noschvie's picture

Hello

I have a TurnKey gitea appliance running on my local network.

How can I solve this error? Thanks!

git clone https://gitea.<my domain>/noschvie/Liechtenstein.git

SSL: certificate subject name (gitea) does not match target host name 'gitea.<my domain>'

I tried this, but it didn't solve it:

openssl s_client -showcerts -servername gitea.<my domain> -connect gitea.<my domain>:443 </dev/null 2>/dev/null | sed -n -e '/BEGIN\ CERTIFICATE/,/END\ CERTIFICATE/ p'  > gitea-<my domain>.pem

cat gitea-<my domain>.pem | sudo tee -a /etc/ssl/certs/ca-certificates.crt
Jeremy Davis's picture

Three options that I can think of:

  • Get a "proper" cert.
  • Set up your own CA.
  • Just use http.

"Proper" certificate

If your server is available publicly, then the best way to fix this issue would be to use our built-in Confconsole tool. That has a Let's Encrypt integration (Let's Encrypt provide free TLS/SSL certs). That will get you a "proper" CA signed certificate which should "just work".


Set up your own CA

If that's not an option and/or you don't want your server publicly available, then you'll need to create your own CA (certificate authority). All of your clients will also need to have the associated CA cert imported. A quick google turned up quite a few tutorials (e.g. here's one and here's another). I haven't tested them, but on face value they look reasonable.

We do have a tool for generating TLS/SSL certs, which would allow you to generate a cert that does include your domain and can also generate a CSR (certificate signing request; which you then need to sign with your CA private key). Our tool is called 'turnkey-make-ssl-cert'. Unfortunately, I'm not super familiar with it, nor am I an expert with TLS/SSL certs, so I'm not going to offer any advice there, but its help output might help?

turnkey-make-ssl-cert --help

Having said that, it might just be easier to follow the instructions in one of those tutorials (and use openssl directly)!?

Regardless, once you have generated your new certs, then be sure that the certs are loaded by Nginx (the webserver used in the Gitea appliance). The paths can be found in /etc/nginx/include/ssl. Once that's set up, then restart Nginx:

systemctl restart nginx

Just use plain http

If you are running it within your local network, then the super easy workaround is to just use vanilla http URLs. I.e. just drop the 's' like this:

git clone http://gitea.<my domain>/noschvie/Liechtenstein.git
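
Added example, not part of the original thread and not TurnKey's own tooling: a throwaway CA built with openssl, showing that a trusted certificate issued only for the short name gitea is still rejected for the full host name, while one whose subjectAltName carries the full name is accepted. The host name gitea.example.internal and all file names are constructed placeholders.

```shell
#!/bin/sh
# Added example: host names are constructed placeholders, not values from the thread.
FQDN="gitea.example.internal"   # stands in for gitea.<my domain>

# Create a throwaway CA in directory $1, using a minimal config so the
# result does not depend on the system-wide openssl.cnf.
make_ca() {
  cat > "$1/req.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -config "$1/req.cnf" \
    -extensions ca_ext -subj "/CN=Example Local CA" \
    -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
}

# Issue a server certificate for name $2, signed by the CA in directory $1.
# The name is also written to subjectAltName, which clients match when present.
issue_cert() {
  openssl req -new -newkey rsa:2048 -nodes -config "$1/req.cnf" \
    -subj "/CN=$2" -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null &&
  printf 'subjectAltName=DNS:%s\n' "$2" > "$1/$2.ext" &&
  openssl x509 -req -in "$1/$2.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
    -CAcreateserial -days 30 -extfile "$1/$2.ext" -out "$1/$2.crt" 2>/dev/null
}

# Succeeds only if the cert named $2 chains to the CA in $1 AND is valid for host $3.
cert_ok_for_host() {
  openssl verify -CAfile "$1/ca.crt" -verify_hostname "$3" "$1/$2.crt" >/dev/null 2>&1
}

demo() {
  d=$(mktemp -d) || return 1
  make_ca "$d" && issue_cert "$d" gitea && issue_cert "$d" "$FQDN" || return 1
  for cert in gitea "$FQDN"; do
    if cert_ok_for_host "$d" "$cert" "$FQDN"; then r=accepted; else r=rejected; fi
    echo "cert for '$cert' used at https://$FQDN/ -> $r"
  done
  rm -rf "$d"
}
demo
```

Clients still need ca.crt imported into their trust store, and the server certificate and key go wherever /etc/nginx/include/ssl points.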
