[Add Forge Now] process https://git.cloudsolutions.com.sa

https://archive.softwareheritage.org/admin/add-forge/request/436/
Type: gitea

changed milestone to %Extend archive coverage [Roadmap - Collect]

added AddForgeNow label

Request completly messed up in staging environment.
For the pipeline details, see:
https://gitlab.softwareheritage.org/swh/infra/add-forge-now-requests/-/pipelines/7750.

The job 02_check_ports_and_token failed: there's a TLS certificate issue.

~ ᐅ curl -I https://git.cloudsolutions.com.sa                                                              
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.
~ ᐅ openssl s_client -connect git.cloudsolutions.com.sa:443 < /dev/null 2> /dev/null | awk '/Verification/'
Verification error: unable to verify the first certificate

On a local environment:

swh@d2c83919e890:~$ swh scheduler -C $SWH_CONFIG_FILENAME \
  add-forge-now --preset staging \
    register-lister gitea \
      instance=git.cloudsolutions.com.sa
Created 1 tasks

Task 10
  Next run: today (2024-03-20T13:19:05.488063+00:00)
  Interval: 90 days, 0:00:00
  Type: list-gitea-full
  Policy: oneshot
  Args:
  Keyword args:
    enable_origins: False
    instance: 'git.cloudsolutions.com.sa'
    max_origins_per_page: 5
    max_pages: 2

swh-lister-1  | [2024-03-20 13:19:11,736: INFO/MainProcess] Task swh.lister.gitea.tasks.FullGiteaRelister[4938ae67-ba27-44b7-b266-2270d5d99f74] received
swh-lister-1  | [2024-03-20 13:19:11,737: DEBUG/ForkPoolWorker-2] Loading config file /srv/softwareheritage/config.yml
swh-lister-1  | [2024-03-20 13:19:11,745: WARNING/ForkPoolWorker-2] No authentication token set in configuration, using anonymous mode
swh-lister-1  | [2024-03-20 13:19:11,745: DEBUG/ForkPoolWorker-2] Fetching URL https://git.cloudsolutions.com.sa/api/v1/repos/search with params {'limit': 50, 'page': 1}
swh-lister-1  | [2024-03-20 13:19:11,745: DEBUG/ForkPoolWorker-2] Fetching URL https://git.cloudsolutions.com.sa/api/v1/repos/search with params {'limit': 50, 'page': 1}
swh-lister-1  | [2024-03-20 13:19:11,951: WARNING/ForkPoolWorker-2] Retrying swh.lister.pattern.Lister.http_request in 1.0 seconds as it raised SSLError: HTTPSConnectionPool(host='git.cloudsolutions.com.sa', port=443): Max retries exceeded with url: /api/v1/repos/search?limit=50&page=1 (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1006)'))).
swh-lister-1  | [2024-03-20 13:19:12,952: DEBUG/ForkPoolWorker-2] Fetching URL https://git.cloudsolutions.com.sa/api/v1/repos/search with params {'limit': 50, 'page': 1}

Works in a Firefox browser profile with cached certs, but not in a fresh Firefox browser profile and not in curl/openssl indeed. Looks like TLS AIA (swh/meta#5086) or disabling TLS verification (swh/meta#5077) would fix it though:

$ openssl s_client -connect git.cloudsolutions.com.sa:443 < /dev/null 2> /dev/null | openssl x509 -in /dev/stdin -text | grep -A3 "Authority Information Access"
            Authority Information Access: 
                OCSP - URI:http://ocsp.digicert.com
                CA Issuers - URI:http://cacerts.digicert.com/DigiCertGlobalG2TLSRSASHA2562020CA1-1.crt
            X509v3 Basic Constraints: critical