Allowing OneDev to ignore TLS issues implies a major security issue. Why not use LetsEncrypt in this case?

It's internal installation and all other services are already deployed with PKI provided by internal CA. Also, cert-manager breaks a lot on Kubernetes.

I hit into the same issue but when setting up LDAP connection which is an internal service connected by docker and I want to ignore TLS verification but then provide my custom domain to verify cert against.

Here is an example how authelia does this and it works for me. I would like to have similar options for LDAP configurations in onedev. https://www.authelia.com/configuration/first-factor/ldap/

authentication_backend:
  ldap:
    implementation: custom
    url: ldaps://10.10.10.10
    timeout: 5s
    start_tls: false
    tls:
      server_name: ldap.example.com
      skip_verify: false
      minimum_version: TLS1.2
      maximum_version: TLS1.3

+1 for inserting custom SSL certificates. For Helm, I like the GitLab Runner approach: https://gitlab.com/gitlab-org/charts/gitlab-runner/-/blob/v0.49.0/values.yaml#L83

Essentially, they can be added to the Java trust store (or maybe the Ubuntu way: /usr/local/share/ca-certificates).

Update: Tried it the Ubuntu way, didn't work. So it has to be done at the application/JVM (executor) level itself.

@thetredev Have you called update-ca-certificates? This will update /etc/ssl/ and only then it might work.

I did. I also updated the Java keystore in the container to no avail.

I think Java reads cacerts on start and do not updated it, so you might restart Onedev with cacerts updated. I tried it this way and it worked:

Dockerfile:

FROM 1dev/server AS build
# Put your certs in a directory `certs` under current directory...
COPY certs /usr/local/share/ca-certificates
RUN update-ca-certificates

FROM scratch AS export
COPY --from=build /etc/ssl/certs/java/cacerts .

Then:

docker build --output=. .

Then, mount ./cacerts in /etc/ssl/certs/java/cacerts... Like: docker run -v $PWD/cacerts:/etc/ssl/certs/java/cacerts:ro or in compose:

services:
  onedev:
    image: 1dev/server:latest
    volumes:
    - "./cacerts:/etc/ssl/certs/java/cacerts:ro"

Thanks, I didn't know about how Java handles that stuff. Gotta try this at home later today!

Just a heads up: --output required buildkit, so either enable buildkit or use docker buildx build...

I tried it and it worked. With Docker Compose it feels right at home actually. But using Kubernetes it's janky, because the Chart values don't have an option for additional mounts. I modified the deployment myself but that's a hack I'm not sure I want to live with. :)

@robin are there any plans for something like extraVolumeMounts and extraVolumes by any chance? That way we could work around that in a more sophisticated manner.

@thetredev will add this improvement in a future release.

@robin very cool, thank you!

State changed as code fixing the issue is committed

Sorry to comment on the closed issue, but I can't seem to find the option. Where do I find documentation to trust my own CA? Thanks!

The fix will be delivered in 8.0.0 which will be released mid this month.

Aahh okay cool.

State changed as build #3440 is successful

Please follow below guide on how to trust self-signed CA/certificates:

https://docs.onedev.io/administration-guide/trust-self-signed-certificates

Very nice, thank you very much! I'll test this later today.