[BUG] Unable to connect to self-hosted gitlab over https when internal CA is used

[abpetrov]

📋 Checklist

• I’m running the latest main or a recent release.
• I’ve searched existing issues and no open issue covers this bug.
• If this is a build problem, I attached the full error log.

---

What version?

kingfisher --version 1.28.0

🐞 What happened?

I am trying to connect to a self-hosted gitlab instance which uses a certificate from an internal CA and kingfisher fails with UnknownIssuer. The internal CA is trusted by the OS.

✅ What did you expect to happen?

Connection to self-hosted gitlab via https with internal CA should succeed.

🔢 Reproduction steps

I tried the following:

1. Run kingfisher directly

kingfisher gitlab repos list --gitlab-api-url="https://server.local/"
 INFO kingfisher::update: Checking for updates…
 WARN kingfisher::update: Failed to check for updates
Error: api error: client error: communication with gitlab: error sending request for url (https://server.local/api/v4/user?)

Caused by:
    0: client error: communication with gitlab: error sending request for url (https://server.local/api/v4/user?)
    1: communication with gitlab: error sending request for url (https://server.local/api/v4/user?)
    2: error sending request for url (https://server.local/api/v4/user?)
    3: client error (Connect)
    4: invalid peer certificate: UnknownIssuer

2. Specify environment variable with the CA bundle.

SSL_CERT_FILE="/etc/pki/tls/certs/ca-bundle.crt" ./kingfisher gitlab repos list --gitlab-api-url="https://server.local/"
 INFO kingfisher::update: Checking for updates…
 WARN kingfisher::update: Failed to check for updates
Error: api error: client error: communication with gitlab: error sending request for url (https://server.local/api/v4/user?)

Caused by:
    0: client error: communication with gitlab: error sending request for url (https://server.local/api/v4/user?)
    1: communication with gitlab: error sending request for url (https://server.local/api/v4/user?)
    2: error sending request for url (https://server.local/api/v4/user?)
    3: client error (Connect)
    4: invalid peer certificate: UnknownIssuer

💻 Environment

Item	Value
OS / Distro	Red Hat Enterprise Linux release 9.6
kingfisher ver.	1.28.0

[mickgmdb]

Thank you for reporting this issue @abpetrov ! I'll review it this week and get it fixed.

[mickgmdb]

@abpetrov - This issue should now be resolved: #74

It will be in v1.34.0, which is building now, and should be available in the releases section here in about 60 minutes.

[abpetrov]

Hi Mick,

It works when I specify the SSL_CERT_FILE environment variable, but still fails with UnknownIssuer, when I don't specify it. As a sanity check I ran curl https://server.local/api/v4/user? and it connects OK without the need of SSL_CERT_FILE environment variable.

Thanks,
Alex.

[mickgmdb]

Does it work if you install the certificates in your system cert store? That's ultimately the change that I made, to have Kingfisher read from the system's cert store.

[abpetrov]

The certificates are already installed in the system cert store. The command SSL_CERT_FILE="/etc/pki/tls/certs/ca-bundle.crt" ./kingfisher gitlab repos list --gitlab-api-url="https://server.local/", which works, points the environment variable to read the system cert store of RHEL, but if I don't specify SSL_CERT_FILE, it doesn't work.

[mickgmdb]

I'm going to set this up locally so that I can test it directly myself. Stay posted.