
checkout@v2 failing on GHES actions beta with "failed, reason: self signed certificate in certificate chain"

Open michaelfdickey opened this issue 5 years ago • 8 comments

Hello actions / checkout team :wave:

We have a report of actions checkout@v2 failing in an actions enabled beta on GHES 2.22 with the following message:

failed, reason: self signed certificate in certificate chain

This is running a simple workflow which only runs actions checkout and a one line hello world script.

Thanks!

michaelfdickey avatar Oct 01 '20 21:10 michaelfdickey

@michaelfdickey can you ask the customer to run a workflow with step debugging enabled?

Wondering whether the error is coming from Git or the REST API.

Also wondering whether the required certificate authority chain is installed on the runner machine? Curl is a good way to test.

ericsciple avatar Oct 05 '20 18:10 ericsciple

Hello Eric

After following the procedure below, the curl command works but the workflow does not. https://docs.github.com/en/[email protected]/admin/configuration/troubleshooting-ssl-errors#certificate-validity-errors I still have the same issue. Step debug mode, as requested, does not provide more details.

Please advise

alichebel avatar Oct 06 '20 15:10 alichebel

Hello Eric

I would like to clarify a point: the workflow runs successfully with the git client properly configured with the root CA. However, the workflow fails with the GitHub REST API.

Regards

alichebel avatar Oct 08 '20 14:10 alichebel

Can you try setting the env var NODE_EXTRA_CA_CERTS to point to the full path of the file?

ericsciple avatar Oct 08 '20 16:10 ericsciple

Here's a list of instructions to help with self-signed certificates on GHES:

You will need to install the certificate on each runner machine.

For example, on Debian:

```bash
host_or_ip=my-ghes.com
openssl s_client -showcerts -connect $host_or_ip:443 </dev/null 2>/dev/null|openssl x509 -outform PEM >mycertfile.pem
openssl x509 -in mycertfile.pem -inform PEM -out mycertfile.crt
sudo mkdir /usr/share/ca-certificates/extra
sudo cp mycertfile.crt /usr/share/ca-certificates/extra/
sudo dpkg-reconfigure ca-certificates
# The above command drops you into an interactive prompt. You need to select the certificate file using <SPACEBAR>, and then press <ENTER> to complete the configuration
```

Also you need to set an environment variable for the runner process. For example:

```
NODE_EXTRA_CA_CERTS=/usr/share/ca-certificates/extra/mycertfile.crt
```

Most actions are written in JavaScript and run using Node.js. And Node.js doesn't use the system certificate store.

ericsciple avatar Oct 09 '20 04:10 ericsciple
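As an added example (not from this thread and not part of actions/checkout), a small shell helper that applies the steps above but goes one step further: it keeps every certificate the server sends rather than only the first one, since `openssl x509` reads a single certificate from its input and the self-signed root that Node.js must trust is normally the last one in the chain. The host name, output path and `.env` location are assumptions.

```bash
#!/usr/bin/env bash
# Added example: build a NODE_EXTRA_CA_CERTS bundle from a GHES host's full chain.
set -eu

# Split raw `openssl s_client -showcerts` output (stdin) into a PEM bundle (stdout).
# Everything outside BEGIN/END CERTIFICATE blocks (session info, subject lines,
# "Server certificate" banner) is dropped; every certificate block is kept, so
# the bundle contains the leaf, any intermediates, and the self-signed root.
extract_pem_chain() {
  awk '/-----BEGIN CERTIFICATE-----/{keep=1}
       keep{print}
       /-----END CERTIFICATE-----/{keep=0}'
}

# Count the certificates in a PEM bundle read from stdin (prints 0 if none).
count_certs() {
  grep -c -- '-----BEGIN CERTIFICATE-----' || true
}

# Line to append to the runner's .env file (assumed location: the runner's
# install directory) so that Node.js-based actions trust the bundle.
runner_env_line() {
  printf 'NODE_EXTRA_CA_CERTS=%s\n' "$1"
}

# Fetch the chain from a live host and write the bundle. Needs network access;
# the host name is an assumption. Usage: fetch_ghes_chain my-ghes.example /opt/certs/ghes-chain.pem
fetch_ghes_chain() {
  host="$1"; out="${2:-ghes-chain.pem}"
  openssl s_client -showcerts -connect "${host}:443" </dev/null 2>/dev/null \
    | extract_pem_chain > "$out"
  echo "wrote $(count_certs < "$out") certificate(s) to $out" >&2
  runner_env_line "$(readlink -f "$out")"
}
```

Restart the runner service after editing `.env` so the new variable reaches the Node.js process; the later comment in this thread about runners started as root still applies, since Node ignores the variable in that situation.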

Hello Eric

It works :-) for Windows and Unix as well. I guess it would be great if you could add a few sentences to your documentation.

Thanks

alichebel avatar Oct 09 '20 07:10 alichebel

I had started the runner on a machine as root (using RUNNER_ALLOW_RUNASROOT=1) and got this error when talking to our GHE server using self signed certs.

NODE_EXTRA_CA_CERTS is ignored when node runs as setuid root or has Linux file capabilities set.

The answer is to create a local account, which is the right way but is easy to ignore when you "just want to get something working" (read: just being lazy!).

MartinLesterSynamedia avatar Apr 08 '21 12:04 MartinLesterSynamedia

Can NODE_EXTRA_CA_CERTS environment variable please be added to the documentation?

acottre avatar Aug 04 '22 18:08 acottre

> n environment variable for the runner process.

@ericsciple Can you please let me know the steps for CentOS?

Mayankm13 avatar Nov 01 '22 22:11 Mayankm13