Can not clone zip project on Minikube #19120

Closed
4 of 22 tasks
RomanNikitenko opened this issue Feb 22, 2021 · 4 comments
Labels: area/plugins, kind/bug, severity/P2

Comments

@RomanNikitenko
Member

RomanNikitenko commented Feb 22, 2021

Describe the bug

I get an error when importing a zip project on minikube.
The error is:

Couldn't import https://github.com/eclipse-theia/theia/archive/master.zip: curl: (60) SSL certificate problem: 
unable to get local issuer certificate 
More details here: https://curl.haxx.se/docs/sslcerts.html curl 
failed to verify the legitimacy of the server and therefore could not establish a secure connection to it. 
To learn more about this situation and how to fix it, please visit the web page mentioned above.

Please see the screenshot below.

I'm not able to reproduce the bug using the same devfile on the dogfooding instance.

Che version

  • latest
  • nightly
  • other: please specify

Steps to reproduce

Start a workspace from the following devfile on minikube.

Devfile
apiVersion: 1.0.0
metadata:
  name: test-import-zip
projects:
  - name: theia
    source:
      location: 'https://github.com/eclipse-theia/theia/archive/master.zip'
      type: zip
      branch: master
components:
  - id: eclipse/che-theia/next
    type: cheEditor

Expected behavior

Runtime

  • kubernetes (include output of kubectl version)
  • Openshift (include output of oc version)
  • minikube
minikube version: v1.16.0
commit: 9f1e482427589ff8451c4723b6ba53bb9742fbb1

kubectl version: v1.20.1
  • minishift (include output of minishift version and oc version)
  • docker-desktop + K8S (include output of docker version and kubectl version)
  • other: (please specify)

Screenshots

zip_clone

Installation method

  • chectl
    chectl/0.0.20210220-next.92bf415 linux-x64 node-v12.20.2
  • OperatorHub
  • I don't know

Environment

  • my computer
    • Windows
    • Linux
    • macOS
  • Cloud
    • Amazon
    • Azure
    • GCE
    • other (please specify)
  • other: please specify

Eclipse Che Logs

Additional context

@ericwill
Contributor

cc @vitaliy-guliy didn't you work on this recently? Could it be a regression?

@vitaliy-guliy
Contributor

> cc @vitaliy-guliy didn't you work on this recently? Could it be a regression?

I don't think so.
The code that downloads zip files is in the workspace plugin, but it does not intersect with the latest changes related to the Git+SSH stuff.
I will take a look at it.

@vitaliy-guliy
Contributor

The problem is that curl does not take system certificates into account. It uses only the generated /tmp/ca-bundle.crt.
I'm trying to find a way to configure curl to make the custom certificate optional, but still have nothing.
There could be another solution: to create a bundle that includes the system certificates. We can try to do this if nothing else helps.

@vitaliy-guliy
Contributor

vitaliy-guliy commented Feb 24, 2021

There is an option --capath for curl.

The curl man page says:

  The certificates must be in PEM format, and if curl is built against OpenSSL,
  the directory must have been processed using the c_rehash utility supplied with OpenSSL.

Having googled a bit and inspected my system, I see that this directory contains symlinks to the certificates, and the names of the links are in the format {hash}.0, where hash is the hash sum obtained by openssl x509 -hash -noout -in $file.
Each link is a link to a certificate, not a bundle. I tried to create a link to a bundle, but openssl gives me the hash of the first certificate. The other certificates in the bundle were not taken into account by curl.

So, here we have:

Option 1. First is to prepare a directory somewhere in /tmp and create links to all the custom certificates we use. Please note, if we use bundles, we need to split them into single certificates.

Then it would be possible to add --capath to curl and use this directory.

For this option we need to add the openssl tool to the che-theia container.

Option 2. Include all /etc/ssl/certs/*.0 files into /tmp/ca-bundle.crt and continue using curl with --cacert.

The second one is easier. Was tested, works fine. Bundle weight is around 217kb.

Update: Each system has a bundle with all the certificates.
Possible bundle location https://golang.org/src/crypto/x509/root_linux.go
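
The two options from the comment above, as an added shell example (not code from Che or from the commenter): merging custom certificates with the system bundle for `--cacert`, and splitting a bundle into single certificates with `{hash}.0` links for `--capath`. The function names are hypothetical, and the candidate bundle paths are the ones listed in Go's root_linux.go.

```shell
# Candidate system bundle locations (the list in Go's crypto/x509 root_linux.go).
SYSTEM_BUNDLES="/etc/ssl/certs/ca-certificates.crt
/etc/pki/tls/certs/ca-bundle.crt
/etc/ssl/ca-bundle.pem
/etc/pki/tls/cacert.pem
/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
/etc/ssl/cert.pem"

# Print the first candidate that exists and is non-empty; return 1 if none does.
find_system_bundle() {
    for f in $SYSTEM_BUNDLES; do
        [ -s "$f" ] && { printf '%s\n' "$f"; return 0; }
    done
    return 1
}

# Count the PEM certificate blocks in a file.
count_certs() { grep -c -- '-----BEGIN CERTIFICATE-----' "$1"; }

# merge_bundles OUT IN...: write only the certificate blocks of every IN to OUT.
# awk re-terminates each line, so an input without a trailing newline cannot glue
# its END marker onto the next BEGIN. OUT may be an input: a temp file is used.
merge_bundles() {
    out=$1; shift
    tmp="$out.tmp.$$"
    for f in "$@"; do
        awk '/-----BEGIN CERTIFICATE-----/ { p = 1 }
             p { print }
             /-----END CERTIFICATE-----/ { p = 0 }' "$f" || return 1
    done > "$tmp" && mv "$tmp" "$out"
}

# split_bundle IN DIR: one certificate per file (DIR/cert-N.pem), as --capath needs.
split_bundle() {
    mkdir -p "$2"
    awk -v dir="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; file = dir "/cert-" n ".pem"; p = 1 }
        p { print > file }
        /-----END CERTIFICATE-----/ { p = 0; close(file) }' "$1"
}

# link_capath DIR: add the {hash}.0 symlinks curl/OpenSSL look up (needs openssl;
# two certificates with the same hash would need .1, .2, ... and are not handled).
link_capath() {
    for c in "$1"/cert-*.pem; do
        h=$(openssl x509 -hash -noout -in "$c") || return 1
        ln -sf "${c##*/}" "$1/$h.0"
    done
}
```

For Option 2, `merge_bundles /tmp/ca-bundle.crt /tmp/ca-bundle.crt "$(find_system_bundle)"` extends the generated bundle in place, and curl keeps using `--cacert /tmp/ca-bundle.crt`.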
