FYI: gitea certificate should be signed by a CA authority <-> backstage #127
Comments
I tested different scenarios without success, except when using, for example, a valid domain and GoDaddy:
Otherwise, when I use gitea locally plus the following tools to generate the certificate, it fails, as backstage reports errors. See hereafter:
The minica or mkcert tools DO NOT WORK, as backstage, when creating the git repo, returns:
openssl DOES NOT WORK either, as we also got:
If we try to add the CA root + localhost crt to a chain crt file, then we get another error:
That could work using certbot if you have a domain!
Can you help me? @nabuskey |
@cmoulliard when you tried the following
what commands did you use? I assume you were attempting to add the certs into the bundle used by the backstage container, correct? |
I was simply concatenating the different pem files into one called fullchain (cat file1 file2 > fullchain.pem) |
I'm not using here a backstage container/pod but running backstage using simply (yarn dev, etc) |
I found a trick using such env var
then I can launch the gitea server where ssl is enabled using
The openssl crt file looks like this one
Then backstage does not complain and can create a git repository :-) |
I would recommend against using the |
Can we use NODE_EXTRA_CA_CERTS and point it to your fullchain.pem? https://nodejs.org/api/cli.html#node_extra_ca_certsfile |
Alternatively, we could use the |
This option is working :-) @jessesanford |
I don't think that we should use such an option, as we will run gitea as a Kubernetes pod. A better approach would be to use Cert Manager, which is able to generate a self-signed certificate https://cert-manager.io/docs/configuration/selfsigned/#bootstrapping-ca-issuers (the CA crt can be used from a secret), and to distribute the bundle using: https://cert-manager.io/docs/trust/trust-manager/
Note: I developed a project for java applications and cert manager + pkcs12 - https://github.com/snowdrop/pki?tab=readme-ov-file#create-a-pkcs12-using-cert-manager |
For local usage of the gitea server (= when running standalone and not as k8s's pod), we can create the certificate using simply the gitea client command =>
To control everything like key size, algorithm, Subject, CN, AltNames, etc., using openssl does the job too ;-)
|
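Added example, not part of the thread or of the project's code: one way to build the kind of openssl chain discussed above, with a private root CA that signs a localhost certificate carrying SAN entries, and a check that the leaf verifies only against that CA. File names, subject names and lifetimes are assumptions.

```shell
#!/bin/sh
# Added example: private root CA plus a localhost server certificate signed by it.
# File names, subject names and lifetimes are assumptions made for the example.

make_local_ca_chain() {  # make_local_ca_chain <output-dir>
  dir="$1"
  mkdir -p "$dir" || return 1
  cat > "$dir/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Local Dev Root CA
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
EOF
  cat > "$dir/leaf.ext" <<'EOF'
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:localhost, IP:127.0.0.1
EOF
  # Root CA: self-signed and marked CA:TRUE so clients accept it as an issuer.
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -config "$dir/ca.cnf" \
    -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null || return 1
  # Server key and CSR; the subject is overridden on the command line.
  openssl req -new -newkey rsa:2048 -nodes -config "$dir/ca.cnf" -subj "/CN=localhost" \
    -keyout "$dir/server.key" -out "$dir/server.csr" 2>/dev/null || return 1
  # Sign the CSR with the CA, adding the SAN entries clients match hostnames against.
  openssl x509 -req -in "$dir/server.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
    -CAcreateserial -days 30 -sha256 -extfile "$dir/leaf.ext" \
    -out "$dir/server.crt" 2>/dev/null || return 1
  # Chain file for the server: leaf first, then its issuer.
  cat "$dir/server.crt" "$dir/ca.crt" > "$dir/fullchain.pem"
}

verify_leaf() {  # verify_leaf <ca-file> <leaf-file>: true only if the leaf chains to that CA
  openssl verify -CAfile "$1" "$2" 2>&1 | grep -q ': OK$'
}

has_san() {  # has_san <cert-file> <dns-name>
  openssl x509 -in "$1" -noout -text | grep -q "DNS:$2"
}

# Run directly with a directory argument to build and check a chain.
if [ -n "${1:-}" ]; then
  make_local_ca_chain "$1" && verify_leaf "$1/ca.crt" "$1/server.crt" && echo "chain OK"
fi
```

The server would present `server.crt` with `server.key`, while a Node.js client such as backstage only needs `ca.crt` in its trust store, for instance through the `NODE_EXTRA_CA_CERTS` variable mentioned earlier in the thread.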
FYI
The gitea certificate used by idpbuilder should be signed by a CA authority (Let's Encrypt, etc.), otherwise backstage won't accept creating a project on a gitea repository