Pages chroot doesn't copy Custom CA - breaking HTML artifacts
From !51 (merged):
On top of that gitlab-pages chroot daemon will now create a complete jail with /etc/resolv.conf, a copy of SSL_CERT_FILE placed in /etc/ssl/ca-bundle.pem, and a bind mount of pages-root on /pages.
SSL_CERT_FILE is the bundle located at /opt/gitlab/embedded/ssl/certs/cacert.pem, however we have added our own custom CA to /etc/gitlab/trusted-certs/customcacert.pem as per https://docs.gitlab.com/omnibus/settings/ssl.html#details-on-how-gitlab-and-ssl-work
From looking at https://gitlab.com/gitlab-org/gitlab-pages/blob/master/daemon.go#L126 I can see that the single SSL_CERT_FILE is copied, but I do not see anything attempting to copy custom CAs.
The result of this is that HTML artifacts are unable to be seen via the pages daemon, presumably as it requests it via our internal domain, served with a cert signed by our custom CA.