starred/act
1
0
Fork 0
mirror of https://github.com/nektos/act.git synced 2026-04-26 01:15:51 +03:00
Code Issues 289 Projects Releases 5 Packages Wiki Activity

[GH-ISSUE #1878] ::error:: self signed certificate in certificate chain #910

New issue
Closed
opened 2026-03-01 21:47:22 +03:00 by kerem · 8 comments
kerem commented 2026-03-01 21:47:22 +03:00
Owner
Copy link

Originally created by @merlinpaypal on GitHub (Jun 23, 2023).
Original GitHub issue: https://github.com/nektos/act/issues/1878

Bug report info

act version:            0.2.46
GOOS:                   darwin
GOARCH:                 arm64
NumCPU:                 10
Docker host:            DOCKER_HOST environment variable is not set
Sockets found:
        /var/run/docker.sock
        $HOME/.docker/run/docker.sock
Config files:           
        /Users/mepatterson/.actrc:
                --container-architecture linux/amd64
                -P ubuntu-latest=catthehacker/ubuntu:act-latest
                -P ubuntu-22.04=catthehacker/ubuntu:act-22.04
                -P ubuntu-20.04=catthehacker/ubuntu:act-20.04
                -P ubuntu-18.04=catthehacker/ubuntu:act-18.04
Build info:
        Go version:            go1.20.4
        Module path:           command-line-arguments
        Main version:          
        Main path:             
        Main checksum:         
        Build settings:
                -buildmode:           exe
                -compiler:            gc
                -ldflags:             -X main.version=0.2.46
                CGO_ENABLED:          1
                CGO_CFLAGS:           
                CGO_CPPFLAGS:         
                CGO_CXXFLAGS:         
                CGO_LDFLAGS:          
                GOARCH:               arm64
                GOOS:                 darwin
Docker Engine:
        Engine version:        24.0.2
        Engine runtime:        runc
        Cgroup version:        2
        Cgroup driver:         cgroupfs
        Storage driver:        overlay2
        Registry URI:          https://index.docker.io/v1/
        OS:                    Docker Desktop
        OS type:               linux
        OS version:            
        OS arch:               aarch64
        OS kernel:             5.15.49-linuxkit-pr
        OS CPU:                5
        OS memory:             7851 MB
        Security options:
                name=seccomp,profile=builtin
                name=cgroupns

Command used with act

act -j lintAndUnit

Describe issue

Erroring out with ::error::self signed certificate in certificate chain on a fairly simple step of actions/setup-node@v3.

I've turned off any VPN that I was using and I still get this same issue. I also disabled setting NODE_EXTRA_CA_CERTS. Though I wouldn't expect that to affect this runner either.

Link to GitHub repository

https://github.com/paypal/paypal-messaging-components/blob/develop/.github/workflows/core.yml

Workflow content

name: Lint, Unit, Non-snapshot tests
on:
    # allow for manual triggers
    workflow_dispatch: {}
    workflow_call: {}
    push:
        branches:
            - develop
    pull_request: {}

jobs:
    lintAndUnit:
        name: Lint and Unit Tests
        runs-on: ubuntu-latest
        steps:
            - name: Checkout repo
              uses: actions/checkout@v3
              with:
                  persist-credentials: false

            - name: Setup node
              uses: actions/setup-node@v1
              with:
                  node-version: 14

            - name: 📥 Download deps
              uses: bahmutov/npm-install@v1
              with:
                  useLockFile: false

            - name: Lint
              run: npm run lint

            - name: Unit Tests
              run: npm run test

    functionalNonSnapshot:
        name: Functional Non-Snapshot Tests
        runs-on: ubuntu-latest
        steps:
            - name: Checkout repo
              uses: actions/checkout@v3
              with:
                  persist-credentials: false

            - name: Setup node
              uses: actions/setup-node@v1
              with:
                  node-version: 14

            - name: 📥 Download deps
              uses: bahmutov/npm-install@v1
              with:
                  useLockFile: false

            - name: Run server
              run: ./.github/scripts/runServer.sh

            - name: Functional Non-Snapshot Tests
              run: npm run test:func:nosnaps

