Augment system cert pool instead of replacing it

thardeck · thardeck · commit a8b2fc56d80f · 2026-03-19T21:34:51.000+01:00
When a CA bundle is provided, use x509.SystemCertPool() as the base and
append the custom certificates to it. Previously x509.NewCertPool() was
used, which created an empty pool containing only the custom CA. This
caused TLS verification to fail for public HTTPS endpoints (e.g. GitHub)
when the gitjob was configured with a Rancher CA bundle, because the
required public root CA was not in the pool.

The fix matches go-git's own transportWithCABundle behavior.
diff --git a/internal/bundlereader/gitclone.go b/internal/bundlereader/gitclone.go
@@ -66,7 +66,10 @@ func gitDownload(ctx context.Context, dst, rawURL string, auth Auth) error {
 			httpsProtocolMu.Lock()
 			defer httpsProtocolMu.Unlock()
 
-			certPool := x509.NewCertPool()
+			certPool, certPoolErr := x509.SystemCertPool()
+			if certPoolErr != nil {
+				certPool = x509.NewCertPool()
+			}
 			if ok := certPool.AppendCertsFromPEM(auth.CABundle); !ok && !auth.InsecureSkipVerify {
 				return errors.New("CA bundle contains no valid PEM certificates")
 			}
diff --git a/internal/cmd/cli/gitcloner/cloner.go b/internal/cmd/cli/gitcloner/cloner.go
@@ -41,10 +41,10 @@ var (
 // with a custom-CA override.
 var caCloneMutex sync.RWMutex
 
-// withExclusiveCA installs a custom HTTPS transport that trusts only caBundle
-// (not the system cert pool) for the duration of fn, then restores the default.
-// The mutex is only taken for HTTPS URLs because only go-git's HTTPS protocol
-// registry is affected; SSH and other scheme clones can proceed concurrently.
+// withExclusiveCA installs a custom HTTPS transport that augments the system cert pool
+// with caBundle for the duration of fn, then restores the default. The mutex is only
+// taken for HTTPS URLs because only go-git's HTTPS protocol registry is affected; SSH
+// and other scheme clones can proceed concurrently.
 func withExclusiveCA(repoURL string, caBundle []byte, insecureSkipTLS bool, fn func() error) error {
 	if !strings.HasPrefix(repoURL, "https://") {
 		// Non-HTTPS clone: no protocol registry mutation, no lock needed.
@@ -58,7 +58,10 @@ func withExclusiveCA(repoURL string, caBundle []byte, insecureSkipTLS bool, fn f
 	caCloneMutex.Lock()
 	defer caCloneMutex.Unlock()
 
-	certPool := x509.NewCertPool()
+	certPool, err := x509.SystemCertPool()
+	if err != nil {
+		certPool = x509.NewCertPool()
+	}
 	if ok := certPool.AppendCertsFromPEM(caBundle); !ok && !insecureSkipTLS {
 		return errors.New("CA bundle contains no valid PEM certificates")
 	}
