Git actions runner SSL issue

Actions

ar339585 November 14, 2023, 6:01pm 1

When using a git runner (worked prior), I updated the SSL cert that nginx uses to secure gitea and all of a sudden my git action stopped working.

My runner is build in a docker container and when calling actions/checkout@v3, I get the below error:
Unable to access fatal: unable to access ‘https://gitea.spacia.com/Spacia/Flyer’: server certificate verification failed. CAfile: none CRLfile: none

This is only since updating the companies wildcard cert. I also place the cert in /usr/local/share/ca-certificates and ran update-ca-certificates.

Does the new cert need to be pointed somewhere else? Or when the actions/checkout@v3 is it using an old referenced cert?

Cannot checkout a repository hosted on a gitea instance using self-signed certificate (`server certificate verification failed`)

lunny November 15, 2023, 10:13am 2

This is because your Gitea instance has a self-signed certification? If that, you could use insecure flag on act_runner to ignore the verification.

ar339585 November 15, 2023, 2:17pm 3

Thanks for the reply @lunny
Its not a self signed cert. It is a signed pfx ca.
Initially the runner (inside a docker container) stopped running. I added the crt to /usr/share/ca-certificates and this got the docker container started again.
The nginx cert updated for web requests…
Only issue now is when the git runner tries to checkout the repo that used the old cert just fine previously.

ar339585 November 15, 2023, 4:33pm 4

(post deleted by author)

ar339585 November 15, 2023, 4:34pm 5

cont…

::group::Disabling automatic garbage collection
[command]/usr/bin/git config --local gc.auto 0
::endgroup::
::group::Setting up auth
[command]/usr/bin/git config --local --name-only --get-regexp core.sshCommand
[command]/usr/bin/git submodule foreach --recursive sh -c “git config --local --name-only --get-regexp ‘core.sshCommand’ && git config --local --unset-all ‘core.sshCommand’ || :”
[command]/usr/bin/git config --local --name-only --get-regexp http.https://git.spacia.com/.extraheader
[command]/usr/bin/git submodule foreach --recursive sh -c “git config --local --name-only --get-regexp ‘http.https://git.spacia.com/.extraheader’ && git config --local --unset-all ‘http.https://git.spacia.com/.extraheader’ || :”

ar339585 November 15, 2023, 4:37pm 6

::group::Fetching the repository
[command]/usr/bin/git -c protocol.version=2 fetch --no-tags --prune --progress --no-recurse-submodules --depth=1 origin +e876eba78914a89f4d2e77b54883198c902e8705:refs/remotes/origin/master
fatal: unable to access ‘gitsite’: server certificate verification failed. CAfile: none CRLfile: none
The process ‘/usr/bin/git’ failed with exit code 128
Waiting 12 seconds before trying again
[command]/usr/bin/git -c protocol.version=2 fetch --no-tags --prune --progress --no-recurse-submodules --depth=1 origin +e876eba78914a89f4d2e77b54883198c902e8705:refs/remotes/origin/master
Exact error below:

fatal: unable to access ‘gitsite’: server certificate verification failed. CAfile: none CRLfile: none
The process ‘/usr/bin/git’ failed with exit code 128
Waiting 16 seconds before trying again
[command]/usr/bin/git -c protocol.version=2 fetch --no-tags --prune --progress --no-recurse-submodules --depth=1 origin +e876eba78914a89f4d2e77b54883198c902e8705:refs/remotes/origin/master
fatal: unable to access ‘gitsite’: server certificate verification failed. CAfile: none CRLfile: none
::remove-matcher owner=checkout-git::
::error::The process ‘/usr/bin/git’ failed with exit code 128

Whats strange is I can clone the repo from within the container, so I dont understand what cert the git runner is failing on?

ar339585 November 15, 2023, 4:40pm 7

Here is the exact issue

Waiting 12 seconds before trying again
[command]/usr/bin/git -c protocol.version=2 fetch --no-tags --prune --progress --no-recurse-submodules --depth=1 origin +e876eba78914a89f4d2e77b54883198c902e8705:refs/remotes/origin/master
fatal: unable to access ‘gitsite’: server certificate verification failed. CAfile: none CRLfile: none
The process ‘/usr/bin/git’ failed with exit code 128
Waiting 16 seconds before trying again
[command]/usr/bin/git -c protocol.version=2 fetch --no-tags --prune --progress --no-recurse-submodules --depth=1 origin +e876eba78914a89f4d2e77b54883198c902e8705:refs/remotes/origin/master
fatal: unable to access ‘gitsite’: server certificate verification failed. CAfile: none CRLfile: none
::remove-matcher owner=checkout-git::
::error::The process ‘/usr/bin/git’ failed with exit code 128

Whats strange is that I can clone within the runner container, so I dont see how this action fails?