Description
- Gitea version (or commit ref): 1.7
When running gitea with configuration like:
```ini
PROTOCOL = https
DOMAIN = example.com
HTTP_PORT = 443
ROOT_URL = https://example.com/
ENABLE_LETSENCRYPT = true
```
And pushing to a repository (in my case over SSH), gitea errors with message:
```
[T] GetRepositoryByOwnerAndName: https://localhost:443/api/internal/repo/username/reponame
[...io/gitea/cmd/serv.go:194 runServ()] [F] Failed to get repository: Get https://localhost:443/api/internal/repo/username/reponame: remote error: tls: internal error
```
This happens because `localhost` naturally isn't a valid domain name in the certificate served by the HTTP server component.

Why is `localhost` selected as the host, then? In modules/setting/setting.go:824-832 the variable `HTTP_ADDR` (the address the web service binds to) is used, and if it is set to `0.0.0.0`, `localhost` is substituted as the host for the internal HTTP API call.

This issue can be alleviated by setting the variable `LOCAL_ROOT_URL` to include the FQDN that the x509 certificate is issued for.
However the documentation regarding this issue isn't too clear:
> LOCAL_ROOT_URL: %(PROTOCOL)s://%(HTTP_ADDR)s:%(HTTP_PORT)s/: Local (DMZ) URL for Gitea workers (such as SSH update) accessing web service. In most cases you do not need to change the default value. Alter it only if your SSH server node is not the same as HTTP node. Do not set this variable if PROTOCOL is set to unix.

My suggestion is to clarify the documentation, and to either make the local API URL generation more sophisticated to include this use case, or to use

```go
&http.Transport{
	TLSClientConfig: &tls.Config{InsecureSkipVerify: true},
}
```

to omit the certificate verification when accessing a `localhost` URL.
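The following is an added example, not Gitea's code and not part of the original report. `localRootURL` is a hypothetical re-implementation of the URL derivation described above (wildcard bind address `0.0.0.0` becomes `localhost` unless `LOCAL_ROOT_URL` overrides it), and `internalAPIClient` shows an alternative to `InsecureSkipVerify`: the client still connects to the loopback URL but sets `tls.Config.ServerName` to `DOMAIN`, so the certificate issued for the public FQDN is verified normally. `demo` reproduces both outcomes against `httptest.NewTLSServer`, whose built-in certificate names `example.com` and the loopback IPs but not `localhost`; the `/api/internal/repo/...` path is the one quoted in the log above.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"net/http"
	"net/http/httptest"
	"time"
)

// localRootURL mirrors the behaviour described in the issue (an assumption
// about Gitea's logic, not its actual code): when LOCAL_ROOT_URL is unset the
// internal API base URL is built from PROTOCOL, HTTP_ADDR and HTTP_PORT, and
// the wildcard bind address 0.0.0.0 is replaced by "localhost".
func localRootURL(protocol, httpAddr, httpPort, localRootURLSetting string) string {
	if localRootURLSetting != "" {
		return localRootURLSetting
	}
	host := httpAddr
	if host == "0.0.0.0" {
		host = "localhost"
	}
	return fmt.Sprintf("%s://%s:%s/", protocol, host, httpPort)
}

// internalAPIClient returns an HTTP client that may dial a loopback address
// but verifies the presented certificate against `domain` (the public FQDN).
// ServerName also becomes the SNI value sent in the handshake, so a server
// that selects certificates per name can find the one issued for the domain.
// roots == nil falls back to the system trust store.
func internalAPIClient(domain string, roots *x509.CertPool) *http.Client {
	return &http.Client{
		Timeout: 5 * time.Second,
		Transport: &http.Transport{
			TLSClientConfig: &tls.Config{
				ServerName: domain, // checked against the certificate's SANs
				RootCAs:    roots,
			},
		},
	}
}

// probe performs a GET with the given client and reports the status code or
// the transport/TLS error.
func probe(client *http.Client, url string) (int, error) {
	resp, err := client.Get(url)
	if err != nil {
		return 0, err
	}
	defer resp.Body.Close()
	return resp.StatusCode, nil
}

// demo starts a TLS test server (certificate valid for example.com and the
// loopback IPs, not for "localhost") and calls it twice: once verifying the
// name "localhost", which fails like the report describes, and once verifying
// "example.com", which succeeds without disabling verification.
func demo() (badErr error, goodStatus int, goodErr error) {
	srv := httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.WriteHeader(http.StatusOK)
	}))
	defer srv.Close()

	// Trust the test server's self-signed CA; in production this would be the
	// system store holding the Let's Encrypt chain.
	roots := x509.NewCertPool()
	roots.AddCert(srv.Certificate())
	target := srv.URL + "/api/internal/repo/username/reponame" // constructed path

	_, badErr = probe(internalAPIClient("localhost", roots), target)
	goodStatus, goodErr = probe(internalAPIClient("example.com", roots), target)
	return badErr, goodStatus, goodErr
}

func main() {
	fmt.Println("derived URL:", localRootURL("https", "0.0.0.0", "443", ""))
	badErr, status, goodErr := demo()
	fmt.Println("verify as localhost:  ", badErr)
	fmt.Println("verify as example.com:", status, goodErr)
}
```

The difference from the `InsecureSkipVerify` snippet is that the chain and hostname checks stay in place; only the name being checked is decoupled from the address being dialled, which is exactly the mismatch the report describes.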