nektos / act

Run your GitHub Actions locally 🚀
https://nektosact.com
MIT License

::error:: self signed certificate in certificate chain #1878

Closed merlinpaypal closed 8 months ago

merlinpaypal commented 1 year ago

Bug report info

act version:            0.2.46
GOOS:                   darwin
GOARCH:                 arm64
NumCPU:                 10
Docker host:            DOCKER_HOST environment variable is not set
Sockets found:
        /var/run/docker.sock
        $HOME/.docker/run/docker.sock
Config files:           
        /Users/mepatterson/.actrc:
                --container-architecture linux/amd64
                -P ubuntu-latest=catthehacker/ubuntu:act-latest
                -P ubuntu-22.04=catthehacker/ubuntu:act-22.04
                -P ubuntu-20.04=catthehacker/ubuntu:act-20.04
                -P ubuntu-18.04=catthehacker/ubuntu:act-18.04
Build info:
        Go version:            go1.20.4
        Module path:           command-line-arguments
        Main version:          
        Main path:             
        Main checksum:         
        Build settings:
                -buildmode:           exe
                -compiler:            gc
                -ldflags:             -X main.version=0.2.46
                CGO_ENABLED:          1
                CGO_CFLAGS:           
                CGO_CPPFLAGS:         
                CGO_CXXFLAGS:         
                CGO_LDFLAGS:          
                GOARCH:               arm64
                GOOS:                 darwin
Docker Engine:
        Engine version:        24.0.2
        Engine runtime:        runc
        Cgroup version:        2
        Cgroup driver:         cgroupfs
        Storage driver:        overlay2
        Registry URI:          https://index.docker.io/v1/
        OS:                    Docker Desktop
        OS type:               linux
        OS version:            
        OS arch:               aarch64
        OS kernel:             5.15.49-linuxkit-pr
        OS CPU:                5
        OS memory:             7851 MB
        Security options:
                name=seccomp,profile=builtin
                name=cgroupns

Command used with act

act -j lintAndUnit

Describe issue

Erroring out with ::error::self signed certificate in certificate chain on a fairly simple step of actions/setup-node@v3.

I've turned off any VPN that I was using and I still get this same issue. I also disabled setting NODE_EXTRA_CA_CERTS. Though I wouldn't expect that to affect this runner either.

Link to GitHub repository

https://github.com/paypal/paypal-messaging-components/blob/develop/.github/workflows/core.yml

Workflow content

name: Lint, Unit, Non-snapshot tests
on:
    # allow for manual triggers
    workflow_dispatch: {}
    workflow_call: {}
    push:
        branches:
            - develop
    pull_request: {}

jobs:
    lintAndUnit:
        name: Lint and Unit Tests
        runs-on: ubuntu-latest
        steps:
            - name: Checkout repo
              uses: actions/checkout@v3
              with:
                  persist-credentials: false

            - name: Setup node
              uses: actions/setup-node@v1
              with:
                  node-version: 14

            - name: 📥 Download deps
              uses: bahmutov/npm-install@v1
              with:
                  useLockFile: false

            - name: Lint
              run: npm run lint

            - name: Unit Tests
              run: npm run test

    functionalNonSnapshot:
        name: Functional Non-Snapshot Tests
        runs-on: ubuntu-latest
        steps:
            - name: Checkout repo
              uses: actions/checkout@v3
              with:
                  persist-credentials: false

            - name: Setup node
              uses: actions/setup-node@v1
              with:
                  node-version: 14

            - name: 📥 Download deps
              uses: bahmutov/npm-install@v1
              with:
                  useLockFile: false

            - name: Run server
              run: ./.github/scripts/runServer.sh

            - name: Functional Non-Snapshot Tests
              run: npm run test:func:nosnaps

