with apache/sub-CA #2) \- gitea pod (slave)

The “slave” gitea needs to clone some projects hosted on the “master” gitea… And I’m facing an issue because Gitea doesn’t trust the certificate with the auto-signed CA on my k3s node #1.

I tried some live manipulations in my running Gitea “slave” pod to add the root-CA and sub-CA #1 certificates in /etc/ssl/certs and running the ‘update-ca-certificates’ command, but it had no impact.

I would like to avoid TLS verification, so my question is simple: with a Gitea instance that doesn’t run in HTTPS mode (e.g. no CERT_FILE nor KEY_FILE in the Gitea config), how can I get my auto-signed CA trusted?

Thanks for your help :slight_smile:

So my question is simple : how to get Git


For information, I solved my problem by adding my root CA into Alpine’s CA certificates path. To do that, I had to modify the Dockerfile by adding these steps:

COPY my_root_ca.pem /usr/local/share/ca-certificates/
RUN update-ca-certificates

And Gitea doesn’t bother me anymore with the auto-signed CA certificate.