Act_runner: server certificate verification failed. CAfile: none CRLfile: none

I’ve set up our Gitea server and everything has been going fine.

Now we’re setting up some workflows/actions and get the following error in the action’s log:

2024-10-17T12:33:16.4188843Z ::group::Fetching the repository
2024-10-17T12:33:16.4212670Z [command]/usr/bin/git -c protocol.version=2 fetch --no-tags --prune --no-recurse-submodules --depth=1 origin +d195a7b3ca41fa5c32629213ed6bd316711e3cb6:refs/tags/2.9.0-SNAPSHOT
2024-10-17T12:33:16.4776163Z fatal: unable to access 'https://slc039.lc.minebea.local:3000/NHBB/php-commons/': server certificate verification failed. CAfile: none CRLfile: none
2024-10-17T12:33:16.4792134Z The process '/usr/bin/git' failed with exit code 128
2024-10-17T12:33:16.4794562Z Waiting 15 seconds before trying again

If we add the following step to our workflow YAML we can ‘work around’ the issue, but I would really like to get it ‘fixed’.

- name: Disable SSL verify (Temporary Fix)
  run: git config --global http.sslVerify false

I’m assuming this is because our act_runner’s config.yaml is still the default example and we need to pass through the server’s certificates to the container… or something.
But I can’t find any information on how to do this properly (or at all really). Do I edit the act_runner config.yaml? Do I add more run steps to the workflow?

Thanks in advance,
Chris

I’m having the same problem. My Gitea instance is using a TLS certificate signed by a self-signed root CA. I tried mounting my host’s /etc/ssl/certs directory (includes the self-signed CA) into the Gitea action runner, which I run using Docker compose:

    # ...
    volumes:
      - ./runner-config.yaml:/config.yaml
      - ./data:/data
      - /var/run/docker.sock:/var/run/docker.sock
      - /etc/ssl/certs:/etc/ssl/certs:ro

but that didn’t help.

What’s the proper way to add a custom root CA to containers that run Gitea Actions?

Edit:

Not sure if this is the easiest or best way, but I found a way to mount the host’s certificates into the containers:

config.yaml

# ...
container:
  options: --mount type=bind,source=/etc/ssl/certs,target=/etc/ssl/certs,readonly
  valid_volumes: [ "/etc/ssl/certs" ]

Thanks for the reply.

We were able to solve our issue by adding the valid volumes section to the act_runner config.yaml and then modifying the workflows to add the volume.

Looking back, your solution to solve it completely within the act_runner config.yaml is probably a ‘better’ solution.

Again, thanks.
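
Added example, not part of the thread and not code from Gitea or act_runner: an offline reproduction of why a client with no knowledge of a private CA rejects the server certificate, and why supplying the CA certificate (what the /etc/ssl/certs mount in the thread provides to the job container) makes the same chain verify without `http.sslVerify false`. The CA name, host name and function names are constructed for the demo, and it assumes the `openssl` CLI is installed.

```shell
#!/bin/sh
# Constructed demo PKI; nothing here comes from the thread's server.
make_demo_pki() {   # $1 = working directory
  # Own config, so the result does not depend on the system openssl.cnf.
  cat > "$1/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Demo Internal Root CA
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
  # Self-signed root CA, standing in for the private CA behind the Gitea cert.
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -config "$1/ca.cnf" \
    -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null || return 1
  # Server key and CSR, then a leaf certificate issued by that CA.
  openssl req -new -newkey rsa:2048 -nodes -config "$1/ca.cnf" \
    -subj "/CN=gitea.example.internal" \
    -keyout "$1/server.key" -out "$1/server.csr" 2>/dev/null || return 1
  openssl x509 -req -in "$1/server.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
    -CAcreateserial -days 2 -out "$1/server.crt" 2>/dev/null || return 1
}

# Succeeds only if $1 (server cert) chains to a trusted CA.
# $2 = optional CA file to trust in addition to the default store.
trusts_server() {
  if [ -n "${2:-}" ]; then
    openssl verify -CAfile "$2" "$1" 2>&1 | grep -q ': OK$'
  else
    openssl verify "$1" 2>&1 | grep -q ': OK$'
  fi
}

demo() {
  dir=$(mktemp -d) || return 1
  if make_demo_pki "$dir"; then
    # Default trust store only: the private CA is unknown, as in the job container.
    if trusts_server "$dir/server.crt"; then echo "default store: trusted"
    else echo "default store: verification failed"; fi
    # Same certificate, with the CA certificate made available.
    if trusts_server "$dir/server.crt" "$dir/ca.crt"; then echo "with CA: trusted"
    else echo "with CA: verification failed"; fi
  fi
  rm -rf "$dir"
}
demo
```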