Error: unable to get local issuer certificate #377

Open
Justin-JHG opened this issue Apr 8, 2023 · 10 comments

Comments

@Justin-JHG

Describe the bug
Getting above error when running action version 3
running exact same action with v2.0.1 has no error

Desktop (please complete the following information):

  • OS: [windows]
  • Browser [Edge]
  • Version [server 2016]

Smartphone (please complete the following information):

  • Device: [e.g. iPhone6]
  • OS: [e.g. iOS8.1]
  • Browser [e.g. stock browser, safari]
  • Version [e.g. 22]

Additional context
Add any other context about the problem here.

@Justin-JHG
Author

no one maintaining this repo anymore?

@benPearce1
Contributor

Sorry for the delay in actioning this @Justin-JHG

Can you please let us know some more information about where you are receiving this error?
Self-hosted or GitHub runner?
Where is the Octopus server that it is connecting to located, internal network or public facing endpoint?
Are you able to provide a debug log from a failed run?

@Justin-JHG
Author

hi @benPearce1

thank you for the reply

Can you please let us know some more information about where you are receiving this error?
Self-hosted or GitHub runner?

  • self-hosted windows server 2016 runner

Where is the Octopus server that it is connecting to located, internal network or public facing endpoint?

  • hosted on AWS EC2 but only visible in internal network

Are you able to provide a debug log from a failed run?

  • not sure where to get the debug log but I have attached the error for your review, thanks

image

@benPearce1
Contributor

benPearce1 commented Apr 21, 2023

@Justin-JHG thanks for the reply.

I assume since the Octopus Server is internally facing only, then it is using a self-signed certificate on the API.

It appears that you are running into the same issue that we have on our Azure DevOps extension. They both use the same underlying client library.

At this stage we don't have a fix and are not planning to provide an SSL workaround. Can you please try importing the self-signed certificate from the Octopus Server to the Trusted Root Certification Authorities store on the server hosting the GitHub Actions runner?
This article might help with this - https://techcommunity.microsoft.com/t5/windows-server-essentials-and/installing-a-self-signed-certificate-as-a-trusted-root-ca-in/ba-p/396105

The debug logs can be obtained by re-running a previous job and ticking Enable debug logging
image

@Justin-JHG
Author

thank you @benPearce1

yes we did get exact same error in our Azure DevOps pipeline as well when running latest task for Create Release and Deploy Release.

just wondering, if you are not planning to fix the SSL error, can you help to update create-release-action@v2.0.1 to fix the following:

image

we will just use v2 instead as that one works for us.

I tried to import the certificate and still getting same error, debug log as following

##[debug]Evaluating condition for step: '🔸 Create a release in Octopus Deploy 🐙'
##[debug]Evaluating: success()
##[debug]Evaluating success:
##[debug]=> true
##[debug]Result: true
##[debug]Starting: 🔸 Create a release in Octopus Deploy 🐙
##[debug]Loading inputs
##[debug]Evaluating: vars.OCTOPUS_CHANNEL
##[debug]Evaluating Index:
##[debug]..Evaluating vars:
##[debug]..=> Object
##[debug]..Evaluating String:
##[debug]..=> 'OCTOPUS_CHANNEL'
##[debug]=> 'PCR-Channel-Test'
##[debug]Result: 'PCR-Channel-Test'
##[debug]Evaluating: needs.build.outputs.build_number
##[debug]Evaluating Index:
##[debug]..Evaluating Index:
##[debug]....Evaluating Index:
##[debug]......Evaluating needs:
##[debug]......=> Object
##[debug]......Evaluating String:
##[debug]......=> 'build'
##[debug]....=> Object
##[debug]....Evaluating String:
##[debug]....=> 'outputs'
##[debug]..=> Object
##[debug]..Evaluating String:
##[debug]..=> 'build_number'
##[debug]=> '20230421.162805-azure-pipeline-GA'
##[debug]Result: '20230421.162805-azure-pipeline-GA'
##[debug]Loading env
Run OctopusDeploy/create-release-action@v3.0.5
  with:
    project: PCR
    space: PA Suite
    channel: PCR-Channel-Test
    release_number: 20230421.162805-azure-pipeline-GA
    ignore_existing: false
  env:
    SOLUTION_FILE_PATH: ./Services
    BUILD_CONFIGURATION: Release
    OCTOPUS_API_KEY: ***
    OCTOPUS_URL: https://jhgsvrmeltfsb01.jhg.com.au/
    OCTOPUS_SPACE: PA Suite
Error: Error: unable to get local issuer certificate
##[debug]Node Action run completed with exit code 1
##[debug]Finishing: 🔸 Create a release in Octopus Deploy 🐙

@benPearce1
Contributor

@Justin-JHG there are two possible workarounds that will avoid the SSL error you are seeing in the v3 action.

Setting the environment variable NODE_TLS_REJECT_UNAUTHORIZED to 0 (zero) will stop the node process from validating the certs. This makes all connections between the runner and your Octopus Server insecure and is not recommended.

Exporting the Octopus Server certificate to a PEM file and setting the environment variable NODE_EXTRA_CA_CERTS to the path to the file should also allow the runner to connect to an endpoint with a self-signed certificate.

@Justin-JHG
Author

hi @benPearce1
thank you, just wondering where to add the environment variable? is that the variable for repo for the GitHub Actions?

image

tried to add NODE_TLS_REJECT_UNAUTHORIZED and still got same error?

@benPearce1
Contributor

The variable would need to be on the worker machine as a system variable, or at least scoped to the user that the agent is running under.

@Justin-JHG
Author

hi @benPearce1
thank you, unfortunately adding env variable still getting same error

another thing I'm wondering is that when I try to browse the Octopus server from the runner it didn't report any issue with certificate. just wondering why the github action cannot find it

image

@benPearce1
Contributor

I think this is due to differences in the way that the browser handles certificates vs node.
As far as I know, node doesn't look at the certificates added to the machine.

After adding the NODE_TLS_REJECT_UNAUTHORIZED environment variable to the user profile or system variables, did you restart the runner?
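
Added example, not part of the thread or of the action's own code: a small Node script for the runner machine that reports what a Node process there actually sees for the two variables discussed above, and whether the file named by NODE_EXTRA_CA_CERTS is a usable PEM trust anchor. The function names `inspectBundle` and `auditEnv` are hypothetical, and the check for a self-signed root assumes Node's default chain validation, which does not accept a partial chain.

```javascript
// Added example (not from the thread): audit the TLS trust settings this Node process sees.
const fs = require('node:fs');
const { X509Certificate } = require('node:crypto');

const PEM_BLOCK = /-----BEGIN CERTIFICATE-----[\s\S]+?-----END CERTIFICATE-----/g;

// Parse each certificate in a PEM bundle and record what matters for a trust anchor.
function inspectBundle(pemText, now = new Date()) {
  return (pemText.match(PEM_BLOCK) || []).map((pem) => {
    const cert = new X509Certificate(pem);
    return {
      subject: cert.subject.replace(/\n/g, ', '),
      // Self-signed means the certificate's own public key verifies its signature.
      selfSigned: cert.verify(cert.publicKey),
      expired: new Date(cert.validTo) < now,
    };
  });
}

// Return a list of problems; an empty list means none were found.
// readFile and now are injectable so the check can be exercised without a real file.
function auditEnv(env = process.env, readFile = (p) => fs.readFileSync(p, 'utf8'), now = new Date()) {
  const findings = [];
  if (env.NODE_TLS_REJECT_UNAUTHORIZED === '0') {
    findings.push('INSECURE: NODE_TLS_REJECT_UNAUTHORIZED=0 turns certificate validation off');
  }
  const path = env.NODE_EXTRA_CA_CERTS;
  if (!path) {
    findings.push('NODE_EXTRA_CA_CERTS is not set in this process (was it set after the process started?)');
    return findings;
  }
  let certs;
  try {
    certs = inspectBundle(readFile(path), now);
  } catch (err) {
    findings.push(`cannot load ${path}: ${err.message}`);
    return findings;
  }
  if (certs.length === 0) findings.push(`${path} contains no PEM certificate blocks (binary DER export?)`);
  for (const c of certs) {
    if (c.expired) findings.push(`expired: ${c.subject}`);
    // Assumption: default validation, where the chain must end at a self-signed root.
    if (!c.selfSigned) findings.push(`not self-signed, add its issuing root too: ${c.subject}`);
  }
  return findings;
}

const report = auditEnv();
console.log(report.length ? report.join('\n') : 'no problems found');
```

Node reads NODE_EXTRA_CA_CERTS once, when the process starts, so run the script under the same account and after the same restart as the runner service.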
