I have gitea running locally and am using nginx as a reverse proxy to serve it over https.
nginx is using a certificate which I obtained from my self-signed CA
I’ve mapped this CA certificate to /etc/ssl/certs/ca-certificates.crt in the drone-server (note that this replaces the container's whole CA bundle rather than adding to it)
my builds fail at the clone step with
Initialized empty Git repository in /drone/src/.git/
+ git fetch origin +refs/heads/master:
fatal: unable to access 'https://192.168.1.72/giles/q.git/': SSL certificate problem: unable to get local issuer certificate
FWIU this is because whatever is trying to clone the repository doesn’t trust its CA, so it rejects the certificate. (With the docker runner the clone is done inside a separate step container that the runner starts over the docker socket, so the trust stores of the drone-server and runner containers are not what that git process consults.)
I’ve worked out I can skip this verification with
skip_verify=true
but where do I have to have the CA certificate in order NOT to skip the verification?
It’s added to the drone-server and I’ve tried adding it to the runner but to no avail.
Moreover, if I disable the default clone and use a docker container to do the clone it works even though it doesn’t have the CA certificate.
confused!!!
for example
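steps:
  - name: clone2
    image: alpine/git
    commands:
      # `-git` (no space after the dash) is not a list item; the command
      # must be written `- git ...`.
      # NOTE(review): git normally rejects a private-CA certificate exactly
      # like the default clone did; if this really succeeds without the CA,
      # confirm what this image's git trusts before relying on it.
      - git clone https://192.168.1.72/giles/q.git .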
works
here is the compose file for the docker stack I am running (the OAuth client secret and RPC secret below are the live values, so they need rotating now that they have been posted)
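# Docker stack: Gitea behind nginx (TLS from a private CA), Drone server,
# Drone runners and a private registry.
# `driver: overlay` and top-level `secrets:` indicate `docker stack deploy`;
# swarm ignores `depends_on`, so start-up order is not guaranteed.
version: "3.7"

services:
  nginx:
    image: nginx:latest
    ports:
      # Port mappings are quoted: unquoted H:M-looking values can be read
      # as base-60 integers by YAML 1.1 parsers.
      - "443:443"
    volumes:
      - ./nginx/nginx.conf:/etc/nginx/nginx.conf
    networks:
      - appnet
    secrets:
      - registry-cert
      - registry-key

  gitea:
    image: gitea/gitea:latest
    environment:
      - USER_UID=1000
      - USER_GID=1000
      - ROOT_URL=https://192.168.1.72/
      - SSH_DOMAIN=192.168.1.72
    volumes:
      - gitea-app:/data
    ports:
      #- "3000"
      - "22:22"
    networks:
      - appnet

  gitea-db:
    image: postgres:alpine
    ports:
      # Publishes the database on every host interface with the default
      # postgres/postgres credentials, so anyone on the LAN can log in.
      # Gitea reaches it over appnet; drop this mapping unless host access
      # is really needed, and set a non-default password either way.
      - "5440:5432"
    volumes:
      - gitea-db:/var/lib/postgresql/data
    environment:
      - POSTGRES_USER=postgres
      - POSTGRES_PASSWORD=postgres
      - POSTGRES_DB=gitea
    networks:
      - appnet

  drone-server:
    image: drone/drone:latest
    ports:
      - "80:8080"
      - "9000"
    volumes:
      - drone:/var/lib/drone
      - drone-data:/data
      # Overwrites the image's entire CA bundle with the single private CA,
      # so the server stops trusting every public CA. Only the server's own
      # calls to Gitea are affected by this file; the clone step runs in a
      # separate container started by the runner, which this mount does not
      # reach (see docker-runner below).
      - ./ca-certificates/sigyl-ca.crt:/etc/ssl/certs/ca-certificates.crt
    depends_on:
      - gitea
    environment:
      - DRONE_LOGS_DEBUG=true
      #- DRONE_LOGS_TEXT=true
      - DRONE_LOGS_PRETTY=true
      #- DRONE_LOGS_COLOR=true
      - DRONE_GITEA_SERVER=https://192.168.1.72
      # Live credentials in a file that has been shared publicly: rotate
      # the OAuth client secret in Gitea and generate a new RPC secret, then
      # keep them out of the compose file (env substitution or Docker
      # secrets) so they are not committed alongside it.
      - DRONE_GITEA_CLIENT_ID=2367e63b-74e5-4dae-9ab8-89b8396e5385
      - DRONE_GITEA_CLIENT_SECRET=4-Dq2rTRJaj3ENulOdaNgonCgTEq65kJtvOLIWX36jU=
      - DRONE_SERVER_HOST=192.168.1.72  # tunnel hostname
      - DRONE_ADMIN=giles
      # Plain HTTP on the published port 80: sessions, and any runner RPC
      # that goes through this port, cross the LAN unencrypted unless nginx
      # fronts it.
      - DRONE_SERVER_PROTO=http  # tunnel adds https on top
      - DRONE_SERVER_PORT=:8080
      - DRONE_RPC_SECRET=e67c92e92ca32511e0e36dd58ca1bcc3
      - DRONE_USER_CREATE=username:giles,admin:true
      - DRONE_AGENTS_ENABLED=true
    networks:
      - appnet

  # Legacy agent. Running it next to docker-runner with the same RPC secret
  # registers two runners (16 slots) that compete for the same builds; keep
  # one of them.
  drone-agent:
    image: drone/agent:latest
    command: agent
    depends_on:
      - drone-server
    volumes:
      # Root-equivalent access to the host; every pipeline step can reach it.
      - /var/run/docker.sock:/var/run/docker.sock
      # Exposes the registry's private key to the agent; nothing here uses it.
      - ./certificates:/certificates
      #- ./ca-certificates/ca-certificates.crt:/etc/ssl/certs/ca-certificates.crt
    environment:
      - DRONE_RPC_SERVER=http://drone-server:8080
      - DRONE_RPC_SECRET=e67c92e92ca32511e0e36dd58ca1bcc3
      - DRONE_RUNNER_CAPACITY=8
      # Was `"local"`; in list-form `environment` the quotes stay part of
      # the value the process sees.
      - DRONE_RUNNER_NAME=local
    # Added: drone-server is only attached to appnet, so without it the
    # agent has no route to `drone-server`.
    networks:
      - appnet

  docker-runner:
    image: drone/drone-runner-docker:1
    depends_on:
      - drone-server
    volumes:
      # Root-equivalent access to the host; every pipeline step can reach it.
      - /var/run/docker.sock:/var/run/docker.sock
      # Exposes the registry's private key to the runner; nothing here uses it.
      - ./certificates:/certificates
      # Mounting the CA here does not fix the clone: the runner does not run
      # git itself, it starts a throwaway step container over docker.sock
      # and git runs in there.
      #- ./ca-certificates/ca-certificates.crt:/etc/ssl/certs/ca-certificates.crt
    environment:
      - DRONE_RPC_PROTO=http
      # Reach the server over the overlay network (now that the runner is on
      # appnet) instead of the LAN address, as drone-agent already does; this
      # keeps the RPC secret off the published port 80.
      - DRONE_RPC_HOST=drone-server:8080
      - DRONE_RPC_SECRET=e67c92e92ca32511e0e36dd58ca1bcc3
      - DRONE_RUNNER_CAPACITY=8
      # Was `"docker-runner"`; see DRONE_RUNNER_NAME on drone-agent.
      - DRONE_RUNNER_NAME=docker-runner
      # To have the default clone verify the Gitea certificate instead of
      # using skip_verify, mount the CA into every step container. The left
      # side is resolved by the docker daemon, so it must be an absolute
      # host path, not one relative to this file:
      #- DRONE_RUNNER_VOLUMES=/ABSOLUTE/HOST/PATH/sigyl-ca.crt:/etc/ssl/certs/ca-certificates.crt
    #ports:
    #  - "3001:3000"
    networks:
      - appnet

  registry:
    image: registry:2
    ports:
      - "5000:5000"
    volumes:
      - ./certificates:/certs
    environment:
      - REGISTRY_HTTP_ADDR=0.0.0.0:5000
      # Was quoted inside the value; in list-form `environment` the quotes
      # likely stay part of the value, so the path would not match a file.
      - REGISTRY_HTTP_TLS_CERTIFICATE=/certs/sigyl-registry.crt
      - REGISTRY_HTTP_TLS_KEY=/certs/sigyl-registry.key
    networks:
      - appnet

volumes:
  gitea-app:
  gitea-db:
  drone:
  drone-data:

networks:
  appnet:
    driver: overlay
    #external: true

secrets:
  registry-cert:
    file: .secrets/sigyl-registry.crt
  registry-key:
    file: .secrets/sigyl-registry.key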
and here is an example .drone.yml
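---
kind: pipeline
type: docker
name: default

clone:
  # Disables TLS verification for the checkout: the build accepts any
  # certificate presented for 192.168.1.72, so the source could be altered
  # in transit. Stopgap only; remove once the private CA is mounted into
  # step containers (e.g. the docker runner's DRONE_RUNNER_VOLUMES) so the
  # default clone verifies the Gitea certificate.
  skip_verify: true

steps:
  - name: build
    image: giles:dind
    volumes:
      - name: dockersock
        path: /var/run
    commands:
      # Wait for the dind service's daemon instead of a fixed sleep; a slow
      # daemon start would otherwise fail the first docker call.
      - for i in $(seq 1 30); do docker info >/dev/null 2>&1 && break; sleep 1; done
      - docker info >/dev/null
      - docker pull hello-world:latest
      - docker tag hello-world:latest 192.168.1.72:5000/hello-world:latest
      # The registry serves TLS from the private CA; the dind daemon must
      # trust that CA (or list the registry as insecure) for the push.
      - docker push 192.168.1.72:5000/hello-world:latest

services:
  - name: docker
    image: giles:dind
    # Needed for docker-in-docker, but a privileged container is effectively
    # root on the host; keep the image pinned and restrict which
    # repositories/branches may run this pipeline.
    privileged: true
    volumes:
      - name: dockersock
        path: /var/run

volumes:
  - name: dockersock
    temp: {}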