ci: trust Nexus mirror CA in backend dotnet restore (fixes skipped deploys)

The mirror's Let's Encrypt cert renewed under the new ISRG Root YR root,
which isn't in the dotnet SDK image's trust store. `dotnet restore` validates
TLS and fails (NU1301 / unable to get local issuer certificate), so both
backend CI jobs fail and the deploy is skipped. The npm jobs are unaffected
because they already pass --strict-ssl=false.

Pin the mirror's intermediate (CN=YR2, CA:TRUE, valid to Sept 2028) and add it
as a trust anchor before restore in:
- CI api-build + admin-api-build jobs (.gitea/workflows/ci-cd.yml)
- docker/api/Dockerfile + docker/admin-api/Dockerfile (deploy image builds)

Also set NUGET_CERT_REVOCATION_MODE=offline in the CI restore steps to avoid
CRL/OCSP fetches to lencr.org (filtered from Iran).

Permanent fix is server-side (re-chain to ISRG Root X1 or update trust stores);
this unblocks CI/deploys without depending on that.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Author: soroush.asadi
Date: 2026-06-03 23:22:57 +03:30
parent 5078af2dd7
commit 9a27858125
4 changed files with 57 additions and 0 deletions
@@ -80,10 +80,20 @@ jobs:
</configuration>
EOF
- name: Trust Nexus mirror CA
# The mirror's Let's Encrypt cert renewed under the new ISRG Root YR, which is
# not yet in the SDK image's trust store. The npm jobs skip TLS via
# --strict-ssl=false; dotnet validates, so add the mirror's intermediate
# (CA:TRUE, valid to Sept 2028) as a trust anchor.
run: |
cp docker/nexus-mirror-ca.crt /usr/local/share/ca-certificates/nexus-mirror-ca.crt
update-ca-certificates
- name: Restore
run: dotnet restore src/Meezi.API/Meezi.API.csproj --configfile /tmp/nuget.ci.config
env:
DOTNET_CLI_TELEMETRY_OPTOUT: 1
NUGET_CERT_REVOCATION_MODE: offline
- name: Build
run: dotnet build src/Meezi.API/Meezi.API.csproj --no-restore -c Release
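Review bot: the "Trust Nexus mirror CA" step installs a CA:TRUE intermediate as a trust anchor, which makes the SDK image trust every certificate that intermediate ever issues, not only the mirror's; the step comment should say so plainly rather than describe it as trusting "the mirror's" chain, and the step should fail loudly if the anchor is not picked up (for example, check the output of `update-ca-certificates` for "1 added", or follow it with an `openssl s_client`/`curl` probe against the mirror) so a silently missing `docker/nexus-mirror-ca.crt` does not just reproduce the NU1301 failure one step later. In the Restore step, `NUGET_CERT_REVOCATION_MODE: offline` disables revocation checking with no comment in the workflow; the reason (CRL/OCSP endpoints at lencr.org being unreachable from the runner) lives only in the commit message, so add a one-line comment next to the env entry so the setting is revisited once the permanent server-side re-chain described in the commit message lands.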
@@ -128,10 +138,18 @@ jobs:
</configuration>
EOF
- name: Trust Nexus mirror CA
# See api-build: trust the mirror's intermediate so dotnet restore validates
# the new ISRG Root YR chain (npm jobs sidestep this with --strict-ssl=false).
run: |
cp docker/nexus-mirror-ca.crt /usr/local/share/ca-certificates/nexus-mirror-ca.crt
update-ca-certificates
- name: Restore
run: dotnet restore src/Meezi.Admin.API/Meezi.Admin.API.csproj --configfile /tmp/nuget.ci.config
env:
DOTNET_CLI_TELEMETRY_OPTOUT: 1
NUGET_CERT_REVOCATION_MODE: offline
- name: Build
run: dotnet build src/Meezi.Admin.API/Meezi.Admin.API.csproj --no-restore -c Release
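Review bot: this step is a verbatim copy of the api-build one (same `cp` + `update-ca-certificates`, same env entries), and the commit message says the same two lines are repeated in both Dockerfiles; suggest moving the anchor installation into one script under `docker/` (or a composite action) that both jobs and both Dockerfiles call, so that replacing or removing `nexus-mirror-ca.crt` later is a single change rather than four. The comment's aside that the npm jobs "sidestep this with --strict-ssl=false" is worth acting on in this same change: now that the mirror's chain is checked into the repo, those jobs can point npm at the same CA file instead of disabling TLS verification outright.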