"unable to get local issuer certificate" cloning from gitea, on unix:// socket, behind SSL terminating Nginx proxy?

i’ve nginx

/usr/local/nginx/sbin/nginx -v
	nginx version: nginx/1.21.4 (local build)

as reverse proxy in front of

gitea -v
	Gitea version 1.15.8 built with GNU Make 4.1, go1.16.12 : bindata, sqlite, sqlite_unlock_notify

gitea listens on a unix: socket,

ROOT = /data/gitea/repos

PROTOCOL         = unix
HTTP_ADDR        = /run/gitea/gitea.sock
ROOT_URL         = https://gitea.example.com/
DISABLE_SSH      = true
SSH_PORT         = 22
LFS_CONTENT_PATH = /data/gitea/lfs
OFFLINE_MODE     = true

nginx is config’d as an SSL terminator, lintening only on :443,

upstream GITEAproxy  { server unix:/run/gitea/gitea.sock; }
server {
	listen ssl http2;
	server_name gitea.example.com ;

	ssl_client_certificate "/svr/etc/ssl/my_CA.CHAIN.crt.pem";
	ssl_verify_client  on;
	ssl_verify_depth 2;
	ssl_certificate        "/svr/etc/ssl/gitea.example.com.server.EC.crt.pem";
	ssl_certificate_key    "/svr/etc/ssl/gitea.example.com.server.EC.key.pem";

	location / {proxy_pass http://GITEAproxy;}

passing un-encrypted http:// traffic to the backend

NO issues accessing the WebUI in browser.

Logged-in as “myAdmin”, I create a repo, ‘test’

@ nav to,

https ://gitea.example.com/myAdmin/test

I see:

Quick Guide
Clone this repository Need help cloning? Visit Help.
[HTTPS] https://gitea.example.com/myAdmin/test.git

so, at my shell,

git clone https://gitea.example.com/myAdmin/test.git
	Cloning into 'test'...
	fatal: unable to access 'https://gitea.example.com/myAdmin/test.git/': SSL certificate problem: unable to get local issuer certificate

Iiuc, that’s gitea complaining about the cert.

In my config, gitea should be seeing only unencrypted traffic. Running the app server on a socket listener, I’m fine with a non-SSL gitea backend.

I’ve miconfigured something.

Is a different ROOT_URL needed? Or other/add’l config?


even though my own-CA ROOT ssl cert had been added to my system cert store,
I needed to explicitly provide my intermediate cert to git for client usage with the nginx-proxied gitea server


cat /etc/gitconfig
	    helper = store --file /srv/etc/sec/.git-credentials
	[http "https://gitea.example.com"]
	        sslVerify = true
	        sslCertPasswordProtected = false
+++	        sslCAInfo = /srv/etc/sec/my_CA.CHAIN.crt.pem
	        sslCert   = /srv/etc/sec/dev.example.com.client.EC.crt.pem
	        sslKey    = /srv/etc/sec/dev.example.com.client.EC.key.pem

does the trick; checkout now works as expected.

1 Like