mirror of
https://github.com/go-gitea/gitea.git
synced 2026-07-18 00:14:44 -05:00
LDAP with custom root CA #6567
Open
opened 2025-11-02 06:59:47 -06:00 by GiteaMirror
·
15 comments
No Branch/Tag Specified
main
release/v1.25
release/v1.24
release/v1.23
release/v1.22
release/v1.21
release/v1.20
release/v1.19
release/v1.18
release/v1.17
release/v1.16
release/v1.15
release/v1.14
release/v1.13
release/v1.12
release/v1.11
release/v1.10
release/v1.9
release/v1.8
v1.25.3
v1.25.2
v1.25.1
v1.25.0
v1.24.7
v1.25.0-rc0
v1.26.0-dev
v1.24.6
v1.24.5
v1.24.4
v1.24.3
v1.24.2
v1.24.1
v1.24.0
v1.23.8
v1.24.0-rc0
v1.25.0-dev
v1.23.7
v1.23.6
v1.23.5
v1.23.4
v1.23.3
v1.23.2
v1.23.1
v1.23.0
v1.23.0-rc0
v1.24.0-dev
v1.22.6
v1.22.5
v1.22.4
v1.22.3
v1.22.2
v1.22.1
v1.22.0
v1.23.0-dev
v1.22.0-rc1
v1.21.11
v1.22.0-rc0
v1.21.10
v1.21.9
v1.21.8
v1.21.7
v1.21.6
v1.21.5
v1.21.4
v1.21.3
v1.21.2
v1.20.6
v1.21.1
v1.21.0
v1.21.0-rc2
v1.21.0-rc1
v1.20.5
v1.22.0-dev
v1.21.0-rc0
v1.20.4
v1.20.3
v1.20.2
v1.20.1
v1.20.0
v1.19.4
v1.21.0-dev
v1.20.0-rc2
v1.20.0-rc1
v1.20.0-rc0
v1.19.3
v1.19.2
v1.19.1
v1.19.0
v1.19.0-rc1
v1.20.0-dev
v1.19.0-rc0
v1.18.5
v1.18.4
v1.18.3
v1.18.2
v1.18.1
v1.18.0
v1.17.4
v1.18.0-rc1
v1.19.0-dev
v1.18.0-rc0
v1.17.3
v1.17.2
v1.17.1
v1.17.0
v1.17.0-rc2
v1.16.9
v1.17.0-rc1
v1.18.0-dev
v1.16.8
v1.16.7
v1.16.6
v1.16.5
v1.16.4
v1.16.3
v1.16.2
v1.16.1
v1.16.0
v1.15.11
v1.17.0-dev
v1.16.0-rc1
v1.15.10
v1.15.9
v1.15.8
v1.15.7
v1.15.6
v1.15.5
v1.15.4
v1.15.3
v1.15.2
v1.15.1
v1.14.7
v1.15.0
v1.15.0-rc3
v1.14.6
v1.15.0-rc2
v1.14.5
v1.16.0-dev
v1.15.0-rc1
v1.14.4
v1.14.3
v1.14.2
v1.14.1
v1.14.0
v1.13.7
v1.14.0-rc2
v1.13.6
v1.13.5
v1.14.0-rc1
v1.15.0-dev
v1.13.4
v1.13.3
v1.13.2
v1.13.1
v1.13.0
v1.12.6
v1.13.0-rc2
v1.14.0-dev
v1.13.0-rc1
v1.12.5
v1.12.4
v1.12.3
v1.12.2
v1.12.1
v1.11.8
v1.12.0
v1.11.7
v1.12.0-rc2
v1.11.6
v1.12.0-rc1
v1.13.0-dev
v1.11.5
v1.11.4
v1.11.3
v1.10.6
v1.12.0-dev
v1.11.2
v1.10.5
v1.11.1
v1.10.4
v1.11.0
v1.11.0-rc2
v1.10.3
v1.11.0-rc1
v1.10.2
v1.10.1
v1.10.0
v1.9.6
v1.9.5
v1.10.0-rc2
v1.11.0-dev
v1.10.0-rc1
v1.9.4
v1.9.3
v1.9.2
v1.9.1
v1.9.0
v1.9.0-rc2
v1.10.0-dev
v1.9.0-rc1
v1.8.3
v1.8.2
v1.8.1
v1.8.0
v1.8.0-rc3
v1.7.6
v1.8.0-rc2
v1.7.5
v1.8.0-rc1
v1.9.0-dev
v1.7.4
v1.7.3
v1.7.2
v1.7.1
v1.7.0
v1.7.0-rc3
v1.6.4
v1.7.0-rc2
v1.6.3
v1.7.0-rc1
v1.7.0-dev
v1.6.2
v1.6.1
v1.6.0
v1.6.0-rc2
v1.5.3
v1.6.0-rc1
v1.6.0-dev
v1.5.2
v1.5.1
v1.5.0
v1.5.0-rc2
v1.5.0-rc1
v1.5.0-dev
v1.4.3
v1.4.2
v1.4.1
v1.4.0
v1.4.0-rc3
v1.4.0-rc2
v1.3.3
v1.4.0-rc1
v1.3.2
v1.3.1
v1.3.0
v1.3.0-rc2
v1.3.0-rc1
v1.2.3
v1.2.2
v1.2.1
v1.2.0
v1.2.0-rc3
v1.2.0-rc2
v1.1.4
v1.2.0-rc1
v1.1.3
v1.1.2
v1.1.1
v1.1.0
v1.0.2
v1.0.1
v1.0.0
v0.9.99
Labels
Clear labels
