Self-hosted GitLab platform integration

Hello,

we have a GitLab server running with self-signed certificates. We want to use this server as an OAuth2 provider for a Taiga installation. However, when trying to log in via GitLab, the taiga-backend reports an error (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1006)'))). Is there an easy way to explicitly use a cert loaded from file to verify the GitLab server authenticity?

For the record: We found a workaround by modifying the backend and especially the GitLab authenticator. This script clones the repo, does the modifications needed and builds the image. When trying to use the same approach, please note that we're using Podman instead of Docker.

#!/bin/bash

rm -rdf taiga-back/ taiga-contrib-gitlab-auth/

git clone https://github.com/taigaio/taiga-back.git
cd taiga-back
git checkout stable
git pull
cd ..

git clone https://github.com/taigaio/taiga-contrib-gitlab-auth.git
cd taiga-contrib-gitlab-auth
git checkout stable
git pull
cd ..

sed -i -e "s;git+https://github.com/taigaio/taiga-contrib-gitlab-auth.git@6.8.0#egg=taiga-contrib-gitlab-auth-official&subdirectory=back;file:///taiga-back/taiga-contrib-gitlab-auth/back/;g" ./taiga-back/requirements-contribs.in

sed -i -e "s;git+https://github.com/taigaio/taiga-contrib-gitlab-auth.git@6.8.0#subdirectory=back;file:///taiga-back/taiga-contrib-gitlab-auth/back/;g" ./taiga-back/requirements-contribs.txt


sed -i -e "s%requests.get(url, headers=headers)%requests.get(url, headers=headers, verify='/trusted/gitlab_root_cert.pem')%g" taiga-contrib-gitlab-auth/back/taiga_contrib_gitlab_auth/connector.py

sed -i -e "s%requests.post(url, params=params, headers=headers)%requests.post(url, params=params, headers=headers, verify='/trusted/gitlab_root_cert.pem')%g" taiga-contrib-gitlab-auth/back/taiga_contrib_gitlab_auth/connector.py

sed -i -e "s%rm -rf /var/lib/apt/lists/\*;%rm -rdf /var/lib/apt/lists/* /taiga-back/taiga-contrib-gitlab-auth;%g" ./taiga-back/docker/Dockerfile

mkdir -p taiga-back/taiga-contrib-gitlab-auth/
cp -r taiga-contrib-gitlab-auth/* taiga-back/taiga-contrib-gitlab-auth/

podman rmi -f docker.io/taigaio/taiga-back

cd taiga-back

podman build --no-cache -f docker/Dockerfile -t docker.io/taigaio/taiga-back:latest .

The script modifies the authentication code so that it reads the CA certificate at /trusted/gitlab_root_cert.pem and uses it to authenticate the self-hosted GitLab server. So when installing Taiga with the 30min guide, first run this script to generate the taiga-back container image. Then, run the normal setup. In docker-compose.yml, you should then mount a volume to the backend in the location /trusted/. Then, you can add your certificate into the linked folder:

# in docker-compose.yml:
x-volumes:
  &default-back-volumes
  # These volumes will be used by taiga-back and taiga-async.
  - taiga-static-data:/taiga-back/static
  - taiga-media-data:/taiga-back/media
  - ./trusted/:/trusted # this is the relevant line!

So now, in taiga-docker/trusted/, you can add the certificate.

Please be aware of the fact that this is a fiddly workaround, not a proper solution! If you don't know what you're doing, this is also potentially risky.

Thank you to all the contributors of Taiga. This is a really great tool overall :+1:
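
Added example, not part of the original post or of the Taiga project: the sed substitutions in the script above match exact call strings, so they silently do nothing if connector.py changes upstream. This check parses a Python source file and lists every requests call that is not pinned to the CA file; the function name and the sample source are assumptions made for illustration.

```python
import ast
import sys

CA_PATH = "/trusted/gitlab_root_cert.pem"  # CA file path used by the script in the post
HTTP_CALLS = {"get", "post", "put", "patch", "delete", "head", "request"}


def unpinned_requests_calls(source, ca_path=CA_PATH):
    """Return sorted (line, reason) pairs for requests.<method>() calls in
    `source` that do not pass verify=<ca_path> as a string literal.
    Only calls made directly on the `requests` module name are inspected."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        func = node.func
        if not (isinstance(func, ast.Attribute) and func.attr in HTTP_CALLS
                and isinstance(func.value, ast.Name) and func.value.id == "requests"):
            continue
        verify = next((kw.value for kw in node.keywords if kw.arg == "verify"), None)
        if verify is None:
            reason = "no verify= argument (sed pattern did not match)"
        elif isinstance(verify, ast.Constant) and verify.value == ca_path:
            continue  # pinned to the expected CA file
        else:
            reason = "verify=" + ast.unparse(verify)
        findings.append((node.lineno, f"requests.{func.attr}: {reason}"))
    return sorted(findings)


# Constructed sample, not the real connector.py: one patched call, one call the
# sed pattern missed, and one call with verification switched off.
SAMPLE = '''
import requests

def _get(url, headers):
    return requests.get(url, headers=headers, verify='/trusted/gitlab_root_cert.pem')

def _post(url, params, headers):
    return requests.post(url, params=params, headers=headers)

def _probe(url):
    return requests.get(url, verify=False)
'''

if __name__ == "__main__":
    # With a path argument, check that file; otherwise check the sample above.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    problems = unpinned_requests_calls(text)
    for line, reason in problems:
        print(f"line {line}: {reason}")
    sys.exit(1 if problems else 0)
```

Run against the patched connector.py before the podman build step, a non-zero exit status means at least one call still uses the default trust store or has verification disabled.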