
checkout@v2 failing on GHES actions beta with "failed, reason: self signed certificate in certificate chain" #362

Open
michaelfdickey opened this issue Oct 1, 2020 · 9 comments

Comments

@michaelfdickey

Hello actions / checkout team 👋

We have a report of actions checkout@v2 failing in an actions enabled beta on GHES 2.22 with the following message:

failed, reason: self signed certificate in certificate chain

This is running a simple workflow which only runs actions checkout and a one line hello world script.

Thanks!

@ericsciple
Contributor

@michaelfdickey can you ask the customer to run a workflow with step debugging enabled?

Wondering whether the error is coming from Git or the REST API.

Also wondering whether the required certificate authority chain is installed on runner machine? Curl is a good way to test.

@alichebel

Hello Eric

After following the procedure below, the curl command works but not the workflow.
https://docs.github.com/en/enterprise-server@2.22/admin/configuration/troubleshooting-ssl-errors#certificate-validity-errors
I still have the same issue.
Step debug mode, as requested, does not provide more details.

Please advise

@alichebel

Hello Eric

I would like to clarify a point:
the workflow runs successfully with the Git client properly configured with the root CA.
However, the workflow fails with the GitHub REST API.

Regards

@ericsciple
Contributor

Can you try setting the env var NODE_EXTRA_CA_CERTS to point to the full path of the file?

@ericsciple
Contributor

Here's a list of instructions to help with self-signed certificates on GHES:

You will need to install the certificate on each runner machine.

For example, on Debian:

```bash
host_or_ip=my-ghes.com

# Save the first certificate the server presents as PEM (for a self-signed
# server certificate, that is the certificate itself).
openssl s_client -showcerts -connect $host_or_ip:443 </dev/null 2>/dev/null | openssl x509 -outform PEM > mycertfile.pem

# ca-certificates expects a .crt extension
openssl x509 -in mycertfile.pem -inform PEM -out mycertfile.crt

sudo mkdir /usr/share/ca-certificates/extra
sudo cp mycertfile.crt /usr/share/ca-certificates/extra/
sudo dpkg-reconfigure ca-certificates
# The above command drops you into an interactive prompt. You need to select the
# certificate file using <SPACEBAR>, and then press <ENTER> to complete the configuration.
```

Also you need to set an environment variable for the runner process. For example:

NODE_EXTRA_CA_CERTS=/usr/share/ca-certificates/extra/mycertfile.crt

Most actions are written in JavaScript and run using Node.js. And Node.js doesn’t use the system certificate store.
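The steps above cover the two trust paths the workflow exercises separately: the OS store for Git and curl, and NODE_EXTRA_CA_CERTS for the Node.js-based actions. The script below is an added example, not code from this thread or from the actions/checkout project. It pulls the whole chain the appliance presents (the one-liner above keeps only the first certificate), picks out the self-signed root by checking that subject equals issuer, installs it with the distribution's non-interactive CA tool, and verifies both paths. Host names, the runner directory and the `.env` file layout are assumptions; `update-ca-certificates` (Debian/Ubuntu) and `update-ca-trust` (RHEL/CentOS) are the standard tools on those distributions but are not mentioned in the thread.

```bash
#!/usr/bin/env bash
# Added example (not from the thread or actions/checkout). Fetches the chain a
# GHES host presents, trusts its self-signed root in the OS store and for Node.js.
# Host names and paths are placeholders.
set -euo pipefail

# Split a PEM bundle into one file per certificate and print how many were found.
# Anything outside BEGIN/END markers (s_client chatter) is dropped.
split_pem_bundle() {
  local bundle="$1" outdir="$2"
  mkdir -p "$outdir"
  awk -v dir="$outdir" '
    /-----BEGIN CERTIFICATE-----/ { n++; out = sprintf("%s/cert-%d.pem", dir, n); inside = 1 }
    inside { print > out }
    /-----END CERTIFICATE-----/ { inside = 0; close(out) }
    END { print n + 0 }
  ' "$bundle"
}

# Fetch the whole chain, not only the leaf; -servername matters when the host uses SNI.
fetch_chain() {
  local host="$1" port="${2:-443}" out="$3"
  openssl s_client -showcerts -connect "$host:$port" -servername "$host" </dev/null 2>/dev/null >"$out"
}

# A self-signed certificate is its own issuer; that is the one to anchor trust on.
is_self_signed() {
  local subj iss
  subj=$(openssl x509 -in "$1" -noout -subject | sed 's/^subject=//')
  iss=$(openssl x509 -in "$1" -noout -issuer | sed 's/^issuer=//')
  [ "$subj" = "$iss" ]
}

find_root() {
  local f
  for f in "$1"/cert-*.pem; do
    if is_self_signed "$f"; then echo "$f"; return 0; fi
  done
  return 1
}

# Install into the OS store so git and curl verify with no further configuration.
# Prints the installed path so it can be reused for NODE_EXTRA_CA_CERTS.
install_os_trust() {
  local root="$1" name="ghes-root"
  if command -v update-ca-certificates >/dev/null; then          # Debian/Ubuntu
    sudo cp "$root" "/usr/local/share/ca-certificates/$name.crt"
    sudo update-ca-certificates
    echo "/usr/local/share/ca-certificates/$name.crt"
  elif command -v update-ca-trust >/dev/null; then               # RHEL/CentOS/Fedora
    sudo cp "$root" "/etc/pki/ca-trust/source/anchors/$name.pem"
    sudo update-ca-trust extract
    echo "/etc/pki/ca-trust/source/anchors/$name.pem"
  else
    echo "no known CA tool found" >&2; return 1
  fi
}

# Node.js ignores the OS store, so the runner process also needs NODE_EXTRA_CA_CERTS.
# Assumed runner layout: the self-hosted runner reads variables from a .env file
# in its root directory (RUNNER_DIR is a placeholder). Node also ignores this
# variable when its binary is setuid root or carries file capabilities, so run the
# runner as an unprivileged service account.
configure_runner_env() {
  local certpath="$1" runner_dir="${2:-/home/runner/actions-runner}"
  printf 'NODE_EXTRA_CA_CERTS=%s\n' "$certpath" >>"$runner_dir/.env"
}

# Check both paths: curl (OS store) and Node (extra CA file).
verify_trust() {
  local host="$1" certpath="$2"
  if curl -sS -o /dev/null "https://$host/api/v3/"; then echo "curl: ok"; else echo "curl: failed"; fi
  NODE_EXTRA_CA_CERTS="$certpath" node -e "
    require('https').get('https://$host/api/v3/', r => { console.log('node:', r.statusCode); })
      .on('error', e => { console.error('node:', e.message); process.exit(1); })"
}

main() {
  local host="$1" work root installed
  work=$(mktemp -d)
  fetch_chain "$host" 443 "$work/chain.pem"
  split_pem_bundle "$work/chain.pem" "$work/certs" >/dev/null
  root=$(find_root "$work/certs") || { echo "no self-signed certificate in chain" >&2; exit 1; }
  installed=$(install_os_trust "$root")
  configure_runner_env "$installed"
  verify_trust "$host" "$installed"
}

# Usage: ./trust-ghes.sh install my-ghes.example.com
if [ "${1:-}" = "install" ]; then main "$2"; fi
```

Run it once per runner machine and then restart the runner service so the new `.env` entry is picked up; if `find_root` reports no self-signed certificate, the appliance is presenting a chain issued by an internal CA, and that CA's certificate (obtained from whoever operates it) is what belongs in the trust store rather than the leaf.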

@alichebel

Hello Eric

It works :-) for Windows and Unix as well.
I guess it would be great if you could add a few sentences to your documentation.

Thanks

@MartinLesterSynamedia

I had started the runner on a machine as root (using RUNNER_ALLOW_RUNASROOT=1) and got this error when talking to our GHE server using self-signed certs.

NODE_EXTRA_CA_CERTS is ignored when node runs as setuid root or has Linux file capabilities set.

The answer is to create a local account, which is the right way but is easy to ignore when you "just want to get something working" (read: just being lazy!).

@acottre

acottre commented Aug 4, 2022

Can NODE_EXTRA_CA_CERTS environment variable please be added to the documentation?

@Mayankm13

> Also you need to set an environment variable for the runner process.

@ericsciple Can you please let me know the steps for CentOS?


6 participants