Cannot checkout a repository hosted on a gitea instance using self-signed certificate (`server certificate verification failed`)

Hi,
I was able to make act-runner/checkout action accept the self-signed certificate by:

  1. adding my self-signed certificate to the host’s CA certificates bundle, by copying it to `/etc/ssl/certs/` and running `update-ca-certificates`
  2. making a copy of the host’s CA certificate bundle (`/etc/ssl/certs/ca-certificates.crt`) for act-runner in `/etc/act-runner/ca-certificates.crt`
  3. mounting this copy of the bundle inside containers managed by act-runner by passing `options: --mount type=bind,source=/etc/act-runner/ca-certificates.crt,target=/etc/ssl/certs/ca-certificates.crt,readonly` and `valid_volumes: ['/etc/act-runner/ca-certificates.crt']` in `/etc/act-runner/config.yaml`
  4. having the checkout action load this certificate bundle by passing `envs: NODE_EXTRA_CA_CERTS: "/etc/ssl/certs/ca-certificates.crt"` in `/etc/act-runner/config.yaml`

You can find the full ansible role here: https://github.com/nodiscc/xsrv/tree/master/roles/gitea_act_runner

Also worth noting that my default setup uses podman instead of docker to manage containers, and seems to work correctly with it. I will probably contribute some documentation on how to achieve this.

2 Likes
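
A check for steps 1 and 2 above, as an added example that is not part of the original post or of the linked Ansible role: it confirms that the bundle copy mounted into job containers actually contains the self-signed certificate and has not drifted from the host bundle since it was copied. The function names are hypothetical, and the certificate file name in the usage comment is a placeholder.

```sh
#!/bin/sh
# Added example: check the CA bundle copy that act-runner mounts into job containers.
# Function names are hypothetical; only awk, grep, head and cmp are required.

# Print the base64 body of every certificate in a PEM file, one per line,
# so line wrapping and CRLF differences do not affect the comparison.
pem_bodies() {
  awk '
    /-----BEGIN CERTIFICATE-----/ { inb = 1; body = ""; next }
    /-----END CERTIFICATE-----/   { inb = 0; print body; next }
    inb { gsub(/[ \t\r]/, ""); body = body $0 }
  ' "$1"
}

# Succeed if the first certificate in file $1 is present in bundle $2.
bundle_contains_cert() {
  cert_body=$(pem_bodies "$1" 2>/dev/null | head -n 1)
  [ -n "$cert_body" ] || return 2   # no certificate could be read from $1
  pem_bodies "$2" 2>/dev/null | grep -Fxq -- "$cert_body"
}

# check_runner_bundle CERT HOST_BUNDLE RUNNER_BUNDLE
# 0: runner copy trusts CERT and matches the host bundle
# 1: CERT is missing from the runner copy, or could not be read
# 2: runner copy differs from the host bundle (stale copy, redo step 2)
check_runner_bundle() {
  if ! bundle_contains_cert "$1" "$3"; then
    echo "certificate $1 is not in $3" >&2
    return 1
  fi
  if ! cmp -s "$2" "$3"; then
    echo "$3 differs from $2; copy it again" >&2
    return 2
  fi
  return 0
}

# Usage with the paths from the post (the certificate file name is a placeholder):
#   check_runner_bundle /etc/ssl/certs/<your-cert>.pem \
#     /etc/ssl/certs/ca-certificates.crt /etc/act-runner/ca-certificates.crt
```

A return value of 2 is the case to watch after later runs of `update-ca-certificates`: the host bundle changes, but the copy under `/etc/act-runner/` does not follow it until it is copied again.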