Configuration of Outbound Traffic SSL Certificates

This section describes how to configure a custom SSL certificate bundle so that outbound connections can be made to an outside service that uses a self-signed certificate. Typically, this is a CI server whose SSL certificate is trusted only within an organization or is self-signed.

Enable custom CA bundle

By default, the shared $PWD/config/_shared/ directory is mounted into rcstack; it contains the shared configuration files that the RhodeCode web app uses.

Inside the containers this path is mounted as /etc/rhodecode/conf/. The configuration below for a custom SSL certificate bundle therefore requires all your CA bundle data to be placed in a single ca-bundle.crt file.

rhodecode_base:

  environment:
    # ... other items here ...

    SSL_CERT_FILE: "/etc/rhodecode/conf/ca-bundle.crt"
    REQUESTS_CA_BUNDLE: "/etc/rhodecode/conf/ca-bundle.crt"
    GIT_SSL_CAINFO: "/etc/rhodecode/conf/ca-bundle.crt"

Place the ca-bundle.crt file inside the config/_shared directory. The resulting contents of that directory would look something like this.

e.g.

root@Ubuntu-2204 ~/rhodecode_docker # ls -la config/_shared/
total 644
drwxr-xr-x  6 lxd  docker   4096 Jun 13 20:24 .
drwxr-xr-x 14 root root     4096 Dec  6  2022 ..
-rw-r--r--  1 lxd  docker 505543 Aug  2 15:09 ca-bundle.crt
-rw-r--r--  1 lxd  docker    561 Nov  8  2022 channelstream.ini
-rw-r--r--  1 lxd  docker  16495 Jun  6 13:50 gunicorn_conf_rc.py
-rw-r--r--  1 lxd  docker  16478 Aug 10  2023 gunicorn_conf_vcs.py
-rw-r--r--  1 lxd  docker  26078 Jun 13 20:24 rhodecode.ini
drwxr-xr-x  2 lxd  docker   4096 May 31 07:52 ssh
drwxr-xr-x  2 lxd  docker   4096 Nov 25  2021 svn
-rw-r--r--  1 lxd  docker   4502 Aug  2  2023 vcsserver.ini

This file can then act as the default certificate bundle for outbound traffic.
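A pre-flight check for the setup described above, as an added example that is not part of rcstack: it confirms that the three CA variables all point at one file under /etc/rhodecode/conf and that the bundle text holds decodable certificate blocks and no private keys. The function names check_environment and check_bundle are hypothetical, the sample data is constructed, and the check is structural only (it does not verify expiry or trust chains).

```python
import base64
import re

# From the page: config/_shared on the host is /etc/rhodecode/conf in the containers.
CONTAINER_DIR = "/etc/rhodecode/conf"
CA_VARS = ("SSL_CERT_FILE", "REQUESTS_CA_BUNDLE", "GIT_SSL_CAINFO")
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)


def check_environment(environment):
    """Return problems found in the CA variables of a compose `environment` mapping."""
    problems = []
    values = [environment.get(name) for name in CA_VARS]
    for name, value in zip(CA_VARS, values):
        if not value:
            problems.append(f"{name} is not set")
        elif not value.startswith(CONTAINER_DIR + "/"):
            problems.append(f"{name}={value} is outside {CONTAINER_DIR}")
    if len({v for v in values if v}) > 1:
        problems.append("CA variables point at different files")
    return problems


def check_bundle(pem_text):
    """Return (usable_certificate_blocks, problems) for the text of a PEM bundle."""
    problems, seen, usable = [], 0, 0
    for label, body in PEM_BLOCK.findall(pem_text):
        if "PRIVATE KEY" in label:
            problems.append(f"bundle contains a {label} block")
        if label != "CERTIFICATE":
            continue
        seen += 1
        try:
            der = base64.b64decode("".join(body.split()), validate=True)
        except ValueError:
            der = b""
        if der[:1] == b"\x30":  # a DER certificate starts with an ASN.1 SEQUENCE tag
            usable += 1
        else:
            problems.append(f"CERTIFICATE block #{seen} does not decode to DER")
    if usable == 0:
        problems.append("no usable CERTIFICATE blocks found")
    return usable, problems

if __name__ == "__main__":
    # Constructed sample: a placeholder DER body, not a real certificate.
    body = base64.b64encode(b"\x30\x03\x02\x01\x01").decode()
    sample = f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"
    env = {name: CONTAINER_DIR + "/ca-bundle.crt" for name in CA_VARS}
    print(check_environment(env), check_bundle(sample))
```

To use it, read config/_shared/ca-bundle.crt on the host and pass its text to check_bundle, and pass the environment mapping of rhodecode_base to check_environment.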