I am trying to set up a self-hosted act-runner, and link it to a Gitea instance that uses self-signed TLS certificates (the implementation/ansible role to deploy it can be found here). I had no problem setting up act-runner and registering it on my Gitea instance, enabling actions for repositories, etc.
However, during actions-checkout@v2, gitea actions fails with fatal: unable to access 'https://git.example.org/myusername/hecat-test/': server certificate verification failed. CAfile: none CRLfile: none.
This is because it tries to clone a git repository from the Gitea instance, which does not have a valid certificate. This is a test/staging instance and it is not possible for me to get a valid certificate for it. I would like to keep using a self-signed certificate, and make actions-checkout@v2 play nice with it.
Searching for self-signed on Issues · actions/checkout · GitHub yields no results, which make me think github’s checkout action simply does not support this. Moreover it doesn’t appear that maintainers are looking at the project issues at all, so it is pointless to post there (issues are littered with spambot-generated content which are never cleaned up).
Are there ways to accomplish this? Is there an alternative checkout action that I could use? Or is there a way to configure the action trust a custom CA/certificate?
Hi,
I was able to make act-runner/checkout action accept the self-signed certificate by:
adding my self-signed certificate to the host’s CA certificates bundle, by copying it to /etc/ssl/certs/ and running update-ca-certificates
making a copy of the host’s CA certificate bundle (/etc/ssl/certs/ca-certificates.crt) for act-runner in /etc/act-runner/ca-certificates.crt
mounting this copy of the the bundle inside containers managed by act-runner by passing options: --mount type=bind,source=/etc/act-runner/ca-certificates.crt,target=/etc/ssl/certs/ca-certificates.crt,readonly and valid_volumes: ['/etc/act-runner/ca-certificates.crt'] in /etc/act-runner/config.yaml
have the checkout action load this certificate bundle by passing envs: NODE_EXTRA_CA_CERTS: "/etc/ssl/certs/ca-certificates.crt" in /etc/act-runner/config.yaml
Also worth noting that my default setup uses podman instead of docker to manage containers, and seems to work correctly with it. I will probably contribute some documentation on how to achieve this.
I’m also having the same problems with ca certs, and have just burnt 4 hours trying to get the F thing working.
I run my own Root CA + Intermediate for homelab purposes. Gitea is behind traefik providing the HTTPS endpoint.
On my synology NAS, using a gitea action runner works perfectly - the CA certs pass through to all of the containers.
Running Ubuntu on a different machine, and i can curl the endpoint no problems on the host (cert is in the trust store) but the containers all fail on the git clone step.
@haydonryan check the solution above, there are two things at play:
the host running act-runner must trust the certificate so it can register/communicate with the gitea instance (seems to work fine for you)
the containers launched by act-runner, in which the git clone process take place, must trust the certificate - these containers have no knowledge of the host’s trust store - so you must have
NODE_EXTRA_CA_CERTS: "/etc/ssl/certs/ca-certificates.crt" in /etc/act-runner/config.yaml
valid_volumes: ['/etc/act-runner/ca-certificates.crt'] and options: --mount type=bind,source=/etc/act-runner/ca-certificates.crt,target=/etc/ssl/certs/ca-certificates.crt,readonly in /etc/act-runner/config.yaml
I did get it in eventually once I found the options section of config.yaml. I definitely think this is something that could be added to the config.yaml template.
I moved from an ubuntu docker host to arch linux based… My vms all trust my internal CA.
I think the way I’m doing this is different to your suggestion - in that I’m just passing through the host directories, rather than having extra certs in etc/act-runner.
I have it working by: