Certificate error #100

Open
elettrico opened this issue Nov 29, 2024 · 7 comments · Fixed by #159
Labels
bug Something isn't working

Comments

@elettrico

Hi, I'm trying to use sourcebot for indexing a self-hosted instance.
When I start the docker image it immediately stops with this error:

[backend] | 2024-11-29T13:13:42.246Z debug: [GitLab] Fetching all projects visible in https://gitlab.*****.com....
[backend] | 2024-11-29T13:13:42.349Z error: [main] Failed to sync configuration file /data/config.json with error:
[backend] | TypeError: fetch failed
[backend] |     at node:internal/deps/undici/undici:13392:13
[backend] |     at process.processTicksAndRejections (node:internal/process/task_queues:95:5)
[backend] |     at async defaultRequestHandler (file:///app/node_modules/@gitbeaker/rest/dist/index.mjs:66:22)
[backend] |     at async file:///app/node_modules/@gitbeaker/core/dist/index.mjs:99:22
[backend] |     at async measure (file:///app/packages/backend/dist/utils.js:5:18)
[backend] |     at async getGitLabReposFromConfig (file:///app/packages/backend/dist/gitlab.js:23:53)
[backend] |     at async syncConfig (file:///app/packages/backend/dist/main.js:109:37)
[backend] |     at async measure (file:///app/packages/backend/dist/utils.js:5:18)
[backend] |     at async _syncConfig (file:///app/packages/backend/dist/main.js:191:36)
[backend] |     at async main (file:///app/packages/backend/dist/main.js:226:5) {
[backend] |   [cause]: Error: unable to verify the first certificate
[backend] |       at TLSSocket.onConnectSecure (node:_tls_wrap:1677:34)
[backend] |       at TLSSocket.emit (node:events:518:28)
[backend] |       at TLSSocket._finishInit (node:_tls_wrap:1076:8)
[backend] |       at ssl.onhandshakedone (node:_tls_wrap:862:12) {
[backend] |     code: 'UNABLE_TO_VERIFY_LEAF_SIGNATURE'
[backend] |   }

While debug is active, it's not very clear to me which certificate it's complaining about (I suppose it doesn't like that my gitlab instance has a self-signed certificate; also I am behind a proxy) or how I can inject my certificates or eventually ignore them.

Is there a way to do it?

Thanks

@brendan-kellam brendan-kellam added the bug Something isn't working label Nov 29, 2024
@brendan-kellam
Contributor

Heya - looking at the GitBeaker docs it mentions that you can use the NODE_EXTRA_CA_CERTS to inject your own certs.

Could you try adding -v /path/to/cert.pem:/app/cert.pem -e NODE_EXTRA_CA_CERTS=/app/cert.pem to your docker run command?

@elettrico
Author

elettrico commented Dec 2, 2024

Thank you, it seems to start with that option and the interface shows "indexing in progress...".
Anyway, the cloning doesn't work:

[backend] | 2024-12-02T15:55:45.880Z info: [main] Cloning gitlab.mydomain.com/group/repo.git...
[backend] | 2024-12-02T15:55:45.918Z error: [main] Cloning into bare repository '/data/.sourcebot/repos/gitlab.mydomain.com/group/repo.git'...
[backend] | fatal: unable to access 'https://gitlab.mydomain.com/group/repo.git/': SSL certificate problem: unable to get local issuer certificate
[backend] |
[backend] | Error: Cloning into bare repository '/data/.sourcebot/repos/gitlab.mydomain.com/group/repo.git'...
[backend] | fatal: unable to access 'https://gitlab.mydomain.com/group/repo.git/': SSL certificate problem: unable to get local issuer certificate
[backend] |
[backend] | at Object.action (file:///app/node_modules/simple-git/dist/esm/index.js:4462:25)
[backend] | at PluginStore.exec (file:///app/node_modules/simple-git/dist/esm/index.js:4501:25)
[backend] | at file:///app/node_modules/simple-git/dist/esm/index.js:1369:43
[backend] | at new Promise ()
[backend] | at GitExecutorChain.handleTaskData (file:///app/node_modules/simple-git/dist/esm/index.js:1367:16)
[backend] | at GitExecutorChain. (file:///app/node_modules/simple-git/dist/esm/index.js:1351:44)
[backend] | at Generator.next ()
[backend] | at fulfilled (file:///app/node_modules/simple-git/dist/esm/index.js:45:24)
[backend] | at process.processTicksAndRejections (node:internal/process/task_queues:95:5)

@elettrico
Author

Tried also with "-e NODE_TLS_REJECT_UNAUTHORIZED='0'" with no success

@elettrico
Author

The approach of simple-git in case of self-signed certificates is basically to ignore them: steveukx/git-js#626
While I think it's pretty dangerous to ignore certificates, it is a workaround that can temporarily solve the problem while waiting for a better solution. Is there a way to pass "http.sslVerify=false" to simple-git?

@elettrico
Author

elettrico commented Dec 2, 2024

So, I've resolved the certificate problem by mounting the host's trusted certificates into the container:

docker run -d -p 80:3000 -e SOURCEBOT_LOG_LEVEL=debug --rm --name sourcebot -v /etc/sourcebot:/data -v /etc/pki/ca-trust/source/anchors/my-cert.pem:/app/cert.pem -e NODE_EXTRA_CA_CERTS=/app/cert.pem -v /etc/pki/tls/certs/ca-bundle.crt:/etc/ssl/certs/ca-certificates.crt:ro -e CONFIG_PATH=/data/config.json ghcr.io/sourcebot-dev/sourcebot:latest
The host is RHEL 9, so the certificate files are in a different location; you have to adapt the command to your needs.
This also works, but is of course more insecure:

docker run -d -p 80:3000 -e SOURCEBOT_LOG_LEVEL=debug --rm --name sourcebot -v /etc/sourcebot:/data -v /etc/pki/tls/certs/ca-bundle.crt:/etc/ssl/certs/ca-certificates.crt:ro -e NODE_TLS_REJECT_UNAUTHORIZED=0 -e CONFIG_PATH=/data/config.json ghcr.io/sourcebot-dev/sourcebot:latest

Maybe it's worth adding to the documentation?

@brendan-kellam
Contributor

Nice thanks for listing your solution - agreed that we should add docs for this, I will try to get to it soon.

Just so I understand more: mounting my-cert.pem fixed errors when calling the gitlab API, and then mounting ca-bundle.crt fixed errors when doing git operations? Is my-cert.pem your private CA cert? What is the ca-bundle.crt?

@elettrico
Author

Hi,

  • "my-cert.pem" is the certificate used by gitlab
  • "ca-bundle.crt" is a bundle of all certificates (intermediate certs included) trusted by the host; it includes the same certificate (my-cert.pem) and its certificate chain. This file depends on the OS; in this case it is where RHEL 9 stores the trusted certs.
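As an added example (not Sourcebot's own tooling, and not from anyone in this thread): a small POSIX shell script that checks the two trust stores this thread ends up needing. Node's fetch trusts the file named in NODE_EXTRA_CA_CERTS, while git goes through OpenSSL and the bundle mounted at /etc/ssl/certs/ca-certificates.crt, so the script verifies by SHA-256 fingerprint that every certificate in my-cert.pem is also present in ca-bundle.crt, and it flags NODE_TLS_REJECT_UNAUTHORIZED=0 and GIT_SSL_NO_VERIFY (git's environment form of http.sslVerify=false), which switch verification off rather than add trust. It assumes openssl and awk are installed; the file paths are arguments, not fixed.

```shell
#!/bin/sh
# Added example, not part of Sourcebot. Node (the GitLab API client) trusts
# NODE_EXTRA_CA_CERTS; git clone goes through OpenSSL and the system bundle.
# This checks the CA given to Node is also in the bundle given to git, and
# flags settings that disable verification. Assumes `openssl` and `awk`.
# Print the SHA-256 fingerprint of every certificate in a PEM file, one per line.
pem_fingerprints() {
    tmp=$(mktemp -d)
    # Split the bundle: each BEGIN line starts a new numbered file.
    awk -v dir="$tmp" '/-----BEGIN CERTIFICATE-----/ { if (n) close(dir "/" n ".pem"); n++ }
                       n { print > (dir "/" n ".pem") }' "$1"
    for f in "$tmp"/*.pem; do
        [ -f "$f" ] || continue
        openssl x509 -in "$f" -noout -fingerprint -sha256 | sed 's/^.*=//'
    done
    rm -rf "$tmp"
}

# Return 0 when every certificate in $1 (e.g. my-cert.pem) is present in the
# bundle $2 (e.g. ca-bundle.crt), 1 when any is missing.
ca_in_bundle() {
    want=$(pem_fingerprints "$1")
    have=$(pem_fingerprints "$2")
    rc=0
    for fp in $want; do
        case "$have" in
            *"$fp"*) echo "present in bundle: $fp" ;;
            *)       echo "MISSING from bundle: $fp" >&2; rc=1 ;;
        esac
    done
    return $rc
}

# Return 1 if the environment disables verification globally: NODE_TLS_REJECT_UNAUTHORIZED=0
# turns off every Node TLS check; GIT_SSL_NO_VERIFY is git's env form of http.sslVerify=false.
check_env() {
    rc=0
    if [ "${NODE_TLS_REJECT_UNAUTHORIZED:-1}" = "0" ]; then
        echo "NODE_TLS_REJECT_UNAUTHORIZED=0 disables all Node TLS verification" >&2; rc=1
    fi
    if [ -n "${GIT_SSL_NO_VERIFY:-}" ]; then
        echo "GIT_SSL_NO_VERIFY is set: git will not verify server certificates" >&2; rc=1
    fi
    return $rc
}

# Usage: sh check-ca-trust.sh /path/to/my-cert.pem /path/to/ca-bundle.crt
[ $# -eq 2 ] && { check_env; ca_in_bundle "$1" "$2"; }
```

Run it on the host before starting the container; a MISSING line means git inside the container will still fail with "unable to get local issuer certificate" even though the API calls succeed.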