$20
$250
$50
$500
backport/done
💎 Bounty
docs-update-needed
good first issue
hacktoberfest
issue/bounty
issue/confirmed
issue/critical
issue/duplicate
issue/needs-feedback
issue/not-a-bug
issue/regression
issue/stale
issue/workaround
lgtm/need 2
modifies/api
modifies/translation
outdated/backport/v1.18
outdated/theme/markdown
outdated/theme/timetracker
performance/bigrepo
performance/cpu
performance/memory
performance/speed
pr/breaking
proposal/accepted
proposal/rejected
pr/wip
pull-request
reviewed/wontfix
💰 Rewarded
skip-changelog
status/blocked
topic/accessibility
topic/api
topic/authentication
topic/build
topic/code-linting
topic/commit-signing
topic/content-rendering
topic/deployment
topic/distribution
topic/federation
topic/gitea-actions
topic/issues
topic/lfs
topic/mobile
topic/moderation
topic/packages
topic/pr
topic/projects
topic/repo
topic/repo-migration
topic/security
topic/theme
topic/ui
topic/ui-interaction
topic/ux
topic/webhooks
topic/wiki
type/bug
type/deprecation
type/docs
type/enhancement
type/feature
type/miscellaneous
type/proposal
type/question
type/refactoring
type/summary
type/testing
type/upstream
Mirrored from GitHub Pull Request
Milestone
No items
No Milestone
Projects
Clear projects
No project
No Assignees
Notifications
Due Date
No due date set.
Dependencies
No dependencies set.
Reference: github-starred/gitea#6567
Reference in New Issue
Block a user
Blocking a user prevents them from interacting with repositories, such as opening or commenting on pull requests or issues. Learn more about blocking a user.
Delete Branch "%!s()"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
Originally created by @mddeff on GitHub (Dec 22, 2020).
[x]):Description
Gitea doesn't provide a method for allowing admins to inject custom root CAs for LDAPS authentication. Most web applications that I've used which leverage LDAP allow for admins to paste in a root CA for doing ldap authentication.
Scope
If you can add your CA cert to the root trust store for the OS, then you're golden. For regular VM/bare metal installs, this is almost a non-issue. In most cases, those hosts would likely be joined to your domain (IPA or AD) and likely have the root CA cert for your domain already added.
For docker/kubernetes, this is a non-starter. You have to either:
/etc/ssl/certs/ca-certificates.crt) is ephemeral and subsequently not 'durable'volumeMountover the existing system cert storeWorkaround
Based off of the alpine linux image, one can update the root store like so:
But as mentioned above, (for docker/kube at least), this is very fragile.
This issue is not new as it's been alluded to in #6335 and #13396.
