"unable to get local issuer certificate" cloning from gitea, on unix:// socket, behind SSL terminating Nginx proxy?

I’ve nginx

/usr/local/nginx/sbin/nginx -v
	nginx version: nginx/1.21.4 (local build)

as reverse proxy in front of

gitea -v
	Gitea version 1.15.8 built with GNU Make 4.1, go1.16.12 : bindata, sqlite, sqlite_unlock_notify

gitea listens on a unix: socket,

...
[repository]
ROOT = /data/gitea/repos

[server]
PROTOCOL         = unix
HTTP_ADDR        = /run/gitea/gitea.sock
UNIX_SOCKET_PERMISSION = 666
ROOT_URL         = https://gitea.example.com/
DISABLE_HTTP_GIT = false
DISABLE_SSH      = true
SSH_PORT         = 22
SSH_EXPOSE_ANONYMOUS = false
LFS_START_SERVER = true
LFS_CONTENT_PATH = /data/gitea/lfs
LFS_JWT_SECRET   = g...
OFFLINE_MODE     = true
...

nginx is config’d as an SSL terminator, listening only on :443,

upstream GITEAproxy  { server unix:/run/gitea/gitea.sock; }
server {
	listen 192.168.1.10:443 ssl http2;
	server_name gitea.example.com ;

	ssl_client_certificate "/svr/etc/ssl/my_CA.CHAIN.crt.pem";
	ssl_verify_client  on;
	ssl_verify_depth 2;
	ssl_certificate        "/svr/etc/ssl/gitea.example.com.server.EC.crt.pem";
	ssl_certificate_key    "/svr/etc/ssl/gitea.example.com.server.EC.key.pem";

	location / {proxy_pass http://GITEAproxy;}
	...
}

passing unencrypted http:// traffic to the backend

NO issues accessing the WebUI in browser.

Logged in as “myAdmin”, I create a repo, ‘test’

@ nav to,

https://gitea.example.com/myAdmin/test

I see:

Quick Guide
Clone this repository Need help cloning? Visit Help.
[HTTPS] https://gitea.example.com/myAdmin/test.git

so, at my shell,

git clone https://gitea.example.com/myAdmin/test.git
	Cloning into 'test'...
	fatal: unable to access 'https://gitea.example.com/myAdmin/test.git/': SSL certificate problem: unable to get local issuer certificate

IIUC, that’s gitea complaining about the cert.

In my config, gitea should be seeing only unencrypted traffic. Running the app server on a socket listener, I’m fine with a non-SSL gitea backend.

I’ve misconfigured something.

Is a different ROOT_URL needed? Or other/add’l config?

[SOLVED]

Even though my own-CA ROOT ssl cert had been added to my system cert store,
I needed to explicitly provide my intermediate cert to git for client usage with the nginx-proxied gitea server.

i.e.,

cat /etc/gitconfig
	...
	[credential]
	    helper = store --file /srv/etc/sec/.git-credentials
	[http "https://gitea.example.com"]
	        sslVerify = true
	        sslCertPasswordProtected = false
+++	        sslCAInfo = /srv/etc/sec/my_CA.CHAIN.crt.pem
	        sslCert   = /srv/etc/sec/dev.example.com.client.EC.crt.pem
	        sslKey    = /srv/etc/sec/dev.example.com.client.EC.key.pem
	...

does the trick; checkout now works as expected.
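Added example, not from the original post: a shell script that builds a throwaway root/intermediate/server chain with openssl, reproduces the "unable to get local issuer certificate" verify error offline, and shows the two ways it clears: the client pointed at a CA chain file (the sslCAInfo fix above), or the server sending the intermediate alongside its leaf (nginx expects ssl_certificate to contain the server cert followed by its intermediates). The CA names, file names and temporary paths are constructed for this demo.

```shell
#!/bin/sh
# Added example, not from the original post: reproduce the libcurl/git failure
# "unable to get local issuer certificate" offline with a throwaway PKI
# (root -> intermediate -> server) and show what makes it pass. The CA names
# (demo-root, demo-int) and all file names are constructed for this demo.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:gitea.example.com\n' > leaf.ext

# EC key plus CSR for one name: mkcsr <basename> <CN>
mkcsr() {
  openssl ecparam -name prime256v1 -genkey -noout -out "$1.key"
  openssl req -new -key "$1.key" -subj "/CN=$2" -out "$1.csr" 2>/dev/null
}
mkcsr root demo-root
openssl x509 -req -in root.csr -signkey root.key -days 1 -extfile ca.ext -out root.crt 2>/dev/null
mkcsr int demo-int
openssl x509 -req -in int.csr -CA root.crt -CAkey root.key -CAcreateserial -days 1 \
  -extfile ca.ext -out int.crt 2>/dev/null
mkcsr srv gitea.example.com
openssl x509 -req -in srv.csr -CA int.crt -CAkey int.key -CAcreateserial -days 1 \
  -extfile leaf.ext -out srv.crt 2>/dev/null

# The poster's sslCAInfo file: intermediate and root together
cat int.crt root.crt > my_CA.CHAIN.crt.pem

# check <client trust store> [<extra certs the server sends with its leaf>]
# Prints OK or the verify error text; git surfaces the same text via libcurl.
check() {
  if [ $# -gt 1 ]; then out=$(openssl verify -CAfile "$1" -untrusted "$2" srv.crt 2>&1 || true)
  else out=$(openssl verify -CAfile "$1" srv.crt 2>&1 || true); fi
  case "$out" in
    *"unable to get local issuer certificate"*) echo "unable to get local issuer certificate" ;;
    *": OK"*) echo OK ;;
    *) echo "$out" ;;
  esac
}

# 1. Store holds only the root, server sends only its leaf: the poster's failure
check root.crt
# 2. Client pointed at the CA chain file (the sslCAInfo fix): the issuer is findable
check my_CA.CHAIN.crt.pem
# 3. Server sends leaf+intermediate (nginx ssl_certificate as a full chain), root-only store
check root.crt int.crt
```

Case 3 is the server-side fix: concatenating the intermediate after the leaf in the file named by ssl_certificate lets every client that trusts only the root build the chain, with no per-client sslCAInfo.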