Relevant log output

[Lint, Unit, Non-snapshot tests/Lint and Unit Tests] 🚀  Start image=catthehacker/ubuntu:act-latest
[Lint, Unit, Non-snapshot tests/Lint and Unit Tests]   🐳  docker pull image=catthehacker/ubuntu:act-latest platform=linux/amd64 username= forcePull=true
[Lint, Unit, Non-snapshot tests/Lint and Unit Tests]   🐳  docker create image=catthehacker/ubuntu:act-latest platform=linux/amd64 entrypoint=["tail" "-f" "/dev/null"] cmd=[]
[Lint, Unit, Non-snapshot tests/Lint and Unit Tests]   🐳  docker run image=catthehacker/ubuntu:act-latest platform=linux/amd64 entrypoint=["tail" "-f" "/dev/null"] cmd=[]
[Lint, Unit, Non-snapshot tests/Lint and Unit Tests]   ☁  git clone 'https://github.com/actions/setup-node' # ref=v3
[Lint, Unit, Non-snapshot tests/Lint and Unit Tests]   ☁  git clone 'https://github.com/bahmutov/npm-install' # ref=v1
[Lint, Unit, Non-snapshot tests/Lint and Unit Tests] ⭐ Run Main Checkout repo
[Lint, Unit, Non-snapshot tests/Lint and Unit Tests]   🐳  docker cp src=/Users/mepatterson/code/messaging-components/. dst=/Users/mepatterson/code/messaging-components
[Lint, Unit, Non-snapshot tests/Lint and Unit Tests]   ✅  Success - Main Checkout repo
[Lint, Unit, Non-snapshot tests/Lint and Unit Tests] ⭐ Run Main Setup node
[Lint, Unit, Non-snapshot tests/Lint and Unit Tests]   🐳  docker cp src=/Users/mepatterson/.cache/act/actions-setup-node@v3/ dst=/var/run/act/actions/actions-setup-node@v3/
[Lint, Unit, Non-snapshot tests/Lint and Unit Tests]   🐳  docker exec cmd=[node /var/run/act/actions/actions-setup-node@v3/dist/setup/index.js] user= workdir=
| Resolved .nvmrc as 16
[Lint, Unit, Non-snapshot tests/Lint and Unit Tests]   💬  ::debug::isExplicit: 
[Lint, Unit, Non-snapshot tests/Lint and Unit Tests]   💬  ::debug::explicit? false
[Lint, Unit, Non-snapshot tests/Lint and Unit Tests]   💬  ::debug::isExplicit: 16.20.0
[Lint, Unit, Non-snapshot tests/Lint and Unit Tests]   💬  ::debug::explicit? true
[Lint, Unit, Non-snapshot tests/Lint and Unit Tests]   💬  ::debug::evaluating 0 versions
[Lint, Unit, Non-snapshot tests/Lint and Unit Tests]   💬  ::debug::match not found
| Attempting to download 16...
[Lint, Unit, Non-snapshot tests/Lint and Unit Tests]   💬  ::debug::No manifest cached
[Lint, Unit, Non-snapshot tests/Lint and Unit Tests]   💬  ::debug::Getting manifest from actions/node-versions@main
| self signed certificate in certificate chain
[Lint, Unit, Non-snapshot tests/Lint and Unit Tests]   💬  ::debug::Error: self signed certificate in certificate chain%0A    at TLSSocket.onConnectSecure (node:_tls_wrap:1539:34)%0A    at TLSSocket.emit (node:events:513:28)%0A    at TLSSocket._finishInit (node:_tls_wrap:953:8)%0A    at TLSWrap.ssl.onhandshakedone (node:_tls_wrap:734:12)
| Falling back to download directly from Node
[Lint, Unit, Non-snapshot tests/Lint and Unit Tests]   ❗  ::error::self signed certificate in certificate chain
[Lint, Unit, Non-snapshot tests/Lint and Unit Tests]   ❌  Failure - Main Setup node
[Lint, Unit, Non-snapshot tests/Lint and Unit Tests] exitcode '1': failure
[Lint, Unit, Non-snapshot tests/Lint and Unit Tests] 🏁  Job failed
Error: Job 'Lint and Unit Tests' failed

