[GH-ISSUE #48] Can't connect to Gitea due to SSL cert error - CA Certs not working #23

Closed
opened 2026-02-27 15:54:36 +03:00 by kerem · 3 comments

Originally created by @dot-mike on GitHub (Jul 19, 2025).
Original GitHub issue: https://github.com/RayLabsHQ/gitea-mirror/issues/48

version: v3.0.1
type: docker

Error seen when configuring Gitea connect:

2025-07-19T10:54:40.625551428Z Gitea connection test failed: 1 | class HttpError extends Error {
2025-07-19T10:54:40.626195388Z 2 |   constructor(message, status, statusText, response) {
2025-07-19T10:54:40.626254655Z 3 |     super(message);
2025-07-19T10:54:40.626316503Z         ^
2025-07-19T10:54:40.626366207Z HttpError: Network error: unable to get local issuer certificate
2025-07-19T10:54:40.626426086Z      status: 0,
2025-07-19T10:54:40.626470196Z  statusText: "Network Error",
2025-07-19T10:54:40.626521769Z    response: undefined,
2025-07-19T10:54:40.626563942Z
2025-07-19T10:54:40.626612647Z       at new HttpError (/app/dist/server/chunks/http-client_CVSk-VJJ.mjs:3:5)
2025-07-19T10:54:40.626750595Z       at httpRequest (/app/dist/server/chunks/http-client_CVSk-VJJ.mjs:72:11)
2025-07-19T10:54:40.626820919Z
2025-07-19T10:54:46.355674383Z Gitea connection test failed: 1 | class HttpError extends Error {
2025-07-19T10:54:46.356251672Z 2 |   constructor(message, status, statusText, response) {
2025-07-19T10:54:46.356322216Z 3 |     super(message);

Gitea domain: gitea.lan.<mydomain>.com
I have valid private ROOT CA + Intermediate CA. I added the CAs to /app/certs and can confirm they are bundled & used (at least according to logs)

Confirming I have certs in place:
$ ls /volume2/docker/gitmirror/certs

ca-bundle.crt  mike-intermediate-ca.crt  mike-root-ca.crt

Any help appreciated!

Also on another note, the variable NODE_EXTRA_CA_CERTS, according to https://github.com/RayLabsHQ/gitea-mirror/blob/main/certs/README.md, does not work! This is because the variable is overwritten in the docker-entrypoint bash script

https://github.com/RayLabsHQ/gitea-mirror/blob/8d2919717fee1fa644dd7d46bc4feef297c16444/docker-entrypoint.sh#L25

Docker config:

services:
  gitea-mirror:
    image: ghcr.io/raylabshq/gitea-mirror:v3.0.1
    container_name: gitea-mirror
    restart: unless-stopped
    user: 1026:100
    ports:
      - "4321:4321"
    volumes:
      - /volume2/docker/gitmirror/data:/app/data
      - /volume2/docker/gitmirror/certs:/app/certs
    environment:
      - TZ=Europe/Berlin
      - NODE_ENV=production
      - DATABASE_URL=file:data/gitea-mirror.db
      - HOST=0.0.0.0
      - PORT=4321
      - BETTER_AUTH_SECRET=<secret>
      - BETTER_AUTH_URL=https://gitmirror.lan.mydomain.tld
      - ENCRYPTION_SECRET=<secret>
      - GITHUB_USERNAME=<secret>
      - GITHUB_TOKEN=<secret>
      - SKIP_FORKS=true
      - PRIVATE_REPOSITORIES=true
      - MIRROR_ISSUES=false
      - MIRROR_WIKI=false
      - MIRROR_STARRED=true
      - MIRROR_ORGANIZATIONS=false
      - PRESERVE_ORG_STRUCTURE=false
      - ONLY_MIRROR_ORGS=false
      - SKIP_STARRED_ISSUES=false
      - GITEA_URL=https://gitea.lan.mydomain.tld
      - GITEA_TOKEN=<secret>
      - GITEA_USERNAME=dot-mike
      - GITEA_ORGANIZATION=github-mirrors
      - GITEA_ORG_VISIBILITY=private
      - DELAY=${DELAY:-3600}
      # Optional: Skip TLS verification (insecure, use only for testing)
      # - GITEA_SKIP_TLS_VERIFY=${GITEA_SKIP_TLS_VERIFY:-false}
      # Header Authentication (for Reverse Proxy SSO)
      - HEADER_AUTH_ENABLED=${HEADER_AUTH_ENABLED:-false}
      - HEADER_AUTH_USER_HEADER=${HEADER_AUTH_USER_HEADER:-X-Authentik-Username}
      - HEADER_AUTH_EMAIL_HEADER=${HEADER_AUTH_EMAIL_HEADER:-X-Authentik-Email}
      - HEADER_AUTH_NAME_HEADER=${HEADER_AUTH_NAME_HEADER:-X-Authentik-Name}
      - HEADER_AUTH_AUTO_PROVISION=${HEADER_AUTH_AUTO_PROVISION:-false}
      - HEADER_AUTH_ALLOWED_DOMAINS=${HEADER_AUTH_ALLOWED_DOMAINS:-}
    healthcheck:
      test: ["CMD", "wget", "--no-verbose", "--tries=3", "--spider", "http://localhost:4321/api/health"]
      interval: 30s
      timeout: 10s
      retries: 5
      start_period: 15s
    networks:
      - caddy
    labels:
      caddy: gitmirror.lan.mydomain.tld
      caddy.reverse_proxy: "{{upstreams 4321}}"

networks:
  caddy:
    external: true

Full docker logs attached

logs.txt (https://github.com/user-attachments/files/21327425/logs.txt)

kerem closed this issue 2026-02-27 15:54:37 +03:00
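
A sketch of an entrypoint step that honours an operator-supplied NODE_EXTRA_CA_CERTS instead of overwriting it, the behaviour the issue above reports. This is an added example, not the project's docker-entrypoint.sh; the function names and the fallback to ca-bundle.crt in the mounted directory are assumptions.

```shell
#!/bin/sh
# Added example, not the project's docker-entrypoint.sh.
# Picks the CA file for NODE_EXTRA_CA_CERTS without overwriting a value the
# operator already set. Node reads this variable once, at process start, so
# it has to be exported before the server is exec'd.

# Print how many PEM certificate blocks FILE contains (0 if unreadable).
count_pem_certs() {
    [ -r "$1" ] || { echo 0; return 0; }
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

# Print the CA file to use, or return 1 if none is usable.
# $1 = mounted cert directory (e.g. /app/certs from the compose file above).
select_extra_ca() {
    cert_dir=$1
    # 1. An operator-supplied path wins when it is a readable PEM file.
    if [ -n "${NODE_EXTRA_CA_CERTS:-}" ]; then
        if [ "$(count_pem_certs "$NODE_EXTRA_CA_CERTS")" -gt 0 ]; then
            printf '%s\n' "$NODE_EXTRA_CA_CERTS"
            return 0
        fi
        echo "warn: NODE_EXTRA_CA_CERTS=$NODE_EXTRA_CA_CERTS has no PEM certificates" >&2
    fi
    # 2. Otherwise fall back to the bundle in the mounted directory.
    bundle="$cert_dir/ca-bundle.crt"
    if [ "$(count_pem_certs "$bundle")" -gt 0 ]; then
        printf '%s\n' "$bundle"
        return 0
    fi
    echo "warn: no usable CA bundle in $cert_dir; system trust store only" >&2
    return 1
}

# Demo on constructed files (the PEM bodies are placeholders, not real certs).
demo_dir=$(mktemp -d)
printf '%s\n' '-----BEGIN CERTIFICATE-----' 'CONSTRUCTED' '-----END CERTIFICATE-----' \
    > "$demo_dir/ca-bundle.crt"
cp "$demo_dir/ca-bundle.crt" "$demo_dir/custom.pem"

unset NODE_EXTRA_CA_CERTS
echo "unset  -> $(select_extra_ca "$demo_dir")"
NODE_EXTRA_CA_CERTS="$demo_dir/custom.pem"
echo "preset -> $(select_extra_ca "$demo_dir")"
rm -rf "$demo_dir"
# In an entrypoint:
#   ca=$(select_extra_ca /app/certs) && export NODE_EXTRA_CA_CERTS="$ca"
```

Whichever file is selected has to contain every CA in the chain that the server does not send itself; otherwise "unable to get local issuer certificate" persists.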

@arunavo4 commented on GitHub (Jul 19, 2025):

Give me some time, I will test this and let you know. There was a similar issue someone had and the solution in the readme worked.


@arunavo4 commented on GitHub (Oct 22, 2025):

@dot-mike did you figure it out?


@dot-mike commented on GitHub (Oct 22, 2025):

Thanks for reaching back to me. I've since moved on to using a simple bash script to execute mirroring. So in a way I resolved it...
