ci: trust Nexus mirror CA in backend dotnet restore (fixes skipped deploys)
The mirror's Let's Encrypt cert renewed under the new ISRG Root YR root, which isn't in the dotnet SDK image's trust store. `dotnet restore` validates TLS and fails (NU1301 / unable to get local issuer certificate), so both backend CI jobs fail and the deploy is skipped. The npm jobs are unaffected because they already pass --strict-ssl=false. Pin the mirror's intermediate (CN=YR2, CA:TRUE, valid to Sept 2028) and add it as a trust anchor before restore in: - CI api-build + admin-api-build jobs (.gitea/workflows/ci-cd.yml) - docker/api/Dockerfile + docker/admin-api/Dockerfile (deploy image builds) Also set NUGET_CERT_REVOCATION_MODE=offline in the CI restore steps to avoid CRL/OCSP fetches to lencr.org (filtered from Iran). Permanent fix is server-side (re-chain to ISRG Root X1 or update trust stores); this unblocks CI/deploys without depending on that. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
This commit is contained in:
soroush.asadi
@@ -8,6 +8,12 @@ COPY global.json Directory.Build.props Directory.Packages.props ./
|
||||
# nuget.docker.config points to Nexus mirror (mirror.soroushasadi.com)
|
||||
COPY nuget.docker.config ./nuget.config
|
||||
|
||||
# Trust the Nexus mirror's TLS CA: its Let's Encrypt cert renewed under the new
|
||||
# ISRG Root YR, which isn't in the SDK image's trust store yet. Add the mirror's
|
||||
# intermediate (CA:TRUE, valid to Sept 2028) as an anchor so dotnet restore validates.
|
||||
COPY docker/nexus-mirror-ca.crt /usr/local/share/ca-certificates/nexus-mirror-ca.crt
|
||||
RUN update-ca-certificates
|
||||
|
||||
COPY src/Meezi.Shared/Meezi.Shared.csproj src/Meezi.Shared/
|
||||
COPY src/Meezi.Core/Meezi.Core.csproj src/Meezi.Core/
|
||||
COPY src/Meezi.Infrastructure/Meezi.Infrastructure.csproj src/Meezi.Infrastructure/
|
||||
|
||||
Reference in New Issue
Block a user