1db8a8f08c
CI/CD / CI · API (dotnet build + test) (push) Failing after 3m35s
CI/CD / CI · Admin API (dotnet build) (push) Failing after 6m23s
CI/CD / CI · Dashboard (tsc) (push) Successful in 1m6s
CI/CD / CI · Admin Web (tsc) (push) Successful in 37s
CI/CD / CI · Website (tsc) (push) Successful in 44s
CI/CD / CI · Koja (tsc) (push) Successful in 49s
CI/CD / Deploy · all services (push) Has been skipped
The prior Trust step added only the YR2 intermediate to the OS trust store. dotnet's X.509 chain builder requires a self-signed ROOT as the trust anchor (it does not enable OpenSSL's X509_V_FLAG_PARTIAL_CHAIN), so intermediate-only still caused PartialChain.

New approach (two jobs: api-build, admin-api-build):

1. curl http://yr.i.lencr.org/ (plain HTTP AIA) → ISRG Root YR DER → convert to PEM → add to /usr/local/share/ca-certificates/
2. cp YR2 intermediate (docker/nexus-mirror-ca.crt) → same dir
3. update-ca-certificates (OS method)
4. cat both certs >> /etc/ssl/certs/ca-certificates.crt (belt-and-suspenders: directly appends to the OpenSSL bundle dotnet reads on Linux, works even if step 3 is a no-op)

If the AIA fetch fails (network block) step 4 still appends the intermediate, which may work if dotnet ever enables partial chains. Fetch failure is non-fatal (echo warning + continue).

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
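
The trust-anchor behaviour the commit message describes can be reproduced offline with the OpenSSL CLI. This is an added example, not code from this commit or repository: it builds a constructed throwaway root, intermediate and leaf (all names and file names are made up) and uses `openssl verify`, not dotnet's chain builder, to show that intermediate-only trust is rejected unless `-partial_chain` is set, while root plus intermediate verifies.

```shell
#!/bin/sh
# Constructed throwaway PKI: demo-root -> demo-int -> demo-leaf (names made up).
# Nothing here touches the OS trust store.

# build_demo_pki DIR: write root.pem, int.pem, leaf.pem, root-and-int.pem to DIR.
build_demo_pki() {
  (
    cd "$1" || exit 1
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
    for n in root int leaf; do
      openssl req -new -newkey rsa:2048 -nodes -keyout "$n.key" \
        -out "$n.csr" -subj "/CN=demo-$n" >/dev/null 2>&1 || exit 1
    done
    # Self-signed root: the only certificate that can anchor a complete chain.
    openssl x509 -req -in root.csr -signkey root.key -extfile ca.ext \
      -days 2 -out root.pem >/dev/null 2>&1 || exit 1
    # Intermediate: a CA certificate, but issued by the root, so not self-signed.
    openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial \
      -extfile ca.ext -days 2 -out int.pem >/dev/null 2>&1 || exit 1
    # Leaf issued by the intermediate.
    openssl x509 -req -in leaf.csr -CA int.pem -CAkey int.key -CAcreateserial \
      -days 2 -out leaf.pem >/dev/null 2>&1 || exit 1
    cat root.pem int.pem > root-and-int.pem
  )
}

# chain_ok DIR TRUSTFILE [verify flags...]: exit 0 if DIR/leaf.pem verifies
# against DIR/TRUSTFILE only (-trusted implies -no-CAfile and -no-CApath).
chain_ok() {
  dir=$1; trust=$2; shift 2
  openssl verify "$@" -trusted "$dir/$trust" "$dir/leaf.pem" >/dev/null 2>&1
}

# report LABEL DIR TRUSTFILE [verify flags...]: print the outcome of one check.
report() {
  label=$1; shift
  if chain_ok "$@"; then echo "$label: verified"; else echo "$label: rejected"; fi
}

demo() {
  d=$(mktemp -d) || return 1
  build_demo_pki "$d" || { rm -rf "$d"; return 1; }
  report "intermediate only" "$d" int.pem
  report "intermediate only + -partial_chain" "$d" int.pem -partial_chain
  report "root + intermediate" "$d" root-and-int.pem
  rm -rf "$d"
}
demo
```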