git client struggling with new letsencrypt root certificate

[ableuler]

When trying to clone another renku project inside an interactive session through https, this currently fails with the following error:

$ git clone https://renkulab.io/gitlab/some.user/some-project.git
Cloning into 'some-project'...
fatal: unable to access 'https://renkulab.io/gitlab/some.user/some-project.git/': server certificate verification failed. CAfile: none CRLfile: none

While the new letsencrypt root certificate is present in the image under /etc/ssl/certs/ISRG_Root_X1.pem, the git https client does not find/respect/use that root certificate - presumably for some reasons about how git interacts with libcurl. Simply cURL-ing renkulab.io directly works.

However, upgrading cURL (and its dependencies) fixes the problem, so an easy way of fixing this for existing images is by adding the following lines to the projects Dockerfile:

USER root
RUN apt-get update && apt-get upgrade -y curl
USER ${NB_USER}

Later versions of the notebooks base image (such as jupyter/base-notebook:lab-3.2.1 or jupyter/base-notebook:lab-3.1.17) base image are built on top of ubuntu 20.04.03. These images do not suffer from this problem. The suggested proper fix for this issue is thus to upgrade to the jupyter/base-notebook:lab-3.2.1 base image.

--

ps: the reason why this isn't leading to catastrophic failures left and right is that the communication to the users "main" repo (the one from which the session is launched) is handled by the git-clone container and the git https proxy exclusively.

[rokroskar]

Has this been addressed somewhere @ableuler ?

[ableuler]

#197

[rokroskar]

😆