Cannot checkout a repository hosted on a gitea instance using self-signed certificate (`server certificate verification failed`)

Hi,

I am trying to set up a self-hosted act-runner, and link it to a Gitea instance that uses self-signed TLS certificates (the implementation/ansible role to deploy it can be found here). I had no problem setting up act-runner and registering it on my Gitea instance, enabling actions for repositories, etc.

However, during actions-checkout@v2, gitea actions fails with fatal: unable to access 'https://git.example.org/myusername/hecat-test/': server certificate verification failed. CAfile: none CRLfile: none.

This is because it tries to clone a git repository from the Gitea instance, which does not have a valid certificate. This is a test/staging instance and it is not possible for me to get a valid certificate for it. I would like to keep using a self-signed certificate, and make actions-checkout@v2 play nice with it.

Searching for self-signed on Issues · actions/checkout · GitHub yields no results, which makes me think GitHub’s checkout action simply does not support this. Moreover, it doesn’t appear that maintainers are looking at the project issues at all, so it is pointless to post there (issues are littered with spambot-generated content that is never cleaned up).

Are there ways to accomplish this? Is there an alternative checkout action that I could use? Or is there a way to configure the action to trust a custom CA/certificate?

Thanks in advance

Looks like there is no parameter to ignore the certificate verify.
ref: https://github.com/actions/checkout/blob/main/action.yml

Hi,
I was able to make act-runner/checkout action accept the self-signed certificate by:

  1. adding my self-signed certificate to the host’s CA certificates bundle, by copying it to /etc/ssl/certs/ and running update-ca-certificates
  2. making a copy of the host’s CA certificate bundle (/etc/ssl/certs/ca-certificates.crt) for act-runner in /etc/act-runner/ca-certificates.crt
  3. mounting this copy of the bundle inside containers managed by act-runner by passing options: --mount type=bind,source=/etc/act-runner/ca-certificates.crt,target=/etc/ssl/certs/ca-certificates.crt,readonly and valid_volumes: ['/etc/act-runner/ca-certificates.crt'] in /etc/act-runner/config.yaml
  4. having the checkout action load this certificate bundle by passing envs: NODE_EXTRA_CA_CERTS: "/etc/ssl/certs/ca-certificates.crt" in /etc/act-runner/config.yaml

You can find the full ansible role here: https://github.com/nodiscc/xsrv/tree/master/roles/gitea_act_runner

Also worth noting that my default setup uses podman instead of docker to manage containers, and seems to work correctly with it. I will probably contribute some documentation on how to achieve this.

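The four steps above, collected into one script as an added example (this is not code from the post or from the xsrv role it links to). Assumptions I made: a `root` prefix argument so the script can be exercised against a scratch directory instead of the real `/etc` (leave it empty on a real host); the file name `gitea-selfsigned.crt` for the copied certificate; a Debian-style host where `update-ca-certificates` rebuilds `/etc/ssl/certs/ca-certificates.crt`; and the placement of the keys under `runner.envs`, `container.options` and `container.valid_volumes`, which follows act_runner's `config.example.yaml`. The config fragment is printed rather than written so it can be merged into an existing `config.yaml`, and the final check confirms the bundle act-runner will mount actually validates the Gitea certificate before any job is run against it.

```shell
#!/bin/sh
# Added example (not the post's or the xsrv role's code): the four steps from
# the post as functions. ROOT is an added assumption so the script can be
# exercised against a scratch directory; pass "" (or nothing) on a real host.
set -eu

# Step 1: add the Gitea self-signed certificate to the host CA bundle.
# Step 2: keep a copy of the rebuilt bundle for act-runner to mount.
install_ca_bundle() {
  cert="$1"        # PEM certificate exported from the Gitea instance
  root="${2:-}"    # prefix for /etc: "" in production, a temp dir when testing
  mkdir -p "$root/etc/ssl/certs" "$root/etc/act-runner"
  cp "$cert" "$root/etc/ssl/certs/gitea-selfsigned.crt"   # file name is an assumption
  if [ -z "$root" ]; then
    update-ca-certificates >/dev/null   # Debian/Ubuntu: rebuilds ca-certificates.crt
  else
    # Scratch mode: emulate the rebuild by concatenating every .crt except the bundle itself
    for f in "$root"/etc/ssl/certs/*.crt; do
      [ "$f" = "$root/etc/ssl/certs/ca-certificates.crt" ] || cat "$f"
    done > "$root/etc/ssl/certs/ca-certificates.crt.tmp"
    mv "$root/etc/ssl/certs/ca-certificates.crt.tmp" "$root/etc/ssl/certs/ca-certificates.crt"
  fi
  cp "$root/etc/ssl/certs/ca-certificates.crt" "$root/etc/act-runner/ca-certificates.crt"
  chmod 0644 "$root/etc/act-runner/ca-certificates.crt"   # world-readable, never writable by jobs
}

# Steps 3 and 4: bind-mount the copied bundle read-only into every job container
# and point Node (which actions/checkout runs under) at it via NODE_EXTRA_CA_CERTS.
# Printed as a fragment to merge into /etc/act-runner/config.yaml; key placement
# follows act_runner's config.example.yaml (an assumption, check your version).
write_runner_config() {
  cat <<'EOF'
runner:
  envs:
    NODE_EXTRA_CA_CERTS: "/etc/ssl/certs/ca-certificates.crt"
container:
  options: "--mount type=bind,source=/etc/act-runner/ca-certificates.crt,target=/etc/ssl/certs/ca-certificates.crt,readonly"
  valid_volumes:
    - /etc/act-runner/ca-certificates.crt
EOF
}

# Check before restarting the runner: the bundle that will be mounted must
# validate the Gitea certificate. For a self-signed certificate, openssl verify
# succeeds exactly when that certificate itself is present in -CAfile.
verify_bundle() {
  cert="$1"
  root="${2:-}"
  openssl verify -CAfile "$root/etc/act-runner/ca-certificates.crt" "$cert" >/dev/null
}

# Optional live check against the instance (needs network): fails unless the
# copied bundle is enough to complete the TLS handshake, with no -k/insecure.
check_server() {
  url="$1"   # e.g. https://git.example.org/
  curl -sSf --cacert /etc/act-runner/ca-certificates.crt -o /dev/null "$url"
}

# Usage: ./act-runner-ca.sh /path/to/gitea.crt
if [ $# -ge 1 ]; then
  install_ca_bundle "$1"
  verify_bundle "$1"
  echo "Merge the following into /etc/act-runner/config.yaml, then restart act-runner:"
  write_runner_config
fi
```

The bind mount is read-only on purpose: a job can read the trust store but cannot append a CA to it, so a compromised workflow in one repository cannot widen what later jobs on the same runner will trust. Keep the copy in `/etc/act-runner/` owned by root with the mode set above, and rerun the script whenever the Gitea certificate is rotated, since the bundle is a snapshot rather than a live view of the host store.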