make gitea healthcheck work when configured for https

Paraphraser · Paraphraser · commit 4d3405d0c9c3 · 2025-04-30T16:53:02.000+10:00
When HTTPS was enabled, the healthcheck script failed for a number of
reasons, not the least of which were `curl` needing to be provided with
the path to the container's self-signed certificate and problems
associated with using "localhost" rather than the container name.

In theory, `gitea cert` will generate for `--host gitea,localhost` and
those do turn up in the certificate. But `curl` doesn't seem to like it.
Rather than try to figure out why `curl` gets upset, it's easier to just
use "hostname" syntax in the healthcheck URL. In other words:

```
https://gitea:3000
```

rather than:

```
https://localhost:3000
```

Although it isn't strictly necessary for HTTP, I used "hostname"
syntax for that URL too, for consistency.

Unlike `localhost`, "hostname" syntax also steers clear of IPv6 `::1`.

Documentation updated to include instructions for swapping the
healthcheck URLs when enabling HTTPS.

Signed-off-by: Phill Kelley &lt;34226495+Paraphraser@users.noreply.github.com&gt;
diff --git a/.templates/gitea/service.yml b/.templates/gitea/service.yml
@@ -19,10 +19,9 @@ gitea:
     - GITEA__security__INSTALL_LOCK=true
     - GITEA__security__SECRET_KEY=${GITEA_SECRET_KEY}
     - GITEA__security__INTERNAL_TOKEN=${GITEA_INTERNAL_TOKEN}
-
-
   healthcheck:
-    test: ["CMD", "curl", "-f", "http://localhost:3000"]
+    test: ["CMD", "curl", "-sf4", "-o", "/dev/null", "http://gitea:3000"]
+  # test: ["CMD", "curl", "-sf4", "--cacert", "/data/git/cert.pem", "-o", "/dev/null", "https://gitea:3000"]
     interval: 30s
     timeout: 10s
     retries: 5
diff --git a/docs/Containers/Gitea.md b/docs/Containers/Gitea.md
@@ -113,14 +113,9 @@ Environment variables need to be set in several stages:
 	- Generate a self-signed certificate:
 
 		``` console
-		$ docker exec gitea gitea cert --host «hostname»
+		$ docker exec gitea bash -c 'cd /data/git ; gitea cert --host gitea'
 		```
 
-		where `«hostname»` should be the first part of the fully-qualified domain name that the **user** uses to reach the Gitea service. Examples:
-
-		* `gitea.my.domain.com` = `gitea`
-		* `host.my.domain.com` = `host`
-
 	- Uncomment the following environment variables in the service definition:
 
 		``` yaml
@@ -132,6 +127,22 @@ Environment variables need to be set in several stages:
 
 		These variables tell Gitea where to find the X.509 certificate and matching private key that were generated in the first step.
 
+	- swap the comments on the `test` lines in the `healthcheck` clause:
+
+		``` yaml
+		healthcheck:
+		  test: ["CMD", "curl", "-sf4", "-o", "/dev/null", "http://gitea:3000"]
+		# test: ["CMD", "curl", "-sf4", "--cacert", "/data/git/cert.pem", "-o", "/dev/null", "https://gitea:3000"]
+		```
+
+		In other words, the final result should look like this:
+
+		``` yaml
+		healthcheck:
+		# test: ["CMD", "curl", "-sf4", "-o", "/dev/null", "http://gitea:3000"]
+		  test: ["CMD", "curl", "-sf4", "--cacert", "/data/git/cert.pem", "-o", "/dev/null", "https://gitea:3000"]
+		```
+
 	- Tell Gitea to enable HTTPS:
 
 		``` console
@@ -149,7 +160,14 @@ Environment variables need to be set in several stages:
 
 	Notes:
 
-	* The certificate has a one-year lifetime. It can be regenerated at any time by re-running the command provided earlier.
+	* The certificate has a one-year lifetime. It can be regenerated at any time by re-running the command provided earlier. You could, for example, embed it in a `cron` job, like this:
+
+		``` crontab
+		5    0     1    1,7  *   docker exec gitea bash -c 'cd /data/git ; gitea cert --host gitea' >/dev/null 2>&1
+		```
+
+		In words, run the command "at five minutes after midnight on the first of January and the first of July".
+
 	* Gitea also supports LetsEncrypt. See [using ACME with Let's Encrypt](https://docs.gitea.com/administration/https-setup#using-acme-default-lets-encrypt).
 
 ## database root password  { #rootpw }