Additional information

.actrc file

--container-architecture linux/amd64
-P ubuntu-latest=catthehacker/ubuntu:act-latest
-P ubuntu-22.04=catthehacker/ubuntu:act-22.04
-P ubuntu-20.04=catthehacker/ubuntu:act-20.04
-P ubuntu-18.04=catthehacker/ubuntu:act-18.04
Originally created by @merlinpaypal on GitHub (Jun 23, 2023). Original GitHub issue: https://github.com/nektos/act/issues/1878 ### Bug report info ```plain text act version: 0.2.46 GOOS: darwin GOARCH: arm64 NumCPU: 10 Docker host: DOCKER_HOST environment variable is not set Sockets found: /var/run/docker.sock $HOME/.docker/run/docker.sock Config files: /Users/mepatterson/.actrc: --container-architecture linux/amd64 -P ubuntu-latest=catthehacker/ubuntu:act-latest -P ubuntu-22.04=catthehacker/ubuntu:act-22.04 -P ubuntu-20.04=catthehacker/ubuntu:act-20.04 -P ubuntu-18.04=catthehacker/ubuntu:act-18.04 Build info: Go version: go1.20.4 Module path: command-line-arguments Main version: Main path: Main checksum: Build settings: -buildmode: exe -compiler: gc -ldflags: -X main.version=0.2.46 CGO_ENABLED: 1 CGO_CFLAGS: CGO_CPPFLAGS: CGO_CXXFLAGS: CGO_LDFLAGS: GOARCH: arm64 GOOS: darwin Docker Engine: Engine version: 24.0.2 Engine runtime: runc Cgroup version: 2 Cgroup driver: cgroupfs Storage driver: overlay2 Registry URI: https://index.docker.io/v1/ OS: Docker Desktop OS type: linux OS version: OS arch: aarch64 OS kernel: 5.15.49-linuxkit-pr OS CPU: 5 OS memory: 7851 MB Security options: name=seccomp,profile=builtin name=cgroupns ``` ### Command used with act ```sh act -j lintAndUnit ``` ### Describe issue Erroring out with `::error::self signed certificate in certificate chain` on a fairly simple step of `actions/setup-node@v3`. I've turned off any VPN that I was using and I still get this same issue. I also disabled setting `NODE_EXTRA_CA_CERTS`. Though I wouldn't expect that to affect this runner either. ### Link to GitHub repository https://github.com/paypal/paypal-messaging-components/blob/develop/.github/workflows/core.yml ### Workflow content ```yml name: Lint, Unit, Non-snapshot tests on: # allow for manual triggers workflow_dispatch: {} workflow_call: {} push: branches: - develop pull_request: {} jobs: lintAndUnit: name: Lint and Unit Tests runs-on: ubuntu-latest steps: - name: Checkout repo uses: actions/checkout@v3 with: persist-credentials: false - name: Setup node uses: actions/setup-node@v1 with: node-version: 14 - name: 📥 Download deps uses: bahmutov/npm-install@v1 with: useLockFile: false - name: Lint run: npm run lint - name: Unit Tests run: npm run test functionalNonSnapshot: name: Functional Non-Snapshot Tests runs-on: ubuntu-latest steps: - name: Checkout repo uses: actions/checkout@v3 with: persist-credentials: false - name: Setup node uses: actions/setup-node@v1 with: node-version: 14 - name: 📥 Download deps uses: bahmutov/npm-install@v1 with: useLockFile: false - name: Run server run: ./.github/scripts/runServer.sh - name: Functional Non-Snapshot Tests run: npm run test:func:nosnaps ``` ### Relevant log output ```sh [Lint, Unit, Non-snapshot tests/Lint and Unit Tests] 🚀 Start image=catthehacker/ubuntu:act-latest [Lint, Unit, Non-snapshot tests/Lint and Unit Tests] 🐳 docker pull image=catthehacker/ubuntu:act-latest platform=linux/amd64 username= forcePull=true [Lint, Unit, Non-snapshot tests/Lint and Unit Tests] 🐳 docker create image=catthehacker/ubuntu:act-latest platform=linux/amd64 entrypoint=["tail" "-f" "/dev/null"] cmd=[] [Lint, Unit, Non-snapshot tests/Lint and Unit Tests] 🐳 docker run image=catthehacker/ubuntu:act-latest platform=linux/amd64 entrypoint=["tail" "-f" "/dev/null"] cmd=[] [Lint, Unit, Non-snapshot tests/Lint and Unit Tests] ☁ git clone 'https://github.com/actions/setup-node' # ref=v3 [Lint, Unit, Non-snapshot tests/Lint and Unit Tests] ☁ git clone 'https://github.com/bahmutov/npm-install' # ref=v1 [Lint, Unit, Non-snapshot tests/Lint and Unit Tests] ⭐ Run Main Checkout repo [Lint, Unit, Non-snapshot tests/Lint and Unit Tests] 🐳 docker cp src=/Users/mepatterson/code/messaging-components/. dst=/Users/mepatterson/code/messaging-components [Lint, Unit, Non-snapshot tests/Lint and Unit Tests] ✅ Success - Main Checkout repo [Lint, Unit, Non-snapshot tests/Lint and Unit Tests] ⭐ Run Main Setup node [Lint, Unit, Non-snapshot tests/Lint and Unit Tests] 🐳 docker cp src=/Users/mepatterson/.cache/act/actions-setup-node@v3/ dst=/var/run/act/actions/actions-setup-node@v3/ [Lint, Unit, Non-snapshot tests/Lint and Unit Tests] 🐳 docker exec cmd=[node /var/run/act/actions/actions-setup-node@v3/dist/setup/index.js] user= workdir= | Resolved .nvmrc as 16 [Lint, Unit, Non-snapshot tests/Lint and Unit Tests] 💬 ::debug::isExplicit: [Lint, Unit, Non-snapshot tests/Lint and Unit Tests] 💬 ::debug::explicit? false [Lint, Unit, Non-snapshot tests/Lint and Unit Tests] 💬 ::debug::isExplicit: 16.20.0 [Lint, Unit, Non-snapshot tests/Lint and Unit Tests] 💬 ::debug::explicit? true [Lint, Unit, Non-snapshot tests/Lint and Unit Tests] 💬 ::debug::evaluating 0 versions [Lint, Unit, Non-snapshot tests/Lint and Unit Tests] 💬 ::debug::match not found | Attempting to download 16... [Lint, Unit, Non-snapshot tests/Lint and Unit Tests] 💬 ::debug::No manifest cached [Lint, Unit, Non-snapshot tests/Lint and Unit Tests] 💬 ::debug::Getting manifest from actions/node-versions@main | self signed certificate in certificate chain [Lint, Unit, Non-snapshot tests/Lint and Unit Tests] 💬 ::debug::Error: self signed certificate in certificate chain%0A at TLSSocket.onConnectSecure (node:_tls_wrap:1539:34)%0A at TLSSocket.emit (node:events:513:28)%0A at TLSSocket._finishInit (node:_tls_wrap:953:8)%0A at TLSWrap.ssl.onhandshakedone (node:_tls_wrap:734:12) | Falling back to download directly from Node [Lint, Unit, Non-snapshot tests/Lint and Unit Tests] ❗ ::error::self signed certificate in certificate chain [Lint, Unit, Non-snapshot tests/Lint and Unit Tests] ❌ Failure - Main Setup node [Lint, Unit, Non-snapshot tests/Lint and Unit Tests] exitcode '1': failure [Lint, Unit, Non-snapshot tests/Lint and Unit Tests] 🏁 Job failed Error: Job 'Lint and Unit Tests' failed ``` ### Additional information .actrc file ``` --container-architecture linux/amd64 -P ubuntu-latest=catthehacker/ubuntu:act-latest -P ubuntu-22.04=catthehacker/ubuntu:act-22.04 -P ubuntu-20.04=catthehacker/ubuntu:act-20.04 -P ubuntu-18.04=catthehacker/ubuntu:act-18.04 ```
kerem 2026-03-01 21:47:22 +03:00
kerem commented 2026-03-01 21:47:23 +03:00
Author
Owner
Copy link

