Using a private certificate authority

GitGuardian supports connections to external services that use a non-public certificate authority.

You may need to override the default set of trusted certificates so that GitGuardian can establish connections to services such as your VCS or webhooks.

Requirements

  • One or more certificates to establish a chain of trust to the integrations you use.
  • c_rehash from openssl

```shell
# On CentOS/RHEL
yum install openssl-perl
# On Debian/Ubuntu
apt-get install openssl
```

How to

  1. Create the $HOME/gitguardian/trusted-certs directory and write all certificates into it in PEM format, one certificate per file.

```shell
$ tree $HOME/gitguardian/trusted-certs
/home/centos/gitguardian/trusted-certs
├── my-other-ca.pem
└── my-private-ca.pem

0 directories, 2 files
```

  2. Prepare the directory for openssl to consume using c_rehash.

```shell
$ c_rehash $HOME/gitguardian/trusted-certs
Doing /home/centos/gitguardian/trusted-certs
$ tree $HOME/gitguardian/trusted-certs
/home/centos/gitguardian/trusted-certs
├── 4dfd5795.0 -> my-private-ca.pem
├── da4e607d.0 -> my-other-ca.pem
├── my-other-ca.pem
└── my-private-ca.pem

0 directories, 4 files
```

  3. Ensure GitGuardian has enough permissions to read these files.

```shell
$ chmod a+rX $HOME/gitguardian/trusted-certs
```

  4. Configure GitGuardian to use these certificates.

```yaml
# Edit $HOME/gitguardian/docker-compose.override.yml
version: "3.8"

x-ca: &ca
  environment:
    - REQUESTS_CA_BUNDLE=/etc/ssl/trusted-certs
    - GIT_SSL_CAPATH=/etc/ssl/trusted-certs
  volumes:
    - ${GG_ROOT}/trusted-certs:/etc/ssl/trusted-certs:ro

services:
  django:
    <<: *ca
  worker:
    <<: *ca
  email:
    <<: *ca
  long_tasks:
    <<: *ca
  beat:
    <<: *ca
```

  5. Restart the application.

```shell
./manage.sh reload
```
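A preflight check to run on the trusted-certs directory before the restart in step 5, added here as an example and not part of the GitGuardian documentation or product. It verifies, with only the Python standard library, the conditions the steps above rely on: exactly one PEM certificate per file, a c_rehash hash symlink for every certificate, no dangling symlinks, and world-readable permissions; the directory path and the sample values in the test are assumed.

```python
"""Preflight check for the GitGuardian trusted-certs directory (example, not GitGuardian code)."""
import re
import stat
from pathlib import Path

# One PEM certificate block; re.S lets the body span lines.
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)
# Names that c_rehash creates, e.g. 4dfd5795.0 (subject hash + collision index).
HASH_LINK_RE = re.compile(r"^[0-9a-f]{8}\.\d+$")


def check_trusted_certs_dir(path):
    """Return a list of problems; an empty list means the directory looks ready."""
    d = Path(path)
    if not d.is_dir():
        return [f"{d} is not a directory"]
    problems = []
    mode = d.stat().st_mode
    if not (mode & stat.S_IROTH and mode & stat.S_IXOTH):
        problems.append(f"{d}: directory is not world-readable (chmod a+rX {d})")
    pem_files, linked = set(), set()
    for entry in d.iterdir():
        if entry.is_symlink():                      # hash links produced by c_rehash
            if not HASH_LINK_RE.match(entry.name):
                problems.append(f"{entry.name}: unexpected symlink name")
            if not entry.exists():                  # exists() follows the link
                problems.append(f"{entry.name}: dangling symlink")
            else:
                linked.add(entry.resolve().name)    # the PEM file the link points at
            continue
        if not entry.is_file():
            continue
        count = len(PEM_RE.findall(entry.read_text(errors="replace")))
        if count != 1:                              # bundles and non-PEM files are rejected
            problems.append(f"{entry.name}: expected exactly one PEM certificate, found {count}")
            continue
        if not entry.stat().st_mode & stat.S_IROTH:
            problems.append(f"{entry.name}: certificate file is not world-readable")
        pem_files.add(entry.name)
    for name in sorted(pem_files - linked):         # a PEM without a hash link was not rehashed
        problems.append(f"{name}: no hash symlink, run c_rehash on the directory")
    return problems


if __name__ == "__main__":
    import os
    for problem in check_trusted_certs_dir(os.path.expanduser("~/gitguardian/trusted-certs")):
        print(problem)
```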