ArgoCD playground - Gitea certificate expired - please renew

dkry24 · July 11, 2024, 5:30am

This prevents some things ( examples ) from working.
controlplane ~ ➜ openssl x509 -text -noout -in /var/lib/gitea/custom/cert.pem
…
Validity
Not Before: Jun 8 15:02:14 2023 GMT
Not After : Jun 7 15:02:14 2024 GMT

I reported this in the post-lab feedback many days ago.
How do we get this fixed ?

rob_kodekloud · July 11, 2024, 5:55am

I assume you mean here: ArgoCD Playground | KodeKloud

If so, is this what you’re talking about:

controlplane sample-config on  master ➜  git remote -v
origin  https://bob:[email protected]/bob/sample-config.git (fetch)
origin  https://bob:[email protected]/bob/sample-config.git (push)

controlplane sample-config on  master ➜  git pull origin master
fatal: unable to access 'https://git.example.com/bob/sample-config.git/': server certificate verification failed. CAfile: none CRLfile: none

That would be a problem. I’ll report it to the lab team.

dkry24 · July 11, 2024, 5:57am

That’s exactly it - when using Gitea for examples, it fails like that.
I could try to hack around it, but I think it would be better for everyone to have a healthier setup that’s ready to go.
Thanks !

Alistair_KodeKloud · July 11, 2024, 6:19am

We are always open to student’s suggestions for hacks that work! It’s good practice for you

But Rob will have raised a ticket for it to be fixed properly.

dkry24 · July 11, 2024, 12:52pm

Thanks !

We are always open to student’s suggestions for hacks that work! It’s good practice for you

On that idea, tried out some myself -

turns out, this is a self-signed cert, and there’s “gitea cert --host git.example.com” command that produces the same kind of cert
also found that it was added to /etc/ssl/certs/ca-certificates.crt - replaced it with the new one.
Still, something doesn’t work out or works out partially - gitea presents new cert, yet systemctl restart gitea takes a long time and apparently fails… not sure.
If team is willing to share the missing sauce, that would be welcome too.

p.s. Some combination of this worked on retry - also did openssl rehash, added .gitconfig with [http] sslCAinfo = /etc/ssl/certs/ca-certificates.crt, replaced the cert in ArgoCD, pushed - sample deployment worked.
So, kinda working.
Unknown why systemctl restart gitea gets stuck and fails… but, it works, so it’s not strictly essential.

Tej-Singh-Rana · July 11, 2024, 3:31pm

Hi @dkry24,

Thanks for highlighting this issue. Our lab engineers are working on this. I’ll update you once they push the fixes to lab.

Regards,

rob_kodekloud · July 11, 2024, 7:41pm

…and it’s now fixed!

dkry24 · July 11, 2024, 11:30pm

Thank you so much, everyone !
Confirmed - cert is renewed, and the repo is accepted by ArgoCD.
Learning of how this cert setup works has occurred too, and now one can go straight to the exercises !
( Which I intend to do next )