[GH-ISSUE #721] Issue: helm login/push yields x509: certificate signed by unknown authority with google artifact registry #454

Closed
opened 2026-03-01 21:43:33 +03:00 by kerem · 9 comments
Owner

Originally created by @ekallevig on GitHub (Jun 4, 2021).
Original GitHub issue: https://github.com/nektos/act/issues/721

Act version

act version 0.2.22-14-g8a9167d
commit 8a9167da82
using nektos/act-environments-ubuntu:18.04 runner

Expected behaviour

When running either `helm registry login...` or `helm chart push` with the google artifact registry (us-east1-docker.pkg.dev), it should succeed normally.

Actual behaviour

When running either `helm registry login...` or `helm chart push` with the google artifact registry (us-east1-docker.pkg.dev), it fails with the message:

```
Error logging in to v2 endpoint, trying next endpoint: Get "https://us-east1-docker.pkg.dev/v2/": x509: certificate signed by unknown authority
| Error: Get "https://us-east1-docker.pkg.dev/v2/": x509: certificate signed by unknown authority
| helm.go:81: [debug] Get "https://us-east1-docker.pkg.dev/v2/": x509: certificate signed by unknown authority
```

These same helm commands work fine on the local host machine (macos) as well as on the remote github actions runner (ubuntu 18.04). It seems like there's something off with the certificate store specifically on the act runner?

Workflow and/or repository

```none
- name: package, and deploy helm chart
  run: |
    export HELM_EXPERIMENTAL_OCI=1
    helm registry login -u _json_key_base64 -p ${{ steps.secrets.outputs.GCP_AR_KEY }} us-east1-docker.pkg.dev
    helm chart save ./charts/chart-name us-east1-docker.pkg.dev/chart-name
    helm chart push us-east1-docker.pkg.dev/chart-name:0.0.4
```

@catthehacker commented on GitHub (Jun 4, 2021):

Image has not been updated since February 2020, please use more recent image or update it yourself.
https://github.com/nektos/act/blob/master/IMAGES.md


@ekallevig commented on GitHub (Jun 4, 2021):

Thanks for your reply. By update do you mean running something like `sudo apt-get upgrade` and generating a new image?


@ekallevig commented on GitHub (Jun 4, 2021):

@catthehacker I've tried this with `catthehacker/ubuntu:act-latest` which was updated 13 days ago and I still get the same certificate error.


@catthehacker commented on GitHub (Jun 4, 2021):

Can you try running `sudo update-ca-certificates` before failing step?


@ekallevig commented on GitHub (Jun 4, 2021):

I have tried that and it doesn't add any certs (same resulting error). I think this may be caused by the fact that I need to be on my company's VPN, which changes the cert issuer from Google to my company. Thinking I need to somehow install my company's ca cert in the runner store but I'm not sure where to get the cert and how it should be installed.

I've tried doing it this way without success:

1. export my company's root CA file (ie. `Company Root CA.pem`) from Keychain Access (macos)
2. convert cert file to .crt format
   ```
   openssl x509 -outform der -in Company\ Root\ CA.pem -out compnay-root-ca.crt
   ```
3. copying the cert into the runner and attempting to install it
   ```
   sudo apt-get install ca-certificates -y
   sudo cp ./company-root-ca.crt /usr/local/share/ca-certificates
   sudo update-ca-certificates
   ```

I'm not clear on:

* if that's the right certificate that is needed in the runner (or do I download the certificate that is sent when making a request to the domain?)
* if that's the correct way to install the cert

@ekallevig commented on GitHub (Jun 4, 2021):

I've managed to solve the issue. I was slightly off on the method for exporting the company root ca file.

1. find cert in keychain access (macos), right click and 'export' in .pem format
2. rename file from .pem to .crt
3. create a runner image with the .crt file included or add a step like this to copy file and install
   ```
   - name: Install company root ca cert for local vpn runs
     id: install-ca-cert
     if: ${{ env.ACT }}
     run: |
       sudo cp ./company-root-ca.crt /usr/local/share/ca-certificates
       sudo update-ca-certificates
   ```
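
An added example, not part of the original thread and not code from act: a preflight check for the failure mode worked through above, where the `-outform der` conversion produced a file the runner did not import while the PEM export renamed to `.crt` did. The function names, return codes and sample file names are assumptions made for this example; it relies on `update-ca-certificates` importing only PEM files named `*.crt`.

```shell
#!/usr/bin/env bash
# Added example (hypothetical helper names): preflight for a CA file before
# it is handed to update-ca-certificates, which imports PEM files named *.crt.

# Returns 0 ok, 1 missing file, 2 name is not *.crt, 3 no PEM block (DER?).
check_ca_file() {
  ca_file="$1"
  [ -f "$ca_file" ] || { echo "missing: $ca_file" >&2; return 1; }
  case "$ca_file" in
    *.crt) ;;
    *) echo "skipped by update-ca-certificates, rename to .crt: $ca_file" >&2
       return 2 ;;
  esac
  # grep -c prints 0 and exits 1 on no match, hence the || true.
  pem_blocks=$(grep -c -e '-----BEGIN CERTIFICATE-----' "$ca_file" || true)
  if [ "$pem_blocks" -eq 0 ]; then
    echo "no PEM block, looks like DER or other binary: $ca_file" >&2
    return 3
  fi
  return 0
}

# Print subject, issuer and SHA-256 fingerprint so the fingerprint can be
# compared with the one published by the CA's owner before it is trusted.
show_ca_identity() {
  openssl x509 -in "$1" -noout -subject -issuer -fingerprint -sha256
}

# Check, show, then install into the runner's trust store.
install_ca() {
  check_ca_file "$1" || return $?
  show_ca_identity "$1" || return 4
  sudo cp "$1" /usr/local/share/ca-certificates/ && sudo update-ca-certificates
}

# Constructed sample files (not real certificates) for trying check_ca_file.
make_samples() {
  printf '%s\n' '-----BEGIN CERTIFICATE-----' 'Q09OU1RSVUNURUQ=' \
    '-----END CERTIFICATE-----' > "$1/renamed-pem.crt"
  printf '\060\202\001\012' > "$1/der-converted.crt"   # DER usually starts 0x30 0x82
  cp "$1/renamed-pem.crt" "$1/export.pem"
}
```

In a workflow step, `install_ca ./company-root-ca.crt` would replace the bare `cp` and `update-ca-certificates` pair, so a wrongly encoded or wrongly named file fails the step with a reason instead of being silently ignored.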
    

@orcutt989 commented on GitHub (Jul 20, 2021):

I am having the same issue, but with running Pulumi from within the container. I have no special network configuration and this action works fine on GitHub.


@catthehacker commented on GitHub (Jul 20, 2021):

@orcutt989 please create new issue


@catthehacker commented on GitHub (Jul 20, 2021):

Locking conversation here since the issue wasn't really a fault of `act` nor image, but a company certificate which we have no way of pulling nor detecting.
For anyone finding that issue as related to theirs, please create a new one and fill required information.