Thoughts?
@mddeff commented on GitHub (Dec 22, 2020):
Looks like there are other that are having issues with the docker image not being able to affect the container CA trust store. (#2744)
Maybe the best solution is to have the docker container update the CA truststore on boot. This way all people have to do is mount a config map into
/usr/local/share/ca-certificatesand you're good to go. There are obvious security implications to this (auto-importing CA certificates), but I think that if somebody ca affect what your configMaps are, they can swap out the "image" spec and run amok anyways.@delfuego commented on GitHub (Feb 10, 2021):
Count me as someone who has to disable TLS verification for my LDAPS server, since it's signed by an internal-CA chain. I certainly would advocate for some way to load additional certificates into the root trust store of a Dockerized Gitea image!
@Dunky13 commented on GitHub (May 19, 2021):
Same here, but for oauth OIDC.
@mddeff commented on GitHub (May 19, 2021):
Thinking about this more, many apps allow for admin-provided CA certs specifically for LDAP authentication. I cant think of a single instance where my LDAP server (IPA or AD) has had it's certs in a chain that's distributed with OSes. Typically, this same chain needs to have a CA somewhere towards the top that the auth service can control for other signing reasons (krb, client certs, etc), Subsequently, the LDAP/Auth CA's cert won't be signed by anybody in the main trust stores (because they aren't going to sign CA Certs with it's own signing power).
Support for custom LDAP CAs
Hashicorp Vault
Rancher
gitlab
While adding support in gittea is inherently a larger lift, I think its the "better" solution (at least, the more common one). Barring that, the proposed solution of having the container bootstrap in certs would work too. I could go either way.
@matthias-colt commented on GitHub (Jul 13, 2021):
How can the certificate check with ldaps be disabled on current Gitea release?
I can only see an option "Skip TLS Verify" in the SMTP section but not for LDAP config.
@th3r3d commented on GitHub (Sep 13, 2021):
Can be done same for OAuth OIDC as suggested by Dunky13 pls.
@zeripath commented on GitHub (Sep 13, 2021):
Skip TLS verify is already in 1.16
@th3r3d commented on GitHub (Sep 13, 2021):
Sorry didnt check roadmap for 1.16. Thank you
@johannagnarsson commented on GitHub (Nov 7, 2022):
Are there any plans of having the container update the ca trust store on boot? currently we need to run it manually inside the container which isn't really feasible.
@sei-mkaar commented on GitHub (Nov 7, 2022):
@johannagnarsson We found that certificates mounted in
/etc/ssl/certsare added to the container trust store automatically. Here's a working Helm config that demonstrates it:https://github.com/cmu-sei/foundry-appliance/blob/main/foundry/common/gitea.values.yaml#L227
Credit to this blog for the idea:
https://schemesandnotions.io/posts/giteadroneselfsignedtls/#gitea---droneci
@johannagnarsson commented on GitHub (Nov 7, 2022):
That totally worked! I was mounting my certs into the "recommended" alpine directory
/usr/local/share/ca-certificates/which wasn't working. Thank you so much for that @sei-mkaar !!@justusbunsi commented on GitHub (Nov 14, 2022):
Awesome, this is working 🤯. Thanks for sharing @sei-mkaar and to the unknown author of the mentioned blog post.
@sei-mkaar commented on GitHub (Nov 17, 2022):
You're welcome. 😄
And it looks like this is a feature of the Go
crypto/x509standard library and not necessarily specific to Gitea. Good to know when adding custom certs to other apps.https://github.com/golang/go/issues/12139
@bidek commented on GitHub (Nov 23, 2023):
Is this workaround should work in 1.21.0 version ?
I tried to mount my custom ca at /etc/ssl/certs/customCA.crt. And i see it from container but unless i invoke update-ca-certificates my custom cert is not "registered". For obvious reasons "login" inside container and invoke update-ca-certificates is not an option.
On host side, file have 644 permission and its owned by root
@mddeff commented on GitHub (Nov 23, 2023):
@sei-mkaar , so thats really funny, because it turns out that's actually my blog! Its amazing how much we forget about previous problems when trying to solve new ones. Glad that helped!