checkout@v2 failing on GHES actions beta with "failed, reason: self signed certificate in certificate chain"

[michaelfdickey]

Hello actions / checkout team 👋

We have a report of actions checkout@v2 failing in an actions enabled beta on GHES 2.22 with the following message:

failed, reason: self signed certificate in certificate chain

This is running a simple workflow which only runs actions checkout and a one line hello world script.

Thanks!

[ericsciple]

@michaelfdickey can you ask the customer to run a workflow with step debugging enabled?

Wondering whether the error is coming from Git or the REST API.

Also wondering whether the required certificate authority chain is installed on runner machine? Curl is a good way to test.

[alichebel]

Hello Eric

After following this procedure below, curl command works but not the workflow.
https://docs.github.com/en/enterprise-server@2.22/admin/configuration/troubleshooting-ssl-errors#certificate-validity-errors
I still have the same issue.
Debug mode as requested step does not provide more details.

Please advise

[alichebel]

Hello Eric

I would like to clarify a point :
the workflow run successfully with git client properly configured with the root ca.
However the workflow failed with the GitHub REST API.

Regards

[ericsciple]

Can you try setting the env var NODE_EXTRA_CA_CERTS to point to the full path of the file?

[ericsciple]

Here's a list of instructions to help with self-signed certificates on GHES:

You will need to install the certificate on each runner machine.

For example, on Debian:

> host_or_ip=my-ghes.com

> openssl s_client -showcerts -connect $host_or_ip:443 </dev/null 2>/dev/null|openssl x509 -outform PEM >mycertfile.pem

> openssl x509 -in mycertfile.pem -inform PEM -out mycertfile.crt

> sudo mkdir /usr/share/ca-certificates/extra

> sudo cp mycertfile.crt /usr/share/ca-certificates/extra/

> sudo dpkg-reconfigure ca-certificates

> # The above command drops you into an in interactive prompt. You need to select the certificate file using <SPACEBAR>, and then press <ENTER> to complete the configuration

Also you need to set an environment variable for the runner process. For example:

NODE_EXTRA_CA_CERTS=/usr/share/ca-certificates/extra/mycertfile.crt

Most actions are written in Javascript and run using Nodejs. And Nodejs doesn’t use the system certificate store.

[alichebel]

Hello Eric

It works :-) for windows and unix as well.
I guess it will be great if you can add a few sentences on your documentation

Thanks

[MartinLesterSynamedia]

I had started the runner on a machine as root (using RUNNER_ALLOW_RUNASROOT=1) and got this error when talking to our GHE server using self signed certs.

NODE_EXTRA_CA_CERTS is ignored when node runs as setuid root or has Linux file capabilities set.

The answer is create a local account - which is the right way but is easy to ignore when you "just want to get something working" (read: just being lazy!)

[acottre]

Can NODE_EXTRA_CA_CERTS environment variable please be added to the documentation?

[Mayankm13]

n environment variable for the runner process.

@ericsciple Can you please let me know the step for centos?