build-push-action

Self-signed certificates do not work

Open 53845714nF opened this issue 1 year ago • 2 comments

Contributing guidelines

I've found a bug, and:

  • [X] The documentation does not mention anything about my problem
  • [X] There are no open or closed issues that are related to my problem

Description

I have set up a self-signed Docker registry. On my act runner for Gitea, the CA (Certificate Authority) is configured for the container using the following options:

options: --mount type=bind,source=/home/rar/CA.pem,target=/etc/ssl/certs/ca-certificates.crt,readonly

I have attempted various approaches to create the CA within the Action, but none have been successful. I also tried using the docker/setup-buildx-action, but it didn't resolve the issue either. I've been unable to find documentation on how to configure self-signed certificates in this context. Any assistance would be greatly appreciated.

Expected behaviour

Upload the image to my registry.

Actual behaviour

I get this error: tls: failed to verify certificate: x509: certificate signed by unknown authority

Repository URL

No response

Workflow run URL

No response

YAML workflow

name: Docker Image for Image Frontend

on:
  push:
    branches:
      - main

env:
  REGISTRY: https://git.fritz.box
  IMAGE_NAME: frontend

jobs:
  build-and-push-image:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      packages: write
  
    steps:
      - name: Checkout
        uses: https://github.com/actions/checkout@v4
      - name: Set up Docker Buildx
        uses: https://github.com/docker/setup-buildx-action@v3
        with:
          driver-opts: network=host
          config-inline: |
            [registries.insecure]
            "git.fritz.box" = true
      - name: Build and push Docker image
        uses: https://github.com/docker/build-push-action@v5
        with:
          context: .
          file: ./Dockerfile
          push: true
          tags: "git.fritz.box/${{ env.IMAGE_NAME }}:latest"

Workflow logs

ERROR: failed to solve: failed to push git.fritz.box/frontend:latest: failed to do request: Head "https://git.fritz.box/v2/frontend/blobs/sha256:c926b61bad3b94ae7351bafd0c184c159ebf0643b085f7ef1d47ecdc7316833c": tls: failed to verify certificate: x509: certificate signed by unknown authority

BuildKit logs

No response

Additional info

No response

53845714nF avatar Jan 13 '24 23:01 53845714nF

          config-inline: |
            [registries.insecure]
            "git.fritz.box" = true

BuildKit config does not look correct, see https://docs.docker.com/build/buildkit/configure/#setting-registry-certificates and https://docs.docker.com/build/buildkit/toml-configuration/ for more info.

crazy-max avatar Jan 17 '24 10:01 crazy-max
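The error quoted in the workflow logs, `x509: certificate signed by unknown authority`, is the message Go's `crypto/x509` package produces when the TLS client's trust store contains no CA that issued the server's certificate; BuildKit is written in Go and hits the same check when it pushes. The program below is an added example, not code from build-push-action, BuildKit or anyone in this thread. It reproduces that check offline: it generates a constructed CA and a server certificate for `git.fritz.box` (the hostname from the issue), then verifies the certificate against the issuing CA's PEM bundle and against an unrelated CA's bundle, classifying the failure. All certificate material is generated in memory; none of the file paths from the thread are assumed to exist.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// issue signs tmpl with parent/parentKey (self-signs when parent is nil) and
// returns the certificate parsed, its private key, and its PEM encoding.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, []byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, nil, err
	}
	if parent == nil { // self-signed root
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), err
}

// template builds a short-lived CA or server-leaf certificate template (constructed test material).
func template(cn string, serial int64, isCA bool) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	if isCA {
		t.IsCA, t.BasicConstraintsValid = true, true
		t.KeyUsage |= x509.KeyUsageCertSign
	} else { // leaf: Go matches the SAN, not the CN, against the hostname
		t.DNSNames = []string{cn}
		t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	return t
}

// BuildFixture returns a server certificate for host, the PEM bundle of the CA
// that issued it, and the bundle of an unrelated CA (standing in for a wrong trust store).
func BuildFixture(host string) (serverPEM, goodCAPEM, otherCAPEM []byte, err error) {
	ca, caKey, goodCAPEM, err := issue(template("Constructed Registry CA", 1, true), nil, nil)
	if err != nil {
		return
	}
	if _, _, otherCAPEM, err = issue(template("Unrelated CA", 2, true), nil, nil); err != nil {
		return
	}
	_, _, serverPEM, err = issue(template(host, 3, false), ca, caKey)
	return
}

// VerifyRegistryCert performs the check a Go TLS client makes during the
// handshake: does serverPEM chain to a CA in caBundlePEM and name host?
func VerifyRegistryCert(serverPEM, caBundlePEM []byte, host string) error {
	block, _ := pem.Decode(serverPEM)
	if block == nil {
		return errors.New("server PEM: no CERTIFICATE block found")
	}
	leaf, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return err
	}
	roots := x509.NewCertPool()
	if !roots.AppendCertsFromPEM(caBundlePEM) {
		return errors.New("CA bundle: no certificates could be parsed")
	}
	_, err = leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: roots})
	return err
}

// IsUnknownAuthority reports whether err is the "x509: certificate signed by
// unknown authority" failure, i.e. the trust store lacks the issuing CA.
func IsUnknownAuthority(err error) bool {
	var ua x509.UnknownAuthorityError
	return errors.As(err, &ua)
}

func main() {
	serverPEM, goodCA, otherCA, err := BuildFixture("git.fritz.box")
	if err != nil {
		panic(err)
	}
	fmt.Println("right CA bundle:", VerifyRegistryCert(serverPEM, goodCA, "git.fritz.box"))
	err = VerifyRegistryCert(serverPEM, otherCA, "git.fritz.box")
	fmt.Println("wrong CA bundle:", err, "| unknown authority:", IsUnknownAuthority(err))
}
```

To use it against a real setup, read the registry's server certificate and the bundle you intend to reference from the `ca=[...]` setting into `VerifyRegistryCert`. If that offline check already reports unknown authority, the bundle does not contain the issuing CA and no BuildKit configuration will make the push succeed; if it passes but the build still fails with the same message, the bundle is fine and the problem is that the file is not reaching buildkitd at the configured path.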

I have changed my action to:

steps:
  - name: Checkout
    uses: https://github.com/actions/checkout@v4
  - name: Set up Docker Buildx
    uses: https://github.com/docker/setup-buildx-action@v3
    with:
      driver-opts: network=host
      config-inline: |
        debug = true
        [registry."git.fritz.box"]
          ca=["/etc/ssl/certs/rootCA.pem"]

And my act_runner config to:

container:
  # Specifies the network to which the container will connect.
  # Could be host, bridge or the name of a custom network.
  # If it's empty, act_runner will create a network automatically.
  network: ""
  # Whether to use privileged mode or not when launching task containers (privileged mode is required for Docker-in-Docker).
  privileged: false
  # And other options to be used when the container is started (eg, --add-host=my.gitea.url:host-gateway).
  options: --mount type=bind,source=/etc/ssl/certs/,target=/etc/ssl/certs/,readonly --mount type=bind,source=/home/rar/gittea.crt,target=/etc/my_certs/gittea.crt,readonly --mount type=bind,source=/home/rar/gittea.key,target=/etc/my_certs/gittea.key,readonly
  valid_volumes:
    - '**'


I think I've made a little progress, but I get this 401 error:

failed with: ERROR: failed to solve: failed to push git.fritz.box/frontend:latest: unexpected status from HEAD request to https://git.fritz.box/v2/frontend/blobs/sha256:18fbd407def3017149f5c4ed3ec8777724268e7bcfbd376021df40e27d5be4e1: 401 Unauthorized

53845714nF avatar Jan 20 '24 13:01 53845714nF

I realised that the current error has more to do with the login.

I try to add:

- name: Login to Registry
  uses: https://github.com/docker/login-action@v3
  with:
    registry: git.fritz.box
    username: ${{ secrets.USERNAME }}
    password: ${{ secrets.PASSWORD }}

But I get this: ::error::Unable to locate executable file: docker. Please verify either the file path exists or the file can be found within a directory specified by the PATH environment variable. Also check the file mode to verify the file is executable.

I can't trace this because it also uses Docker to build.

53845714nF avatar Feb 25 '24 13:02 53845714nF

But I get this: ::error::Unable to locate executable file: docker. Please verify either the file path exists or the file can be found within a directory specified by the PATH environment variable. Also check the file mode to verify the file is executable.

Looks like an issue with act. Suggest to open an issue there: https://github.com/nektos/act

If you repro on official GitHub runners, please post a repro and debug logs. Closing in the meantime.

crazy-max avatar Feb 28 '24 15:02 crazy-max