Relevant log output

[Lint, Unit, Non-snapshot tests/Lint and Unit Tests] 🚀  Start image=catthehacker/ubuntu:act-latest
[Lint, Unit, Non-snapshot tests/Lint and Unit Tests]   🐳  docker pull image=catthehacker/ubuntu:act-latest platform=linux/amd64 username= forcePull=true
[Lint, Unit, Non-snapshot tests/Lint and Unit Tests]   🐳  docker create image=catthehacker/ubuntu:act-latest platform=linux/amd64 entrypoint=["tail" "-f" "/dev/null"] cmd=[]
[Lint, Unit, Non-snapshot tests/Lint and Unit Tests]   🐳  docker run image=catthehacker/ubuntu:act-latest platform=linux/amd64 entrypoint=["tail" "-f" "/dev/null"] cmd=[]
[Lint, Unit, Non-snapshot tests/Lint and Unit Tests]   ☁  git clone 'https://github.com/actions/setup-node' # ref=v3
[Lint, Unit, Non-snapshot tests/Lint and Unit Tests]   ☁  git clone 'https://github.com/bahmutov/npm-install' # ref=v1
[Lint, Unit, Non-snapshot tests/Lint and Unit Tests] ⭐ Run Main Checkout repo
[Lint, Unit, Non-snapshot tests/Lint and Unit Tests]   🐳  docker cp src=/Users/mepatterson/code/messaging-components/. dst=/Users/mepatterson/code/messaging-components
[Lint, Unit, Non-snapshot tests/Lint and Unit Tests]   ✅  Success - Main Checkout repo
[Lint, Unit, Non-snapshot tests/Lint and Unit Tests] ⭐ Run Main Setup node
[Lint, Unit, Non-snapshot tests/Lint and Unit Tests]   🐳  docker cp src=/Users/mepatterson/.cache/act/actions-setup-node@v3/ dst=/var/run/act/actions/actions-setup-node@v3/
[Lint, Unit, Non-snapshot tests/Lint and Unit Tests]   🐳  docker exec cmd=[node /var/run/act/actions/actions-setup-node@v3/dist/setup/index.js] user= workdir=
| Resolved .nvmrc as 16
[Lint, Unit, Non-snapshot tests/Lint and Unit Tests]   💬  ::debug::isExplicit: 
[Lint, Unit, Non-snapshot tests/Lint and Unit Tests]   💬  ::debug::explicit? false
[Lint, Unit, Non-snapshot tests/Lint and Unit Tests]   💬  ::debug::isExplicit: 16.20.0
[Lint, Unit, Non-snapshot tests/Lint and Unit Tests]   💬  ::debug::explicit? true
[Lint, Unit, Non-snapshot tests/Lint and Unit Tests]   💬  ::debug::evaluating 0 versions
[Lint, Unit, Non-snapshot tests/Lint and Unit Tests]   💬  ::debug::match not found
| Attempting to download 16...
[Lint, Unit, Non-snapshot tests/Lint and Unit Tests]   💬  ::debug::No manifest cached
[Lint, Unit, Non-snapshot tests/Lint and Unit Tests]   💬  ::debug::Getting manifest from actions/node-versions@main
| self signed certificate in certificate chain
[Lint, Unit, Non-snapshot tests/Lint and Unit Tests]   💬  ::debug::Error: self signed certificate in certificate chain%0A    at TLSSocket.onConnectSecure (node:_tls_wrap:1539:34)%0A    at TLSSocket.emit (node:events:513:28)%0A    at TLSSocket._finishInit (node:_tls_wrap:953:8)%0A    at TLSWrap.ssl.onhandshakedone (node:_tls_wrap:734:12)
| Falling back to download directly from Node
[Lint, Unit, Non-snapshot tests/Lint and Unit Tests]   ❗  ::error::self signed certificate in certificate chain
[Lint, Unit, Non-snapshot tests/Lint and Unit Tests]   ❌  Failure - Main Setup node
[Lint, Unit, Non-snapshot tests/Lint and Unit Tests] exitcode '1': failure
[Lint, Unit, Non-snapshot tests/Lint and Unit Tests] 🏁  Job failed
Error: Job 'Lint and Unit Tests' failed

Additional information

.actrc file

--container-architecture linux/amd64
-P ubuntu-latest=catthehacker/ubuntu:act-latest
-P ubuntu-22.04=catthehacker/ubuntu:act-22.04
-P ubuntu-20.04=catthehacker/ubuntu:act-20.04
-P ubuntu-18.04=catthehacker/ubuntu:act-18.04

github-actions[bot] commented 8 months ago

Issue is stale and will be closed in 14 days unless there is new activity

dingo-d commented 6 months ago

I have the same thing

bug report output:

act version:            0.2.59
GOOS:                   darwin
GOARCH:                 arm64
NumCPU:                 10
Docker host:            unix:///Users/dzoljom/.colima/default/docker.sock
Sockets found:
    $HOME/.colima/docker.sock
Config files:
    /Users/dzoljom/Library/Application Support/act/actrc:
        -P ubuntu-latest=catthehacker/ubuntu:act-latest
        -P ubuntu-22.04=catthehacker/ubuntu:act-22.04
        -P ubuntu-20.04=catthehacker/ubuntu:act-20.04
        -P ubuntu-18.04=catthehacker/ubuntu:act-18.04
Build info:
    Go version:            go1.21.6
    Module path:           command-line-arguments
    Main version:
    Main path:
    Main checksum:
    Build settings:
        -buildmode:           exe
        -compiler:            gc
        -ldflags:             -X main.version=0.2.59
        DefaultGODEBUG:       panicnil=1
        CGO_ENABLED:          1
        CGO_CFLAGS:
        CGO_CPPFLAGS:
        CGO_CXXFLAGS:
        CGO_LDFLAGS:
        GOARCH:               arm64
        GOOS:                 darwin
Docker Engine:
    Engine version:        24.0.9
    Engine runtime:        runc
    Cgroup version:        2
    Cgroup driver:         systemd
    Storage driver:        overlay2
    Registry URI:          https://index.docker.io/v1/
    OS:                    Ubuntu 23.10
    OS type:               linux
    OS version:            23.10
    OS arch:               aarch64
    OS kernel:             6.5.0-15-generic
    OS CPU:                2
    OS memory:             1895 MB
    Security options:
        name=apparmor
        name=seccomp,profile=builtin
        name=cgroupns

The problem is that I am running act on a company laptop that inspects the TLS connections in the corporate network, so original certificates are replaced by the company ones.

