Custom CA certs lost during rcstack-based upgrade

Today I upgraded rhodecode from 5.5.3 to 5.7.0, following the rcstack documentation. After the upgrade, I started getting SSL errors for some of our outgoing hooks. We take advantage of a custom CA bundle for outbound traffic as per this documentation. I noticed that config/_shared/ca-bundle.crt had a modify date of today, despite having made no manual changes. It was also missing my internal CA certificate. After replacing the bundle again everything works as I expect it to. I believe I may have experienced this on previous upgrades as well, but I hadn’t collected data about it at the time. Everything is good as long as I remember to fix the certs; just letting you all know that this is potentially an issue.

Thanks for the feedback! We will update the docs so the implications are clear.

Hi,
We attempted to reproduce this behavior in our environment but were unable to.
Could you please provide the following details?

  • rcstack version at the time of the update (i.e., the version before running ./rcstack self-update).
    Please share the output of:
    ./rcstack -v

  • Exact update steps you executed, including any additional flags or parameters.

  • Whether you use any custom paths to CA bundles or Docker/Dockerfile configuration changes that differ from the defaults.

For reference, we tested the following sequences:
Run 1:
./rcstack self-update
./rcstack stack-upgrade all

Run 2:
./rcstack self-update
./rcstack stack-upgrade router
./rcstack stack-upgrade services
./rcstack stack-upgrade rhodecode
./rcstack stack-upgrade metrics

In both cases, the process did not modify any custom CA bundles.
Thank you, and we’ll investigate further once we have the requested information.

I was able to reproduce it just now in a fresh environment. It appears that the trigger for me is actually running rcstack self-update, even before I do the stack upgrade.

Ubuntu 24.04.3 LTS
Docker CE: Docker version 28.5.1, build e180ab8

My reproduction is moving from rcstack 5.28.0 to 5.28.2. I’ll attach a full console log, but here are the relevant commands.

curl -L -s -o rcstack https://dls.rhodecode.com/get/v5.28.0 && chmod +x rcstack 

./rcstack init
# Answered all defaults except enable SSL/HTTPS : Yes
# This causes a version change to 5.28.2, set it back:
./rcstack self-update --force --cli-revision v5.28.0

# Start everything to a stable state
./rcstack stack all up -d


# Check bundle before customizing
md5sum config/_shared/ca-bundle.crt
#dfc257fbba1b4a6b76e7db3b5c695054  config/_shared/ca-bundle.crt

# Throw in the OS ca certificate bundle as my customization
cp /etc/ssl/certs/ca-certificates.crt config/_shared/ca-bundle.crt

# This shows the customized version
md5sum config/_shared/ca-bundle.crt
# c68163b1d7b41de1d8c37d40fa88a9ca  config/_shared/ca-bundle.cr


./rcstack self-update
# Answered yes to "Would you like to continue with setting RC_VERSION=5.8.1 over RC_VERSION=5.7."


# Right after this step, the bundle has been reverted!
md5sum config/_shared/ca-bundle.crt
# dfc257fbba1b4a6b76e7db3b5c695054  config/_shared/ca-bundle.crt


rhodecode_upgrade_log.txt (11.1 KB)
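
A guard for the behaviour reproduced above, added here as an example that is not part of the thread and is not rcstack code: it wraps a command such as `./rcstack self-update`, detects whether `config/_shared/ca-bundle.crt` was changed or removed, keeps the file the command wrote for review, and restores the customized bundle. The function name, return codes and the `.pre-update` / `.from-update` suffixes are assumptions of this example.

```shell
#!/usr/bin/env bash
# Added example, not rcstack code. The function name, the return codes and the
# .pre-update / .from-update suffixes are assumptions of this example.

# guard_bundle BUNDLE CMD [ARGS...]
# Runs CMD and restores BUNDLE from a pre-run copy if CMD changed or removed it.
# Returns 1 if BUNDLE is missing, CMD's status if CMD failed,
# 3 if the bundle was changed and restored, 0 if it was left untouched.
guard_bundle() {
    local bundle="$1" rc=0
    shift
    local backup="${bundle}.pre-update"

    if [ ! -f "$bundle" ]; then
        echo "guard_bundle: no bundle at $bundle" >&2
        return 1
    fi
    cp -p "$bundle" "$backup"

    # Run the wrapped command, remembering its exit status.
    "$@" || rc=$?

    # Byte-for-byte comparison; a missing bundle also counts as changed.
    if cmp -s "$bundle" "$backup" 2>/dev/null; then
        rm -f "$backup"
        return "$rc"
    fi

    echo "guard_bundle: $bundle was modified by: $*" >&2
    # Keep what the command wrote so it can be reviewed, then put the
    # customized bundle back.
    if [ -f "$bundle" ]; then
        cp -p "$bundle" "${bundle}.from-update"
    fi
    cp -p "$backup" "$bundle"
    if [ "$rc" -ne 0 ]; then
        return "$rc"
    fi
    return 3
}

# Usage with the path and command from the thread:
#   guard_bundle config/_shared/ca-bundle.crt ./rcstack self-update
```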