
Support internal CA or self-signed TLS certificates for all external communication

Created by: sfllaw

  • Issue type: Feature Request
  • Sourcegraph version: 2.7.6
  • OS Version: N/A
  • Docker version: N/A

We have a private GitHub Enterprise instance running under a self-signed private Certificate Authority. Because of this, we need to tell the Sourcegraph image about this CA, or Git will complain:

fatal: unable to access 'https://github.example.com/user/repo.git': server certificate verification failed. 

The configuration option in github.certificate is available, but it only applies to Sourcegraph, not to processes that gitserver controls. As well, since it only seems to handle server certificates and not CAs, it will have to be updated every time the GitHub Enterprise server rotates its certs.

Our workaround, which you are welcome to document, is to install the certificate in the Docker image, so the OS handles it. In a Dockerfile:

FROM sourcegraph/server:2.7.6
# The CA must be PEM-encoded and end in .crt, or update-ca-certificates ignores it.
# Trailing slash so the file is copied into the directory rather than renamed to it.
COPY ssl/certificate-authority.crt /usr/local/share/ca-certificates/
# Rebuild the system bundle so git, curl and anything else using the OS store trusts the CA.
RUN /usr/sbin/update-ca-certificates

Running this derived image makes everything work magically, because Sourcegraph also trusts the CAs provided by the OS.
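When the CA is managed through the OS store as above, the remaining chore is keeping the bundle tidy across CA rotations: appending the same root twice, or appending a new intermediate without recording what went in, makes it hard to confirm which CA the container actually trusts. The following is an added example, not code from the issue or from Sourcegraph, that parses a PEM bundle, computes the SHA-256 fingerprint of each certificate's DER encoding (the same value `openssl x509 -noout -fingerprint -sha256` prints) and merges new certificates in without duplicates. The certificates in the demo are constructed byte placeholders, not real X.509 data; the parsing and fingerprinting are the same for real PEM files.

```python
"""Merge CA certificates into a PEM bundle, de-duplicated by SHA-256 fingerprint.

Added example; not part of the original issue or the Sourcegraph project.
"""
from __future__ import annotations

import base64
import hashlib
import re

# Matches one PEM CERTIFICATE block and captures its base64 body.
PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----",
    re.DOTALL,
)


def parse_pem_bundle(text: str) -> list[bytes]:
    """Return the DER bytes of every CERTIFICATE block in a PEM file, in order."""
    ders = []
    for match in PEM_RE.finditer(text):
        body = re.sub(r"\s+", "", match.group(1))
        ders.append(base64.b64decode(body, validate=True))
    return ders


def fingerprint(der: bytes) -> str:
    """SHA-256 over the DER encoding, as colon-separated uppercase hex."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def to_pem(der: bytes) -> str:
    """Wrap DER bytes as a PEM CERTIFICATE block with 64-column base64 lines."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


def merge_into_bundle(bundle_text: str, new_text: str) -> tuple[str, list[str]]:
    """Append every certificate in new_text that bundle_text does not already contain.

    Returns the merged bundle text and the fingerprints that were actually added,
    so a build step can log exactly which CAs entered the trust store.
    """
    known = {fingerprint(der) for der in parse_pem_bundle(bundle_text)}
    merged = bundle_text
    if merged and not merged.endswith("\n"):
        merged += "\n"
    added: list[str] = []
    for der in parse_pem_bundle(new_text):
        fp = fingerprint(der)
        if fp in known:
            continue  # already trusted; skip the duplicate
        known.add(fp)
        added.append(fp)
        merged += to_pem(der)
    return merged, added


# Constructed placeholders standing in for DER-encoded certificates (not real X.509).
FAKE_CA_A = b"\x30\x03\x02\x01\x01"
FAKE_CA_B = b"\x30\x03\x02\x01\x02"


def demo() -> tuple[int, int]:
    """Merge a bundle that already holds CA A with a file holding A and B.

    Returns (certificates added, certificates in the merged bundle).
    """
    existing_bundle = to_pem(FAKE_CA_A)
    incoming = to_pem(FAKE_CA_A) + to_pem(FAKE_CA_B)
    merged, added = merge_into_bundle(existing_bundle, incoming)
    return len(added), len(parse_pem_bundle(merged))


if __name__ == "__main__":
    added_count, total = demo()
    print(f"added {added_count} certificate(s); bundle now holds {total}")
    for der in (FAKE_CA_A, FAKE_CA_B):
        print(fingerprint(der))
```

Run it against a real file by reading `/etc/ssl/certs/ca-certificates.crt` (Debian and Alpine layout) as `bundle_text` and the CA file you intend to ship as `new_text`; the fingerprints it returns are what to compare against the value your PKI team publishes for the root, which is the check that catches shipping a leaf certificate where a CA was intended.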