docs/checks/sslcert.md
You might run into an SSL certificate error when your GitHub Enterprise Server uses a self-signed SSL server certificate, or when a web proxy within your network decrypts HTTPS traffic for a security audit.
As long as the certificate was generated properly, most of these issues go away once you trust the certificate properly on the runner machine.
Different OSes might have extra requirements for SSL certificates. For example, macOS requires `ExtendedKeyUsage` (https://support.apple.com/en-us/HT210176).
!!! DO NOT SKIP SSL CERT VALIDATION !!!
!!! IT IS A BAD SECURITY PRACTICE !!!
Depending on how your SSL server certificate is configured, you might need to download the whole certificate chain from a machine that already trusts the certificate's CA.
- Approach 1: Export the certificate chain from a browser (Chrome, Firefox, IE); step-by-step guides for each browser are easy to find on the web.
- Approach 2: Download the certificate chain with OpenSSL (`openssl s_client -showcerts`).
- Approach 3: Ask your network administrator or the owner of the CA certificate to send you a copy of it.
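Approach 2 in working form, as an added example that is not part of the runner docs. It keeps only the PEM blocks from the `openssl s_client -showcerts` output (which is interleaved with chatter) and lists subject/issuer of each certificate so you can see whether the chain reaches a self-signed root. The host `myghes.example`, the output path `chain.pem` and the embedded sample output are assumptions; the sample's base64 bodies are constructed placeholders, not real certificates.

```shell
#!/bin/sh
# Added example (not from the runner docs): pull the chain a server presents with
# openssl s_client and keep only the PEM certificate blocks.
# Assumed values: host "myghes.example", port 443, output file chain.pem.

# Keep only -----BEGIN CERTIFICATE----- ... -----END CERTIFICATE----- blocks;
# s_client -showcerts surrounds them with "Certificate chain" / " s:" / " i:" lines.
extract_pem_blocks() {
  awk '/-----BEGIN CERTIFICATE-----/ { keep = 1 }
       keep { print }
       /-----END CERTIFICATE-----/ { keep = 0 }'
}

# Number of certificates in a PEM stream on stdin.
count_pem_certs() {
  grep -c -- '-----BEGIN CERTIFICATE-----'
}

# Fetch the chain from a live server and write it to $3 (needs network + openssl).
# -servername sends SNI so a virtual-hosted server returns the right certificate;
# </dev/null closes stdin so s_client exits instead of waiting for input.
fetch_chain() {
  host=$1; port=${2:-443}; out=$3
  openssl s_client -connect "$host:$port" -servername "$host" -showcerts </dev/null 2>/dev/null \
    | extract_pem_blocks > "$out"
  echo "saved $(count_pem_certs < "$out") certificate(s) to $out"
}

# Print subject/issuer for every certificate in a bundle, so you can tell whether the
# chain ends at a self-signed root (subject == issuer) or stops at an intermediate.
describe_bundle() {
  openssl crl2pkcs7 -nocrl -certfile "$1" | openssl pkcs7 -print_certs -noout
}

# Constructed s_client-style output for an offline run; the base64 bodies are
# placeholders, not real certificates.
SAMPLE_S_CLIENT_OUTPUT='CONNECTED(00000003)
---
Certificate chain
 0 s:CN = myghes.example
   i:CN = Example Internal CA
-----BEGIN CERTIFICATE-----
MIIBplaceholderLeafCertificateBodyNotARealCert==
-----END CERTIFICATE-----
 1 s:CN = Example Internal CA
   i:CN = Example Internal CA
-----BEGIN CERTIFICATE-----
MIIBplaceholderCaCertificateBodyNotARealCert==
-----END CERTIFICATE-----
---
Server certificate
subject=CN = myghes.example'

echo "constructed sample contains $(printf '%s\n' "$SAMPLE_S_CLIENT_OUTPUT" | extract_pem_blocks | count_pem_certs) certificate(s)"
# Against a real server:
#   fetch_chain myghes.example 443 chain.pem && describe_bundle chain.pem
```

Two things to check in the saved chain before trusting anything: the first block is the server's own leaf certificate and should not go into a trust store (drop it and keep the CA blocks), and many servers do not send their root, so if the last block's issuer is not its own subject you still need the root from the CA owner (Approach 3).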
The actions runner is a .NET Core application, so it loads trusted CA certificates the way .NET does on each OS.
Full details are in the .NET cross-platform cryptography documentation (https://github.com/dotnet/runtime/blob/main/docs/design/features/cross-platform-cryptography.md).
In short:
- Windows: the Windows certificate store
- macOS: the macOS Keychain
- Linux: the OpenSSL CA certificate bundle
To let the runner trust your CA certificate, import it into the OS trust store listed above on Windows and macOS. On Linux, you will need to:
- Save the CA certificate to a `.pem` file (if you received it in DER form, convert it to PEM with OpenSSL's `x509` command first).
- Set the environment variable `SSL_CERT_FILE` to the CA bundle `.pem` file you produced. Note that `SSL_CERT_FILE` replaces OpenSSL's default bundle rather than adding to it, so the file must contain the public CAs as well as your own; the runner reads the variable at startup, so restart it afterwards.
To verify the certificate is installed properly on Linux, try `curl -v https://sitewithsslissue.com` and `pwsh -Command "Invoke-WebRequest -Uri https://sitewithsslissue.com"`.
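The Linux procedure above as one script, added here as an example that is not part of the runner docs. It builds the combined bundle (system CAs plus the internal CA, since `SSL_CERT_FILE` replaces the default bundle), rejects a truncated PEM file before anything points at it, runs the two checks the page suggests, and persists the variable for the runner service. The paths (`/etc/ssl/certs/ca-certificates.crt`, `/extra/ca/cert.pem`, `/opt/actions-runner`) and the host `https://myghes.example` are assumptions; the `.env` file is runner behaviour relied on here, not something stated above.

```shell
#!/bin/sh
# Added example (not from the runner docs): assemble a CA bundle for the runner on
# Linux and check it with the tools the page suggests.
# Assumed paths: /etc/ssl/certs/ca-certificates.crt (system bundle on Debian/Ubuntu;
# RHEL uses /etc/pki/tls/certs/ca-bundle.crt), /extra/ca/cert.pem (internal CA),
# /opt/actions-runner (runner directory), https://myghes.example (GHES host).

# A file with unbalanced BEGIN/END markers (typically a truncated copy) is not a
# usable bundle; catch it before the runner is pointed at it.
pem_is_wellformed() {
  begins=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true)
  ends=$(grep -c -- '-----END CERTIFICATE-----' "$1" || true)
  [ "$begins" -gt 0 ] && [ "$begins" -eq "$ends" ]
}

# SSL_CERT_FILE replaces OpenSSL's default bundle rather than adding to it, so the
# file must carry the public CAs as well as the internal one. A newline is forced
# between the two inputs so an END marker without a trailing newline cannot run
# into the next BEGIN marker.
build_bundle() {
  system=$1; extra=$2; out=$3
  pem_is_wellformed "$system" || { echo "malformed PEM: $system" >&2; return 1; }
  pem_is_wellformed "$extra" || { echo "malformed PEM: $extra" >&2; return 1; }
  { cat "$system"; echo; cat "$extra"; } > "$out"
  pem_is_wellformed "$out"
}

# Run the two checks from the page with the bundle exported only for that command,
# so a bad bundle cannot break the rest of the shell session.
verify_bundle() {
  bundle=$1; url=$2
  SSL_CERT_FILE=$bundle curl -sS -o /dev/null "$url" && echo "curl: trusted"
  SSL_CERT_FILE=$bundle pwsh -Command "Invoke-WebRequest -Uri $url | Out-Null" && echo "pwsh: trusted"
}

# Make the setting survive restarts: the runner loads KEY=VALUE lines from a .env
# file in its directory at startup (assumed runner behaviour; check the runner docs).
persist_for_runner() {
  bundle=$1; runner_dir=$2
  printf 'SSL_CERT_FILE=%s\n' "$bundle" >> "$runner_dir/.env"
}

# Usage on a real machine:
#   build_bundle /etc/ssl/certs/ca-certificates.crt /extra/ca/cert.pem /opt/actions-runner/ca-bundle.pem
#   verify_bundle /opt/actions-runner/ca-bundle.pem https://myghes.example
#   persist_for_runner /opt/actions-runner/ca-bundle.pem /opt/actions-runner   # then restart the runner
```

Keep the bundle outside the system CA directory: distribution updates rewrite the system bundle, so rebuild yours (rerun `build_bundle`) whenever the system bundle changes, or the runner will keep using stale public CAs.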
Git uses different CA bundle files depending on your operating system.
You can check which CA file Git uses by running:
```shell
export GIT_CURL_VERBOSE=1
git ls-remote https://github.com/actions/runner HEAD
```
You should see something like:
```
* Couldn't find host github.com in the .netrc file; using defaults
*   Trying 140.82.114.4...
* TCP_NODELAY set
* Connected to github.com (140.82.114.4) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/cert.pem
  CApath: none
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
```
The `CAfile` line shows that Git (through libcurl) reads its trusted CA certificates from `/etc/ssl/cert.pem` on this machine.
To let Git trust your CA certificate, you will need to:
- Save the CA certificate to a `.pem` file.
- Set the `http.sslCAInfo` Git config or the `GIT_SSL_CAINFO` environment variable to the full path of the `.pem` file (Git doc: https://git-scm.com/docs/git-config#Documentation/git-config.txt-httpsslCAInfo).
`http.sslCAInfo` is the better choice, since it can be scoped to just the hosts that need the extra trusted CA.
Ex: `git config --global http.https://myghes.com/.sslCAInfo /extra/ca/cert.pem`
This makes Git use `/extra/ca/cert.pem` only when communicating with `https://myghes.com`, and keep using the default CA bundle for everything else. The scoped file is used instead of the default bundle for matching URLs, so it must contain the complete chain (intermediates and root) for that host.
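The per-host scoping described above, as an added example that is not part of the runner docs. It sets `http.<url>.sslCAInfo` for one URL prefix, then asks Git (via `git config --get-urlmatch`) which CA file applies to a GHES URL versus a public GitHub URL, and includes the `GIT_CURL_VERBOSE` probe from the page as a live check. The values `https://myghes.example/` and `/extra/ca/cert.pem` are assumptions; the functions take a config file path so the demo does not touch `~/.gitconfig` unless you pass it.

```shell
#!/bin/sh
# Added example (not from the runner docs): scope the extra CA to the GHES host via
# http.<url>.sslCAInfo and confirm which CA file Git picks for a given URL.
# Assumed values: https://myghes.example/ (GHES), /extra/ca/cert.pem (its CA chain).
# $3 is the config file to edit; pass ~/.gitconfig for the same effect as --global.

# Set the CA file for one URL prefix only; other hosts keep the default bundle.
git_trust_host() {
  url=$1; cafile=$2; cfg=$3
  git config --file "$cfg" "http.$url.sslCAInfo" "$cafile"
}

# Ask Git which sslCAInfo value applies to a URL (the longest matching prefix wins).
# Prints "(default bundle)" when no scoped or global value matches.
git_cafile_for() {
  url=$1; cfg=$2
  git config --file "$cfg" --get-urlmatch http.sslCAInfo "$url" 2>/dev/null \
    || echo "(default bundle)"
}

# Live check (needs network): the CAfile/CApath lines libcurl reports for a clone URL.
# GIT_CURL_VERBOSE=1 writes the handshake details to stderr, which is what we keep.
git_show_cafile() {
  GIT_CURL_VERBOSE=1 git ls-remote "$1" HEAD 2>&1 >/dev/null | grep -E 'CAfile|CApath'
}

# Usage:
#   git_trust_host https://myghes.example/ /extra/ca/cert.pem ~/.gitconfig
#   git_cafile_for https://myghes.example/org/repo.git ~/.gitconfig   # -> /extra/ca/cert.pem
#   git_cafile_for https://github.com/actions/runner ~/.gitconfig     # -> (default bundle)
#   git_show_cafile https://myghes.example/org/repo.git
```

Because the scoped value replaces the default bundle for matching URLs, `/extra/ca/cert.pem` must hold the whole chain for the GHES host; the unscoped `GIT_SSL_CAINFO` variable applies that replacement to every host, which is why a file containing only the internal CA breaks clones from github.com when set that way.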
Node.js ships with a compiled-in snapshot of the Mozilla CA store, frozen at the time each Node.js version was released.
To let Node.js trust your CA certificate, you will need to:
- Save the CA certificate to a `.pem` file.
- Set the environment variable `NODE_EXTRA_CA_CERTS` to point to that file, ex: `export NODE_EXTRA_CA_CERTS=/full/path/to/cacert.pem` or `set NODE_EXTRA_CA_CERTS=C:\full\path\to\cacert.pem`.
The extra certificates are added on top of the built-in store, so the file only needs your own CA, and the variable is read once at process startup, so it must be set before Node.js starts.