Spike: how to solve the use case of url and cert_url not using the same certificate
Scope

Investigate and propose a solution in issue 288869 for the case of `url` and `cert_url` not using the same certificate.

The summary of the current idea is as follows:

- Add a new command to the helper.
- The new command will not export the whole system store, as this is not possible with the x509 package.
- The new command will request the FQDN for the server pointed to by `clone_url` and will build the additional certificate chain from that. This chain could be added to the one created by the Runner (which is based on the value of `url`).
- Check how to work around Go's default HTTP client behavior of immediately following redirect responses (301, 302, 307, 308).
Background

- In issue Append system store to CI_SERVER_TLS_CA_FILE wi... (#28869) we found that the `x509.CertPool` struct does not provide an option to export the certificates. The exported certificates are needed to include in a file used by Git.
- The `x509.CertPool` type can be used for certificate verification, but only in Go.
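As an added example (not code from the Runner project or from this issue), the Go program below sketches the approach from the Scope list and the Background notes: it extracts host:port from a clone URL, performs one request with an `http.Client` whose `CheckRedirect` returns `http.ErrUseLastResponse` so a 301/302/307/308 answer is not followed, reads the peer certificates from the response's TLS state, and PEM-encodes them for a Git CA file. The `[]*x509.Certificate` slice is kept instead of an `x509.CertPool` precisely because the pool cannot be listed back out. The function names and the `main` wrapper are assumptions for this sketch.

```go
package main

import (
	"bytes"
	"crypto/tls"
	"crypto/x509"
	"encoding/pem"
	"fmt"
	"net"
	"net/http"
	"net/url"
	"os"
)

// hostPortFromURL extracts "host:port" from a clone URL (hypothetical helper),
// defaulting the port to 443 for https and 80 for http when none is given.
func hostPortFromURL(raw string) (string, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return "", err
	}
	host := u.Hostname()
	if host == "" {
		return "", fmt.Errorf("no host in %q", raw)
	}
	port := u.Port()
	if port == "" {
		switch u.Scheme {
		case "https":
			port = "443"
		case "http":
			port = "80"
		default:
			return "", fmt.Errorf("unsupported scheme %q", u.Scheme)
		}
	}
	return net.JoinHostPort(host, port), nil
}

// chainToPEM encodes a certificate chain as PEM, the format Git expects in
// the CA file. We encode from the raw certificates because x509.CertPool
// offers no way to enumerate what was added to it.
func chainToPEM(chain []*x509.Certificate) []byte {
	var buf bytes.Buffer
	for _, c := range chain {
		_ = pem.Encode(&buf, &pem.Block{Type: "CERTIFICATE", Bytes: c.Raw})
	}
	return buf.Bytes()
}

// newNoRedirectClient returns an http.Client that stops at the first response
// instead of following 301/302/307/308 redirects, so the chain we record is
// the one presented by the host we actually asked for. A nil tlsCfg means the
// system roots are used; certificate verification stays enabled.
func newNoRedirectClient(tlsCfg *tls.Config) *http.Client {
	return &http.Client{
		Transport: &http.Transport{TLSClientConfig: tlsCfg},
		CheckRedirect: func(req *http.Request, via []*http.Request) error {
			return http.ErrUseLastResponse
		},
	}
}

// fetchServerChain sends one GET to serverURL and returns the peer
// certificates the server presented on that TLS connection, together with
// the HTTP status (a 3xx status is returned as-is, not followed).
func fetchServerChain(client *http.Client, serverURL string) ([]*x509.Certificate, int, error) {
	resp, err := client.Get(serverURL)
	if err != nil {
		return nil, 0, err
	}
	defer resp.Body.Close()
	if resp.TLS == nil {
		return nil, resp.StatusCode, fmt.Errorf("connection to %s is not TLS", serverURL)
	}
	return resp.TLS.PeerCertificates, resp.StatusCode, nil
}

func main() {
	if len(os.Args) != 2 {
		fmt.Fprintln(os.Stderr, "usage: chainexport <clone_url>")
		os.Exit(2)
	}
	hostPort, err := hostPortFromURL(os.Args[1])
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	chain, status, err := fetchServerChain(newNoRedirectClient(nil), os.Args[1])
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	fmt.Fprintf(os.Stderr, "HTTP %d from %s; %d certificate(s) in chain\n", status, hostPort, len(chain))
	os.Stdout.Write(chainToPEM(chain))
}
```

One caveat for the real command: the chain a server presents usually ends at an intermediate and omits the root, so a CA file built only from `PeerCertificates` may still need the trusted root appended (the part the Runner already derives from `url`) for Git to verify the connection.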
Edited by Darren Eastman