Error: unable to get local issuer certificate
Justin-JHG opened this issue · 10 comments
Describe the bug
Getting above error when running action version 3
running exact same action with v2.0.1 has no error
Desktop (please complete the following information):
- OS: [windows]
- Browser [Edge]
- Version [server 2016]
no one maintaining this repo anymore ?
Sorry for the delay in actioning this @Justin-JHG
Can you please let us know some more information about where you are receiving this error?
Self-hosted or Github runner?
Where is the Octopus server that it is connecting to located, internal network or public facing endpoint?
Are you able to provide a debug log from a failed run?
hi @benPearce1
thank you for the reply
Can you please let us know some more information about where you are receiving this error?
Self-hosted or Github runner?
- self-hosted windows server 2016 runner
Where is the Octopus server that it is connecting to located, internal network or public facing endpoint?
- hosted on AWS EC2 but only visible in internal network
Are you able to provide a debug log from a failed run?
- not sure where to get the debug log but I have attached the error for your review, thanks
@Justin-JHG thanks for the reply.
I assume since the Octopus Server is internally facing only, then it is using a self-signed certificate on the API.
It appears that you are running into the same issue that we have on our Azure Devops extension. They both use the same underlying client library.
At this stage we don't have a fix and are not planning to provide an SSL workaround, can you please try importing the self-signed certificate from the Octopus Server to the Trusted Root Certification Authorities store on the server hosting the Github Actions runner.
This article might help with this - https://techcommunity.microsoft.com/t5/windows-server-essentials-and/installing-a-self-signed-certificate-as-a-trusted-root-ca-in/ba-p/396105
The debug logs can be obtained by re-running a previous job and ticking Enable debug logging
thank you @benPearce1
yes we did get exact same error in our Azure DevOps pipeline as well when running latest task for Create Release and Deploy Release.
just wondering if you not planning to fix the ssl error, can you help to update create-release-action@v2.0.1 to fix the following:
we will just use v2 instead as that one works for us.
I tried to import the certificate and still getting same error, debug log as following
```
##[debug]Evaluating condition for step: 'Create a release in Octopus Deploy'
##[debug]Evaluating: success()
##[debug]Evaluating success:
##[debug]=> true
##[debug]Result: true
##[debug]Starting: Create a release in Octopus Deploy
##[debug]Loading inputs
##[debug]Evaluating: vars.OCTOPUS_CHANNEL
##[debug]Evaluating Index:
##[debug]..Evaluating vars:
##[debug]..=> Object
##[debug]..Evaluating String:
##[debug]..=> 'OCTOPUS_CHANNEL'
##[debug]=> 'PCR-Channel-Test'
##[debug]Result: 'PCR-Channel-Test'
##[debug]Evaluating: needs.build.outputs.build_number
##[debug]Evaluating Index:
##[debug]..Evaluating Index:
##[debug]....Evaluating Index:
##[debug]......Evaluating needs:
##[debug]......=> Object
##[debug]......Evaluating String:
##[debug]......=> 'build'
##[debug]....=> Object
##[debug]....Evaluating String:
##[debug]....=> 'outputs'
##[debug]..=> Object
##[debug]..Evaluating String:
##[debug]..=> 'build_number'
##[debug]=> '20230421.162805-azure-pipeline-GA'
##[debug]Result: '20230421.162805-azure-pipeline-GA'
##[debug]Loading env
Run OctopusDeploy/create-release-action@v3.0.5
  with:
    project: PCR
    space: PA Suite
    channel: PCR-Channel-Test
    release_number: 20230421.162805-azure-pipeline-GA
    ignore_existing: false
  env:
    SOLUTION_FILE_PATH: ./Services
    BUILD_CONFIGURATION: Release
    OCTOPUS_API_KEY: ***
    OCTOPUS_URL: https://jhgsvrmeltfsb01.jhg.com.au/
    OCTOPUS_SPACE: PA Suite
Error: Error: unable to get local issuer certificate
##[debug]Node Action run completed with exit code 1
##[debug]Finishing: Create a release in Octopus Deploy
```
@Justin-JHG there are two possible workarounds that will avoid the SSL error you are seeing in the v3 action.
- Setting the environment variable NODE_TLS_REJECT_UNAUTHORIZED to 0 (zero) will stop the node process from validating the certs. This makes all connections between the runner and your Octopus Server insecure and is not recommended.
- Exporting the Octopus Server certificate to a PEM file and setting the environment variable NODE_EXTRA_CA_CERTS to the path to the file should also allow the runner to connect to an endpoint with a self-signed certificate.
hi @benPearce1
thank you, just wondering where to add the environment variable? is that the variable for repo for the github actions?
tried to add NODE_TLS_REJECT_UNAUTHORIZED and still got same error?
The variable would need to be on the worker machine as a system variable, or at least scoped to the user that the agent is running under.
hi @benPearce1
thank you, unfortunately adding env variable still getting same error
another thing I'm wondering is that when I try to browse the Octopus server from the runner it didn't report any issue with certificate. just wondering why the github action cannot find it
I think this is due to differences in the way that the browser handles certificates vs node.
As far as I know, node doesn't look at the certificates added to the machine.
After adding the NODE_TLS_REJECT_UNAUTHORIZED environment variable to the user profile or system variables, did you restart the runner?