Allow CA root certificate used by HTTP client to be configured
Antora uses an HTTP client (got) to download the UI bundle from a remote URL. However, in certain environments, the default settings are not sufficient. One of these cases is when the remote server is using a self-signed certificate. Even if the certificate is registered on the local machine (such as in a Docker container), got will not pick it up and thus the connection to the server will be rejected. As a result, Antora cannot download the UI bundle.
A quick workaround to this problem is to instruct Node not to reject unauthorized requests by setting the NODE_TLS_REJECT_UNAUTHORIZED environment variable to 0 when calling Antora:
NODE_TLS_REJECT_UNAUTHORIZED=0 antora antora-playbook.yml
A more long-term solution is to allow the CA root certificate file to be configured so the HTTP client can load it (which configures got's ca option). For example:
got:
  ca:
    path: /etc/ssl/certs/ca-certificates.crt
We might also consider allowing the rejection of unauthorized requests to be configured (which configures got's
got:
  reject_unauthorized: false
(Since this behavior is specific to UI, we could also consider adding these keys under the
This leaves room for other options as the need arises.
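As an added illustration (not Antora's code and not part of the original issue), the proposed `got.ca.path` and `got.reject_unauthorized` keys could be mapped to the `ca` and `rejectUnauthorized` options of Node's TLS layer as sketched below. The helper name `tlsOptionsFromPlaybook` is hypothetical, and merging with `tls.rootCertificates` is an assumption made here because a `ca` value in Node replaces the built-in trust store instead of extending it.

```javascript
'use strict'
// Added example: tlsOptionsFromPlaybook is a hypothetical helper; the config
// keys (ca.path, reject_unauthorized) are the ones proposed in this issue.
const fs = require('fs')
const tls = require('tls')
const { X509Certificate } = require('crypto')

const PEM_CERT = /-----BEGIN CERTIFICATE-----[\s\S]+?-----END CERTIFICATE-----/g

function tlsOptionsFromPlaybook (gotConfig = {}) {
  // Verification stays on unless the playbook explicitly sets the key to false.
  const options = { rejectUnauthorized: gotConfig.reject_unauthorized !== false }
  const caPath = gotConfig.ca && gotConfig.ca.path
  if (caPath) {
    const pems = (fs.readFileSync(caPath, 'utf8').match(PEM_CERT) || []).map((p) => p.trim())
    if (pems.length === 0) throw new Error(`no PEM certificates found in ${caPath}`)
    // Parse each entry so a corrupt bundle fails here, not at the first handshake.
    pems.forEach((pem) => new X509Certificate(pem))
    // A ca option replaces Node's built-in roots, so keep them alongside the
    // configured certificates (deduplicated) to leave public hosts reachable.
    options.ca = [...new Set([...tls.rootCertificates, ...pems])]
  }
  return options
}
```

The returned object uses option names accepted by Node's `https.request` and `tls.connect`; how a given got release expects them to be passed is not covered here.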