SSL trusted certificates do not apply to git shell operations

Overview

Custom or self-signed certificates can be added to /etc/gitlab/trusted-certs/: https://docs.gitlab.com/omnibus/common_installation_problems/README.html#install-custom-certificate-authorities

These apply to external services used by the GitLab Rails application. However, they do not apply to operations performed by GitLab Shell, specifically import operations: https://gitlab.com/gitlab-org/gitlab-shell/blob/master/lib/gitlab_projects.rb#L250

Workaround

  1. Add the certificate to the system store (git will read this), e.g. /etc/ssl/certs/ca-certificates.crt
  2. Tell git to ignore SSL verification: omnibus_gitconfig['system'] = { "http"=>["sslVerify = false"]}

Can we either

  1. Make the git client aware of the gitlab trusted certs
  2. Note in the documentation that certificates for mirror and clone operations need to be added to the system store
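
A sketch of workaround 1 that keeps verification on, as an added example that is not part of the original issue or GitLab's own code: it merges the certificates in a trusted-certs directory with a system bundle and checks that the result trusts the custom CA. The function names, the demo paths and the two constructed self-signed certificates are assumptions; git can be pointed at the merged file through its http.sslCAInfo setting instead of sslVerify = false.

```shell
#!/bin/sh
# Added example: build one CA bundle for git from the system store plus the
# certificates in a GitLab-style trusted-certs directory (paths are assumed).

# build_git_ca_bundle TRUSTED_DIR SYSTEM_BUNDLE OUT_BUNDLE
build_git_ca_bundle() {
  trusted_dir=$1; system_bundle=$2; out=$3
  cat "$system_bundle" > "$out" || return 1
  for f in "$trusted_dir"/*; do
    [ -f "$f" ] || continue
    # Re-encode through openssl so non-certificate files are skipped.
    # Only the first certificate of each file is taken.
    if pem=$(openssl x509 -in "$f" -outform PEM 2>/dev/null); then
      printf '%s\n' "$pem" >> "$out"
    else
      echo "skipping $f: not a PEM certificate" >&2
    fi
  done
  return 0
}

# bundle_trusts BUNDLE CERT: succeeds only if CERT chains to an anchor in BUNDLE.
bundle_trusts() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# make_cert OUT_CRT CN: constructed self-signed certificate, for the demo only.
make_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
    -keyout "$1.key" -out "$1" 2>/dev/null
}

# demo: returns 0 when the custom CA is rejected by the system bundle alone
# and accepted by the merged bundle.
demo() {
  tmp=$(mktemp -d) || return 1
  mkdir "$tmp/trusted-certs"
  make_cert "$tmp/system.crt" public-ca.example      # stand-in system store
  make_cert "$tmp/internal.crt" internal-ca.example  # stand-in custom CA
  cp "$tmp/internal.crt" "$tmp/trusted-certs/"
  build_git_ca_bundle "$tmp/trusted-certs" "$tmp/system.crt" "$tmp/git-ca.crt"
  ! bundle_trusts "$tmp/system.crt" "$tmp/internal.crt" &&
    bundle_trusts "$tmp/git-ca.crt" "$tmp/internal.crt"
  rc=$?; rm -rf "$tmp"; return $rc
}

demo && echo "merged bundle trusts the custom CA; system bundle alone does not"
```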