I’m also having the same problems with CA certs, and have just burnt 4 hours trying to get the F thing working.
I run my own Root CA + Intermediate for homelab purposes. Gitea is behind Traefik providing the HTTPS endpoint.
On my Synology NAS, using a Gitea action runner works perfectly - the CA certs pass through to all of the containers.
On a different machine running Ubuntu, I can curl the endpoint with no problems on the host (cert is in the trust store), but the containers all fail on the git clone step.
I also have insecure: true in my config.yaml.
This appears to be a sore spot for sure.