If a GitHub Actions workflow tries to check out a repository from a URL with a self-signed certificate or a certificate signed by a non-trusted certificate authority (CA), you will get this error:
request to <URL> failed, reason: self signed certificate in certificate chain
In this note I will show how to fix the self-signed certificate error in GitHub Actions by adding trusted CA certificates.
Self-Signed Certificate in GitHub Actions
If you use GitHub Actions with self-hosted runners, you can resolve the “self signed certificate in certificate chain” error by starting the runner with the NODE_EXTRA_CA_CERTS environment variable set to the path of a file with the CA certificates, for example:
$ cd /opt/github/actions-runner/2.289.3/
$ export NODE_EXTRA_CA_CERTS="/etc/pki/ca-trust/source/anchors/org-ca.crt"
$ ./run.sh
If you have configured the self-hosted runner application as a service, the NODE_EXTRA_CA_CERTS environment variable can be set in the service file as follows:
$ vi /etc/systemd/system/actions.runner._services.hostname.service
$ cat /etc/systemd/system/actions.runner._services.hostname.service
[Unit]
Description=GitHub Actions Runner (_services.hostname)
After=network.target

[Service]
ExecStart=/opt/github/actions-runner/2.289.3/runsvc.sh
WorkingDirectory=/opt/github/actions-runner/2.289.3
KillMode=process
KillSignal=SIGTERM
TimeoutStopSec=5min
Environment="NODE_EXTRA_CA_CERTS=/etc/pki/ca-trust/source/anchors/org-ca.crt"

[Install]
WantedBy=multi-user.target
$ systemctl daemon-reload
$ systemctl restart actions.runner._services.hostname.service
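A preflight check for the service configuration above, as an added example that is not part of the original note: it reads the NODE_EXTRA_CA_CERTS path out of a unit file and checks that the file is readable, holds complete PEM certificate blocks, carries no private key and is not world-writable. The names check_runner_ca and demo are hypothetical, and the demo files are constructed.

```shell
#!/bin/sh
# Added example (not from the original note): preflight check of the CA file
# that a runner service unit hands to Node.js via NODE_EXTRA_CA_CERTS.
check_runner_ca() {
    unit=$1
    [ -r "$unit" ] || { echo "unit file not readable: $unit"; return 2; }
    # Read the path from Environment="NODE_EXTRA_CA_CERTS=..." (quotes optional,
    # one variable per Environment= line assumed); the last assignment wins.
    ca=$(sed -n 's/^Environment="\{0,1\}NODE_EXTRA_CA_CERTS=\([^" ]*\).*$/\1/p' "$unit" | tail -n 1)
    [ -n "$ca" ] || { echo "NODE_EXTRA_CA_CERTS not set in $unit"; return 3; }
    [ -r "$ca" ] || { echo "CA file missing or unreadable: $ca"; return 4; }
    # The file must hold complete PEM certificate blocks.
    begins=$(grep -c -- '^-----BEGIN CERTIFICATE-----' "$ca" || true)
    ends=$(grep -c -- '^-----END CERTIFICATE-----' "$ca" || true)
    if [ "$begins" -eq 0 ] || [ "$begins" -ne "$ends" ]; then
        echo "no complete PEM certificate in $ca (BEGIN=$begins END=$ends)"; return 5
    fi
    # A trust anchor file needs public certificates only.
    if grep -q -- 'PRIVATE KEY-----' "$ca"; then
        echo "private key material found in $ca"; return 6
    fi
    # Anyone who can write this file can add a CA that the runner will trust.
    if [ -n "$(find -L "$ca" -perm -002 2>/dev/null)" ]; then
        echo "$ca is world-writable"; return 7
    fi
    echo "ok: $begins certificate(s) in $ca"
}

# Demo on constructed input (placeholder PEM body, not a real certificate).
demo() {
    d=$(mktemp -d) || return 1
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'Q09OU1RSVUNURUQ=' \
        '-----END CERTIFICATE-----' > "$d/org-ca.crt"
    chmod 644 "$d/org-ca.crt"
    printf '[Service]\nEnvironment="NODE_EXTRA_CA_CERTS=%s"\n' "$d/org-ca.crt" > "$d/runner.service"
    check_runner_ca "$d/runner.service"; rc=$?
    rm -rf "$d"
    return "$rc"
}
demo
```

The check covers the shape and permissions of the file only; whether the server's chain actually validates against it can be tested by passing the same file to openssl s_client with the -CAfile option.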
Server and CA certificates can be retrieved using this command:
$ echo | openssl s_client -showcerts -servername example.tld -connect example.tld:443