@github-actions[bot] commented on GitHub (Dec 21, 2023):

Issue is stale and will be closed in 14 days unless there is new activity

<!-- gh-comment-id:1865300281 --> @github-actions[bot] commented on GitHub (Dec 21, 2023): Issue is stale and will be closed in 14 days unless there is new activity
kerem commented 2026-03-01 21:47:23 +03:00
Author
Owner
Copy link

@dingo-d commented on GitHub (Feb 22, 2024):

I have the same thing

bug report output:

act version:            0.2.59
GOOS:                   darwin
GOARCH:                 arm64
NumCPU:                 10
Docker host:            unix:///Users/dzoljom/.colima/default/docker.sock
Sockets found:
	$HOME/.colima/docker.sock
Config files:
	/Users/dzoljom/Library/Application Support/act/actrc:
		-P ubuntu-latest=catthehacker/ubuntu:act-latest
		-P ubuntu-22.04=catthehacker/ubuntu:act-22.04
		-P ubuntu-20.04=catthehacker/ubuntu:act-20.04
		-P ubuntu-18.04=catthehacker/ubuntu:act-18.04
Build info:
	Go version:            go1.21.6
	Module path:           command-line-arguments
	Main version:
	Main path:
	Main checksum:
	Build settings:
		-buildmode:           exe
		-compiler:            gc
		-ldflags:             -X main.version=0.2.59
		DefaultGODEBUG:       panicnil=1
		CGO_ENABLED:          1
		CGO_CFLAGS:
		CGO_CPPFLAGS:
		CGO_CXXFLAGS:
		CGO_LDFLAGS:
		GOARCH:               arm64
		GOOS:                 darwin
Docker Engine:
	Engine version:        24.0.9
	Engine runtime:        runc
	Cgroup version:        2
	Cgroup driver:         systemd
	Storage driver:        overlay2
	Registry URI:          https://index.docker.io/v1/
	OS:                    Ubuntu 23.10
	OS type:               linux
	OS version:            23.10
	OS arch:               aarch64
	OS kernel:             6.5.0-15-generic
	OS CPU:                2
	OS memory:             1895 MB
	Security options:
		name=apparmor
		name=seccomp,profile=builtin
		name=cgroupns

The problem is that I am running act on a company laptop that inspects the TLS connections in the corporate network, so original certificates are replaced by the company ones.

