actions / runner-images

GitHub Actions runner images
MIT License

Ubuntu 22.04: Failing Due to No Alternative Certificate Subject #7936

Closed kamirendawkins closed 1 year ago

kamirendawkins commented 1 year ago

Description

We are starting to see failures across multiple actions that leverage ubuntu-latest that revolve around the following error:

curl: (60) SSL: no alternative certificate subject name matches target host name 'objects.githubusercontent.com'
More details here: https://curl.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.
Error: Process completed with exit code 60.

This appears to be related to https://github.com/actions/runner-images/pull/7924 which includes

curl 7.81.0-1ubuntu1.10

which appears to relate to https://bugs.launchpad.net/ubuntu/+source/curl/+bug/2028170

If this is a duplicate please feel free to close but I did not see an initial report at the time of writing.

Platforms affected

Runner images affected

Image version and build link

Runner Image: ubuntu-latest (Unsure of exact release target)

Is it regression?

ubuntu-20.04

Expected behavior

The SSL certificate is correct; this appears to be a failure with curl that should not be failing.

Actual behavior

Curl indicates that the SAN is not provided while in reality it is.

Repro steps

  1. Use ubuntu-latest
  2. Check Logs, it is not 100% consistent which does appear to line up with the possibility that this release is still marked as rolling out per https://github.com/actions/runner-images#available-images

vpolikarpov-akvelon commented 1 year ago

Hey @kamirendawkins. Thank you for reporting, we will investigate it.

camargo commented 1 year ago

We are also seeing this in some of our runs. For example: https://github.com/NASA-AMMOS/aerie/actions/runs/5602136269/jobs/10248653761

kamirendawkins commented 1 year ago

When I had initially reported this, I was concerned since the build of curl provided by the runners was a build behind where the initial bug was reported. Since then, curl 7.81.0-1ubuntu1.13 was released with a fix and our builds appear to be working again, which had us dive a little deeper, and it would appear that deep within an action we called for an apt update + apt install curl which...pulled the bugged version.

This leads me to believe this was actually self-induced due to not pinning versions (and even stampeding what is provided in the base image) and most likely not a problem with the runners' base image itself.

I think this can probably be closed but leave that to the maintainers' discretion.

PottsSG commented 1 year ago

Confirmed that the fix to Curl and the linked Ubuntu issue is being pulled now (only as of the last hour or so) for us as well and the certificate issue appears to be resolved: azure-arm.build_vhd: Setting up curl (7.81.0-1ubuntu1.13)

vpolikarpov-akvelon commented 1 year ago

Looks like it's not a problem with the image itself, as it includes version 7.81.0-1ubuntu1.10, which is not buggy. Many pipelines were failing because they update curl at runtime and occasionally pulled the broken version. Anyway, curl is fixed now, so everything should be fine.
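
A lint for the failure mode described in the two comments above, as an added example that is not part of the original issue or of the runner-images project: it scans workflow text for apt / apt-get install commands and reports packages installed without a `=version` pin, marking those that replace a package the image already ships. The function name, the IMAGE_PROVIDED list and the sample workflow are assumptions constructed for illustration.

```python
import re

# Packages assumed to ship in the runner image; installing them again at
# runtime swaps the image's tested build for whatever the archive serves.
IMAGE_PROVIDED = {"curl", "git", "wget"}

# An apt/apt-get install command and its arguments, up to the next shell
# separator; backslash-newline continuations stay inside the match.
INSTALL_RE = re.compile(
    r"\bapt(?:-get)?\s+(?:-\S+\s+)*install\b((?:[^;&|\n\\]|\\\n)*)")

def unpinned_installs(workflow_text):
    """Return (line, package, replaces_image_build) for every package
    installed without an explicit '=version' pin."""
    findings = []
    for m in INSTALL_RE.finditer(workflow_text):
        line_start = workflow_text.rfind("\n", 0, m.start()) + 1
        if workflow_text[line_start:m.start()].lstrip().startswith("#"):
            continue  # commented-out command
        line_no = workflow_text.count("\n", 0, m.start()) + 1
        for tok in m.group(1).replace("\\\n", " ").split():
            tok = tok.strip("'\"")
            if not tok or tok.startswith("-") or "$" in tok:
                continue  # option flag or shell/Actions expression
            if "=" in tok:
                continue  # pinned: name=version
            findings.append((line_no, tok, tok in IMAGE_PROVIDED))
    return findings

# Constructed sample workflow (not taken from the issue thread); the jq
# version string is a made-up placeholder.
SAMPLE = """\
jobs:
  build:
    runs-on: ubuntu-22.04
    steps:
      - name: Tools
        run: |
          sudo apt-get update
          sudo apt-get install -y curl jq=1.2.3-constructed \\
            --no-install-recommends unzip
      - name: Fetch
        run: sudo apt install -y libssl-dev && curl -fsSL https://example.com/x
"""

if __name__ == "__main__":
    for line_no, pkg, replaces in unpinned_installs(SAMPLE):
        note = " (replaces the build shipped in the image)" if replaces else ""
        print(f"line {line_no}: '{pkg}' installed without a version pin{note}")
```
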

TDodgeCo commented 1 year ago

I'm also having this issue. Repo is set to private or I'd share. Here's my action file though:

# This GitHub Actions workflow is generated and deployed by https://cleavr.io
# The filename, cleavr_b8nuaqz7nt, of this workflow is tracked from within Cleavr,
# please don't change the name. Though, feel free to add your own steps or tweak
# the existing ones except anything listed below the warning message.
# Read more about Cleavr's GitHub Actions integration feature at: https://docs.cleavr.io/github-actions

name: Deploy mysubdomain.mydomain.com App with Cleavr
on:
  workflow_dispatch:
  push:
    branches:
      # This is the branch that gets deployed when a push is made to this repository.
      # If you change the default branch in Cleavr under the Webapp's settings, make sure to change it here as well.
      - prod
jobs:
  build:
    runs-on: ubuntu-20.04
    steps:
      - uses: actions/checkout@v3

      - uses: actions/setup-node@v3
        with:
          node-version: '16'

      - uses: bahmutov/npm-install@v1

      - name: Build app
        run: npm run build --production

### ---  PLEASE DO NOT MODIFY ANYTHING BELOW THIS LINE --- ###

      - name: Generate artifact name
        id: artifact
        uses: josStorer/get-current-time@v2.0.2
        with:
          format: YYYYMMDDHHmmss
          utcOffset: "+08:00"

      - name: Upload artifact
        uses: actions/upload-artifact@v3
        with:
          name: '${{ steps.artifact.outputs.formattedTime }}'
          path: build
          if-no-files-found: error

      - name: Start Cleavr Deployment
        uses: fjogeleit/http-request-action@master
        with:
          url: '${{ secrets.DEPLOY_TRIGGER_HOOK_cleavr_b8nuaqz7nt }}'
          method: 'POST'
          timeout: 60000
          customHeaders: '{"artifact": "${{ steps.artifact.outputs.formattedTime }}"}'

vpolikarpov-akvelon commented 1 year ago

Hey @TDodgeCo. Could you share the exact error and what stage it emerges in?