Error: unable to get local issuer certificate

Question

Error: unable to get local issuer certificate

Justin-JHG opened this issue a year ago · comments

Describe the bug
Getting above error when running action verson 3
running exact same action with v2.0.1 has no error

Desktop (please complete the following information):

OS: [windows]
Browser [Edge]
Version [server 2016]

Smartphone (please complete the following information):

Device: [e.g. iPhone6]
OS: [e.g. iOS8.1]
Browser [e.g. stock browser, safari]
Version [e.g. 22]

Additional context
Add any other context about the problem here.

Justin Liu · Answer 1 · Tue Apr 18 2023 07:43:21 GMT+0800 (China Standard Time)

no one maintaining this repo anymore ?

Ben Pearce · Answer 2 · Thu Apr 20 2023 08:38:33 GMT+0800 (China Standard Time)

Sorry for the delay in actioning this @Justin-JHG

Can you please let us know some more information about where you are receiving this error?
Self-hosted or Github runner?
Where is the Octopus server that it is connecting to located, internal network or public facing endpoint?
Are you able to provide a debug log from a failed run?

Justin Liu · Answer 3 · Fri Apr 21 2023 08:42:23 GMT+0800 (China Standard Time)

hi @benPearce1

thank you for the reply

Can you please let us know some more information about where you are receiving this error?
Self-hosted or Github runner?

self-hosted windows server 2016 runner

Where is the Octopus server that it is connecting to located, internal network or public facing endpoint?

hosted on AWS EC2 but only visible in internel network

Are you able to provide a debug log from a failed run?

not sure where to get the debug log but I have attached the error for your reivew, thanks

Ben Pearce · Answer 4 · Fri Apr 21 2023 12:43:14 GMT+0800 (China Standard Time)

@Justin-JHG thanks for the reply.

I assume since the Octopus Server is internally facing only, then it is using a self-signed certificate on the API.

It appears that you are running into the same issue that we have on our Azure Devops extension. They both use the same underlying client library.

At this stage we don't have a fix and are not planning to provide an SSL workaround, can you please try importing the self-signed certificate from the Octopus Server to the Trusted Root Certification Authorities store on the server hosting the Github Actions runner.
This article might help with this - https://techcommunity.microsoft.com/t5/windows-server-essentials-and/installing-a-self-signed-certificate-as-a-trusted-root-ca-in/ba-p/396105

The debug logs can be obtained by re-running a previous job and ticking Enable debug logging

Justin Liu · Answer 5 · Fri Apr 21 2023 14:39:50 GMT+0800 (China Standard Time)

thank you @benPearce1

yes we did get exact same error in our Azure DevOps pipeline as well when running latest task for Create Release and Deploy Release.

just wondering if you not planning to fix the ssl error, can you help to udpate create-release-action@v2.0.1 to fix the following:

we will just use v2 instead as that one works for us.

I tried to import the certificate and still getting same error, debug log as following

