Update CA certificates? #1784

Open
opened 2025-02-03 15:19:21 +00:00 by MichaelAgarkov · 1 comment
MichaelAgarkov commented 2025-02-03 15:19:21 +00:00

Comment

I'm trying to migrate a repo from my personal Git hosting website. It has a certificate issued by GlobalSign, yet I get the following:
`Get "https://michaelagarkov.ru/api/v1/version": tls: failed to verify certificate: x509: certificate signed by unknown authority`
My guess is that the CA certificates Codeberg uses need to be refreshed?

Gusted commented 2025-02-03 20:21:44 +00:00
Owner

Not so sure what is going on with these certificates, but I can only connect to the site with a web browser; e.g. curl on my machines fails to verify the certificate.

I do have reason to believe that the web server that is terminating TLS is not giving any chain certificates, specifically "GlobalSign GCC R3 DV TLS CA 2020", which is in no CA root store as it's an intermediate certificate. Browsers do fetch this on the fly, but most programs, such as Go's TLS stack (and thus by extension Forgejo/Codeberg), do not and thus cannot verify the certificate chain. I do not think there's anything actionable for Codeberg to do here.

Reference: Codeberg/Community#1784