Can't connect to Gitea due to SSL cert error - CA Certs not working #48

@dot-mike

version: v3.0.1
type: docker

Error seen when configuring Gitea connect:

2025-07-19T10:54:40.625551428Z Gitea connection test failed: 1 | class HttpError extends Error {
2025-07-19T10:54:40.626195388Z 2 |   constructor(message, status, statusText, response) {
2025-07-19T10:54:40.626254655Z 3 |     super(message);
2025-07-19T10:54:40.626316503Z         ^
2025-07-19T10:54:40.626366207Z HttpError: Network error: unable to get local issuer certificate
2025-07-19T10:54:40.626426086Z      status: 0,
2025-07-19T10:54:40.626470196Z  statusText: "Network Error",
2025-07-19T10:54:40.626521769Z    response: undefined,
2025-07-19T10:54:40.626563942Z
2025-07-19T10:54:40.626612647Z       at new HttpError (/app/dist/server/chunks/http-client_CVSk-VJJ.mjs:3:5)
2025-07-19T10:54:40.626750595Z       at httpRequest (/app/dist/server/chunks/http-client_CVSk-VJJ.mjs:72:11)
2025-07-19T10:54:40.626820919Z
2025-07-19T10:54:46.355674383Z Gitea connection test failed: 1 | class HttpError extends Error {
2025-07-19T10:54:46.356251672Z 2 |   constructor(message, status, statusText, response) {
2025-07-19T10:54:46.356322216Z 3 |     super(message);

Gitea domain: gitea.lan..com
I have a valid private root CA + intermediate CA. I added the CAs to /app/certs and can confirm they are bundled & used (at least according to the logs).

Confirming I have certs in place:
$ ls /volume2/docker/gitmirror/certs

ca-bundle.crt  mike-intermediate-ca.crt  mike-root-ca.crt

Any help appreciated!

Also, on another note, the variable NODE_EXTRA_CA_CERTS, according to https://github.com/RayLabsHQ/gitea-mirror/blob/main/certs/README.md, does not work! This is because the variable is overwritten in the docker-entrypoint bash script:

export NODE_EXTRA_CA_CERTS="$CA_BUNDLE"

Docker config:

services:
  gitea-mirror:
    image: ghcr.io/raylabshq/gitea-mirror:v3.0.1
    container_name: gitea-mirror
    restart: unless-stopped
    user: 1026:100
    ports:
      - "4321:4321"
    volumes:
      - /volume2/docker/gitmirror/data:/app/data
      - /volume2/docker/gitmirror/certs:/app/certs
    environment:
      - TZ=Europe/Berlin
      - NODE_ENV=production
      - DATABASE_URL=file:data/gitea-mirror.db
      - HOST=0.0.0.0
      - PORT=4321
      - BETTER_AUTH_SECRET=<secret>
      - BETTER_AUTH_URL=https://gitmirror.lan.mydomain.tld
      - ENCRYPTION_SECRET=<secret>
      - GITHUB_USERNAME=<secret>
      - GITHUB_TOKEN=<secret>
      - SKIP_FORKS=true
      - PRIVATE_REPOSITORIES=true
      - MIRROR_ISSUES=false
      - MIRROR_WIKI=false
      - MIRROR_STARRED=true
      - MIRROR_ORGANIZATIONS=false
      - PRESERVE_ORG_STRUCTURE=false
      - ONLY_MIRROR_ORGS=false
      - SKIP_STARRED_ISSUES=false
      - GITEA_URL=https://gitea.lan.mydomain.tld
      - GITEA_TOKEN=<secret>
      - GITEA_USERNAME=dot-mike
      - GITEA_ORGANIZATION=github-mirrors
      - GITEA_ORG_VISIBILITY=private
      - DELAY=${DELAY:-3600}
      # Optional: Skip TLS verification (insecure, use only for testing)
      # - GITEA_SKIP_TLS_VERIFY=${GITEA_SKIP_TLS_VERIFY:-false}
      # Header Authentication (for Reverse Proxy SSO)
      - HEADER_AUTH_ENABLED=${HEADER_AUTH_ENABLED:-false}
      - HEADER_AUTH_USER_HEADER=${HEADER_AUTH_USER_HEADER:-X-Authentik-Username}
      - HEADER_AUTH_EMAIL_HEADER=${HEADER_AUTH_EMAIL_HEADER:-X-Authentik-Email}
      - HEADER_AUTH_NAME_HEADER=${HEADER_AUTH_NAME_HEADER:-X-Authentik-Name}
      - HEADER_AUTH_AUTO_PROVISION=${HEADER_AUTH_AUTO_PROVISION:-false}
      - HEADER_AUTH_ALLOWED_DOMAINS=${HEADER_AUTH_ALLOWED_DOMAINS:-}
    healthcheck:
      test: ["CMD", "wget", "--no-verbose", "--tries=3", "--spider", "http://localhost:4321/api/health"]
      interval: 30s
      timeout: 10s
      retries: 5
      start_period: 15s
    networks:
      - caddy
    labels:
      caddy: gitmirror.lan.mydomain.tld
      caddy.reverse_proxy: "{{upstreams 4321}}"

networks:
  caddy:
    external: true

Full docker logs attached

logs.txt
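
An added example, not part of the original post and not the project's docker-entrypoint script: one way an entrypoint can merge a caller-supplied NODE_EXTRA_CA_CERTS into the generated bundle instead of overwriting it, as the reported `export NODE_EXTRA_CA_CERTS="$CA_BUNDLE"` line does. The function names and the bundle path in the usage comment are assumptions.

```shell
#!/usr/bin/env bash
# Added example, not the project's docker-entrypoint script.
# Function names are hypothetical; PEM-encoded *.crt / *.pem inputs are assumed.

# Concatenate every PEM certificate found in directory $1 into bundle file $2.
build_ca_bundle() {
  local dir="$1" out="$2" tmp f
  tmp="$(mktemp)" || return 1
  for f in "$dir"/*.crt "$dir"/*.pem; do
    [ -f "$f" ] || continue                       # glob matched nothing
    # Skip the bundle itself, so a restart does not fold the old bundle back in.
    if [ "$f" -ef "$out" ]; then continue; fi
    grep -q -- '-----BEGIN CERTIFICATE-----' "$f" || continue   # not PEM
    cat "$f" >> "$tmp"
    # A file without a trailing newline would glue END/BEGIN markers together.
    if [ -n "$(tail -c 1 "$f")" ]; then echo >> "$tmp"; fi
  done
  mv "$tmp" "$out"
}

# Print the path the runtime should receive in NODE_EXTRA_CA_CERTS.
# The variable names one file, so a caller-supplied file is appended to the
# bundle rather than replaced by it.
resolve_extra_ca_certs() {
  local dir="$1" bundle="$2" user="${NODE_EXTRA_CA_CERTS:-}"
  build_ca_bundle "$dir" "$bundle" || return 1
  if [ -n "$user" ] && [ -r "$user" ] && ! [ "$user" -ef "$bundle" ]; then
    cat "$user" >> "$bundle"
  fi
  if [ -s "$bundle" ]; then
    printf '%s\n' "$bundle"
  else
    printf '%s\n' "$user"      # nothing bundled: keep the caller's value
  fi
}

# Usage in an entrypoint, before the server process starts (Node reads the
# variable only at process start); the bundle path here is an assumption:
#   NODE_EXTRA_CA_CERTS="$(resolve_extra_ca_certs /app/certs /app/certs/ca-bundle.crt)"
#   export NODE_EXTRA_CA_CERTS
```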