##[debug]Evaluating condition for step: '🔸 Create a release in Octopus Deploy 🐙' ##[debug]Evaluating: success() ##[debug]Evaluating success: ##[debug]=> true ##[debug]Result: true ##[debug]Starting: 🔸 Create a release in Octopus Deploy 🐙 ##[debug]Loading inputs ##[debug]Evaluating: vars.OCTOPUS_CHANNEL ##[debug]Evaluating Index: ##[debug]..Evaluating vars: ##[debug]..=> Object ##[debug]..Evaluating String: ##[debug]..=> 'OCTOPUS_CHANNEL' ##[debug]=> 'PCR-Channel-Test' ##[debug]Result: 'PCR-Channel-Test' ##[debug]Evaluating: needs.build.outputs.build_number ##[debug]Evaluating Index: ##[debug]..Evaluating Index: ##[debug]....Evaluating Index: ##[debug]......Evaluating needs: ##[debug]......=> Object ##[debug]......Evaluating String: ##[debug]......=> 'build' ##[debug]....=> Object ##[debug]....Evaluating String: ##[debug]....=> 'outputs' ##[debug]..=> Object ##[debug]..Evaluating String: ##[debug]..=> 'build_number' ##[debug]=> '[2](https://github.com/johnhollandgroup/dev-src-pcr/actions/runs/4762100550/jobs/8464004982#step:3:2)02[3](https://github.com/johnhollandgroup/dev-src-pcr/actions/runs/4762100550/jobs/8464004982#step:3:3)0[4](https://github.com/johnhollandgroup/dev-src-pcr/actions/runs/4762100550/jobs/8464004982#step:3:4)21.16280[5](https://github.com/johnhollandgroup/dev-src-pcr/actions/runs/4762100550/jobs/8464004982#step:3:5)-azure-pipeline-GA' ##[debug]Result: '20230421.1[6](https://github.com/johnhollandgroup/dev-src-pcr/actions/runs/4762100550/jobs/8464004982#step:3:6)2[8](https://github.com/johnhollandgroup/dev-src-pcr/actions/runs/4762100550/jobs/8464004982#step:3:8)05-azure-pipeline-GA' ##[debug]Loading env Run OctopusDeploy/create-release-action@v3.0.5 with: project: PCR space: PA Suite channel: PCR-Channel-Test release_number: 20230421.[16](https://github.com/johnhollandgroup/dev-src-pcr/actions/runs/4762100550/jobs/8464004982#step:3:16)[28](https://github.com/johnhollandgroup/dev-src-pcr/actions/runs/4762100550/jobs/8464004982#step:3:28)05-azure-pipeline-GA ignore_existing: false env: SOLUTION_FILE_PATH: ./Services BUILD_CONFIGURATION: Release OCTOPUS_API_KEY: *** OCTOPUS_URL: https://jhgsvrmeltfsb01.jhg.com.au/ OCTOPUS_SPACE: PA Suite Error: Error: unable to get local issuer certificate ##[debug]Node Action run completed with exit code 1 ##[debug]Finishing: 🔸 Create a release in Octopus Deploy 🐙

Ben Pearce · Answer 6 · Mon Apr 24 2023 09:52:58 GMT+0800 (China Standard Time)

@Justin-JHG there are two possible workarounds that will avoid the SSL error you are seeing in the v3 action.

Setting the environment variable NODE_TLS_REJECT_UNAUTHORIZED to 0 (zero) will stop the node process from validating the certs. This makes all connections between the runner and your Octopus Server insecure and is not recommended.

Exporting the Octopus Server certificate to a PEM file and setting the environment variable NODE_EXTRA_CA_CERTS to the path to the file should also allow the runner to connect to an endpoint with a self-signed certificate.

Justin Liu · Answer 7 · Wed Apr 26 2023 08:35:50 GMT+0800 (China Standard Time)

hi @benPearce1
thank you, just wondering where to add the environement variable? is that the variable for repo for the github actions?

tried to add NODE_TLS_REJECT_UNAUTHORIZED and still got same error?

Ben Pearce · Answer 8 · Wed Apr 26 2023 08:51:26 GMT+0800 (China Standard Time)

The variable would need to be on the worker machine as a system variable, or at least scoped to the user that the agent is running under.

Justin Liu · Answer 9 · Wed Apr 26 2023 09:42:30 GMT+0800 (China Standard Time)

hi @benPearce1
thank you, unfortunetaly adding env variable still getting same error

another thing I'm wondering is that when I try to browse the Octopus server from the runner it didn't report any issue with certificate. just wondering why the github action cannot find it

Ben Pearce · Answer 10 · Fri Apr 28 2023 06:56:14 GMT+0800 (China Standard Time)

I think this is due to differences in the way that the browser handles certificates vs node.
As far as I know, node doesn't look at the certificates added to the machine.

After adding the NODE_TLS_REJECT_UNAUTHORIZED environment variable to the user profile or system variables, did you restart the runner?