We are self-hosting gitea with a (not self signed) x509 certificate for https encryption.
The website works fine in a webbrowser, without needing to install a certificate or CA. The root of the CA tree is included in Linux /etc/ssl/certs/ca-certificates.crt.
However, when trying to run ‘git clone https://’, it fails with ‘fatal: unable to access : server certificate verification failed. CAfile: none CRLfile: none’
After some research, this is apparently due to the fact that we are only serving the certificate, not the chain including intermediaries. This is verified by testing with e.g. ‘https://whatsmychaincert.com’. However, if I replace the cert.pem in the gitea configuration with ‘chain.pem’, gitea fails to start webserver, with the message ‘tls: private key does not match public key’. I’ve verified that the certificate itself, at the end of chain.pem, is exactly the same as the contents of ‘cert.pem’.
How do I get gitea to properly serve the full certificate chain (without root certificate)? It seems that this is needed for better browser support, and ‘git clone’ from the command line.