For several projects we use a combination between Gitea and Drone for our CI/CD pipelines. In those case Gitea and Drone are behind Traefik as an revers proxy, which is responsible to automatically renew Letsencrypt SSL certificates.
Lately Letsencrypt has change their root certificates. This is in general no problem because Traefik takes care of it and automatically renews the certificate.
In take case the problem was how Drone clones the git repository and it was not immediately clear, why we got the following error.
fatal: unable to access "https://gitea.example.com/project83/repo32.git/': SSL certificate proble,: certificate has expired“
The certificate of the Gitea was totaly fine and we had no issues to git clone manually.
The problem was: Drone runs the git clone command not in the drone agent it self but it spins up a separate docker container using drone/git as container image.
Drone it self has be updated frequently in the past in those environment. But some of those docker-host which runs Drone exists since age.
Drone is not using a docker pull before drone/git container is started. This means this container image is already many years old. This is also the reason why this container image does not know anything about the update root certificate of Letsencrypt.
So the fix for this error is quite easy. You have to run docker pull drone/git on the docker-host running Drone. The newly pulled container image has now all information about the new trusted root certificates from Letsencrypt and everything is fine again.