How do I add the company CA to my root CA that will be passed to act?

The bizarre thing is, when I exec into the container created by act

cbe1fd82d5dc   catthehacker/ubuntu:act-latest   "tail -f /dev/null"   3 minutes ago   Up 3 minutes             act-Continuous-integration-checks-Syntax-errors-checks-8107544da945bdaf257e405c888977a9c013e14f50edbf39d04e06d933c87ea6

I can run the composer just fine 🤷🏼‍♂️

I tried running the command act -j phpcs --container-architecture linux/amd64 --container-options "-v /etc/ssl/certs:/etc/ssl/certs:ro" but I'm still getting the same error.

jonmajorc commented 5 months ago

I know the issue is stale, but am hoping one of you found a solution to your problem and wouldn't mind posting back here! I am also on a company laptop and suspect the same issue.

dingo-d commented 5 months ago

I had to ping my IT department to allow certain URLs, there was no other way.

mileserickson commented 1 month ago

I'm experiencing the same issue on a corporate machine that has Netskope.

INFO[0000] Using docker host 'unix:///Users/miles/.colima/default/docker.sock', and daemon socket 'unix:///Users/miles/.colima/default/docker.sock' 
[Deploy/deploy] 🚀  Start image=catthehacker/ubuntu:act-latest
[Deploy/deploy]   🐳  docker pull image=catthehacker/ubuntu:act-latest platform=linux/amd64 username= forcePull=true
[Deploy/deploy]   🐳  docker create image=catthehacker/ubuntu:act-latest platform=linux/amd64 entrypoint=["tail" "-f" "/dev/null"] cmd=[] network="host"
[Deploy/deploy]   🐳  docker run image=catthehacker/ubuntu:act-latest platform=linux/amd64 entrypoint=["tail" "-f" "/dev/null"] cmd=[] network="host"
[Deploy/deploy]   🐳  docker exec cmd=[node --no-warnings -e console.log(process.execPath)] user= workdir=
[Deploy/deploy]   ☁  git clone 'https://github.com/actions/setup-python' # ref=v2
[Deploy/deploy] Non-terminating error while running 'git clone': some refs were not updated
[Deploy/deploy] ⭐ Run Main Checkout code
[Deploy/deploy]   🐳  docker cp src=/Users/miles/work/github.com/Tractor-Supply-EA/athena-servers/. dst=/Users/miles/work/github.com/Tractor-Supply-EA/athena-servers
[Deploy/deploy]   ✅  Success - Main Checkout code
[Deploy/deploy] ⭐ Run Main Set up Python
[Deploy/deploy]   🐳  docker cp src=/Users/miles/.cache/act/actions-setup-python@v2/ dst=/var/run/act/actions/actions-setup-python@v2/
[Deploy/deploy]   🐳  docker exec cmd=[/opt/acttoolcache/node/18.20.4/x64/bin/node /var/run/act/actions/actions-setup-python@v2/dist/setup/index.js] user= workdir=
[Deploy/deploy]   💬  ::debug::Semantic version spec of 3.x is 3.x
[Deploy/deploy]   💬  ::debug::isExplicit: 
[Deploy/deploy]   💬  ::debug::explicit? false
[Deploy/deploy]   💬  ::debug::evaluating 0 versions
[Deploy/deploy]   💬  ::debug::match not found
| Version 3.x was not found in the local cache
[Deploy/deploy]   ❗  ::error::self-signed certificate in certificate chain
[Deploy/deploy]   ❌  Failure - Main Set up Python
[Deploy/deploy] exitcode '1': failure
[Deploy/deploy] 🏁  Job failed
Error: Job 'deploy' failed

Has anyone found a workaround?

ChristopherHX commented 1 month ago

@mileserickson node is ignoring the system cert store

I suggest adding the env NODE_EXTRA_CA_CERTS to point to your cert bundle file

This can be done via --env as well; if you put it into your repo dir, it depends on checkout being the first step doing network stuff

so act --env NODE_EXTRA_CA_CERTS=/Users/miles/work/github.com/Tractor-Supply-EA/athena-servers/certs.pem

There is some env to skip TLS validation in node as well, I don't remember it as it is insecure.

Tbh, you should create your own docker image with all the certs and that env and use --pull=false to use it