Description
Problem
The Gitea authentication process does not correctly use the operating system certificate authority collection.
I have a custom CA and mounted my full certificate authority chain to /etc/ssl/certs/ca-certificates.crt.
However, when I attempted to set up OAuth2 I received the error:
tls: failed to verify certificate: x509: certificate signed by unknown authority
I verified that the container OS ca-certs were working correctly by using curl inside the container:
podman exec -it --user git gitea-app curl https://keycloak.fake.com/realms/main/.well-known/openid-configuration
I found a previous issue referencing this same problem:
#29420 (comment)
Referencing their workaround, I mounted my root and sub CA certs separately under the /etc/ssl/certs directory.
Gitea now correctly verified the custom certificate. However, the container OS no longer recognized the custom CA (curl fails).
I have verified that the same issue exists for LDAP authentication.
Solution
Gitea should use the standard OS CA collection instead of scanning the CA directory. For Alpine Linux that is /etc/ssl/ca-certificates.crt or /etc/ssl/cert.pem (a symlink to the former).
Gitea Version
1.22.4
Can you reproduce the bug on the Gitea demo site?
No
Log Gist
No response
Screenshots
No response
Git Version
No response
Operating System
Docker container docker.io/gitea/gitea:1.22.3
How are you running Gitea?
Launching docker container via systemd using podman
Database
None