Renovate: Document Self-signed certificate handling

Created on 16 Nov 2018 · 8 Comments · Source: renovatebot/renovate

What would you like Renovate to be able to do?
Add configuration option to ignore self-signed certificates of your GitLab instance.

Describe the solution you'd like
Add an --allowSelfSignedCerts option which ignores self-signed certificates of your GitLab instance.

good first issue priority-4-low docs

All 8 comments

This is node.js doing the rejections rather than really Renovate. What if you set NODE_TLS_REJECT_UNAUTHORIZED=0 in env before running Renovate?

Note: ignoring certs is not recommended in general though, we'd be better to add them

If you trust a self-signed certificate, and you are on Windows, then you may want to consider NODE_EXTRA_CA_CERTS - https://nodejs.org/api/cli.html#cli_node_extra_ca_certs_file

If you are on Linux or macOS, and the self-signed root certificate has been added to your OpenSSL cert store, then please consider setting NODE_OPTIONS=--use-openssl-ca - https://nodejs.org/api/cli.html#cli_node_options_options

Personally, I believe NODE_TLS_REJECT_UNAUTHORIZED should never be used, ever.

Given that there are ways to achieve this "outside" Renovate, and ignoring certificates is generally not a good idea, I think I will leave this as an open documentation issue to be closed once we document and describe how to address self-signed certificates.

For documentation purposes: NODE_OPTIONS=--use-openssl-ca worked as solution.
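A preflight check for the three Node.js settings named in the comments above, as an added example that is not part of the thread or of Renovate. The function name and the verdict strings are hypothetical; it only inspects the environment and does not start Renovate.

```shell
#!/bin/sh
# Added example: classify the Node.js TLS trust settings before a Renovate run.
# Prints one verdict word; returns 0 if acceptable, 1 if the run should stop.
# Usage in a CI job: check_node_tls_env || exit 1
check_node_tls_env() {
    # NODE_TLS_REJECT_UNAUTHORIZED=0 turns off certificate verification for
    # every TLS connection the process makes, not only the one to GitLab.
    if [ "${NODE_TLS_REJECT_UNAUTHORIZED:-}" = "0" ]; then
        echo "verification-disabled"
        return 1
    fi

    # NODE_EXTRA_CA_CERTS adds certificates from a PEM file to Node's bundled
    # roots. Node only emits a warning when the file is missing or malformed,
    # so a wrong path shows up later as an unexplained TLS error. Check first.
    if [ -n "${NODE_EXTRA_CA_CERTS:-}" ]; then
        if [ ! -r "$NODE_EXTRA_CA_CERTS" ]; then
            echo "extra-ca-unreadable"
            return 1
        fi
        if ! grep -q -e '-----BEGIN CERTIFICATE-----' "$NODE_EXTRA_CA_CERTS"; then
            echo "extra-ca-not-pem"
            return 1
        fi
        echo "extra-ca"
        return 0
    fi

    # --use-openssl-ca switches Node to the OpenSSL certificate store, where
    # the self-signed root must already have been installed.
    case " ${NODE_OPTIONS:-} " in
        *" --use-openssl-ca "*)
            echo "openssl-ca"
            return 0
            ;;
    esac

    # Nothing set: a self-signed GitLab certificate will be rejected.
    echo "bundled-ca-only"
    return 0
}
```
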

Is there any way to pass these environment variables and/or custom CA files (via additional mounts?) to Docker children when binarySource=docker?

trustLevel=high will pass all env.

I'm not sure about mapping the files though.

They don't get passed to our docker sidecar containers.

Best option is to extend the required images and self-host them. Then use dockerImagePrefix to point to the custom images

https://docs.renovatebot.com/self-hosted-configuration/#dockerimageprefix

You only would need to rebuild used images, check the debug logs to find them.

Given that there are ways to achieve this "outside" Renovate, and ignoring certificates is generally not a good idea, I think I will leave this as an open documentation issue to be closed once we document and describe how to address self-signed certificates.

This issue is labeled as a good first issue, and a docs issue. So I thought I would take a look. 😄
However it's not really clear what I need to add to the docs to resolve this issue.

There's a section on GitLab authentication (via personal access token) in the Renovate self-hosting docs.
We do not mention self-signed certificates anywhere in the docs yet.

Can you maybe explain what changes we want to make to the docs? Or give a pointer to some outside docs that I can refer to?
