search

actions / checkout

Action for checking out a repo
https://github.com/features/actions
MIT License
5.93k stars 1.76k forks source link

Error: request to https://api.github.com/repos/xxxx/xxxxx failed, reason: unable to get local issuer certificate #1408

Open jdambly-ns opened 1 year ago

jdambly-ns commented 1 year ago

my self hosted runner is giving me the error

failed, reason: unable to get local issuer certificate

if I run the command manually inside the runner,

github@xxxxx:~$ curl -L -v   -H "Accept: application/vnd.github+json"    -H "Authorization: Bearer xxxxx"   -H "X-GitHub-Api-Version: 2022-11-28"    https://api.github.com/repos/xxxx/xxxx
*   Trying 10.149.193.153:443...
* TCP_NODELAY set
* Connected to api.github.com (10.149.193.153) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server did not agree to a protocol
* Server certificate:
*  subject: C=US; ST=California; L=Santa Clara; O=xxxx, Inc.; CN=xxxx; CN=api.github.com
*  start date: Jul  6 23:19:07 2023 GMT
*  expire date: Jul  6 23:19:07 2024 GMT
*  subjectAltName: host "api.github.com" matched cert's "api.github.com"
*  issuer: C=US; ST=California; L=Santa Clara; O=xxxxx, Inc.; CN=xxx
*  SSL certificate verify ok.
> GET /repos/xxxxx/xxxx HTTP/1.1
> Host: api.github.com
> User-Agent: curl/7.68.0
> Accept: application/vnd.github+json
> Authorization: Bearer xxxxx
> X-GitHub-Api-Version: 2022-11-28
>
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* old SSL session ID is stale, removing
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK

I think I need to make the checkout/actions use the CA at /etc/ssl/certs/ca-certificates.crt, is there an option to configure this?

FreyGeospatial commented 7 months ago

did you find out a solution?

xgt001 commented 2 days ago

Github seems to override Authorization Bearer token