How do I add the company CA to my root CA that will be passed to act?

The bizzare thing is, when I exec into the container created by act

cbe1fd82d5dc   catthehacker/ubuntu:act-latest   "tail -f /dev/null"   3 minutes ago   Up 3 minutes             act-Continuous-integration-checks-Syntax-errors-checks-8107544da945bdaf257e405c888977a9c013e14f50edbf39d04e06d933c87ea6

I can run the composer just fine 🤷🏼‍♂️

I tried running the command act -j phpcs --container-architecture linux/amd64 --container-options "-v /etc/ssl/certs:/etc/ssl/certs:ro" but I'm still getting the same error.

<!-- gh-comment-id:1958889643 --> @dingo-d commented on GitHub (Feb 22, 2024): I have the same thing bug report output: ```bash act version: 0.2.59 GOOS: darwin GOARCH: arm64 NumCPU: 10 Docker host: unix:///Users/dzoljom/.colima/default/docker.sock Sockets found: $HOME/.colima/docker.sock Config files: /Users/dzoljom/Library/Application Support/act/actrc: -P ubuntu-latest=catthehacker/ubuntu:act-latest -P ubuntu-22.04=catthehacker/ubuntu:act-22.04 -P ubuntu-20.04=catthehacker/ubuntu:act-20.04 -P ubuntu-18.04=catthehacker/ubuntu:act-18.04 Build info: Go version: go1.21.6 Module path: command-line-arguments Main version: Main path: Main checksum: Build settings: -buildmode: exe -compiler: gc -ldflags: -X main.version=0.2.59 DefaultGODEBUG: panicnil=1 CGO_ENABLED: 1 CGO_CFLAGS: CGO_CPPFLAGS: CGO_CXXFLAGS: CGO_LDFLAGS: GOARCH: arm64 GOOS: darwin Docker Engine: Engine version: 24.0.9 Engine runtime: runc Cgroup version: 2 Cgroup driver: systemd Storage driver: overlay2 Registry URI: https://index.docker.io/v1/ OS: Ubuntu 23.10 OS type: linux OS version: 23.10 OS arch: aarch64 OS kernel: 6.5.0-15-generic OS CPU: 2 OS memory: 1895 MB Security options: name=apparmor name=seccomp,profile=builtin name=cgroupns ``` The problem is that I am running `act` on a company laptop that inspects the TLS connections in the corporate network, so original certificates are replaced by the company ones. How do I add the company CA to my root CA that will be passed to `act`? The bizzare thing is, when I exec into the container created by act ```bash cbe1fd82d5dc catthehacker/ubuntu:act-latest "tail -f /dev/null" 3 minutes ago Up 3 minutes act-Continuous-integration-checks-Syntax-errors-checks-8107544da945bdaf257e405c888977a9c013e14f50edbf39d04e06d933c87ea6 ``` I can run the composer just fine 🤷🏼‍♂️ I tried running the command `act -j phpcs --container-architecture linux/amd64 --container-options "-v /etc/ssl/certs:/etc/ssl/certs:ro"` but I'm still getting the same error.
kerem commented 2026-03-01 21:47:23 +03:00
Author
Owner
Copy link

@jonmajorc commented on GitHub (Apr 12, 2024):

I know the issue is stale, but am hoping one of you found a solution to your problem and wouldn't mind posting back here! I am also on a company laptop and suspect the same issue.

<!-- gh-comment-id:2052025205 --> @jonmajorc commented on GitHub (Apr 12, 2024): I know the issue is stale, but am hoping one of you found a solution to your problem and wouldn't mind posting back here! I am also on a company laptop and suspect the same issue.
kerem commented 2026-03-01 21:47:23 +03:00
Author
Owner
Copy link

@dingo-d commented on GitHub (Apr 15, 2024):

I had to ping my IT department to allow certain URLs, there was no other way.

<!-- gh-comment-id:2055678482 --> @dingo-d commented on GitHub (Apr 15, 2024): I had to ping my IT department to allow certain URLs, there was no other way.
kerem commented 2026-03-01 21:47:23 +03:00
Author
Owner
Copy link

@mileserickson commented on GitHub (Aug 7, 2024):

I'm experiencing the same issue on a corporate machine that has Netskope.

INFO[0000] Using docker host 'unix:///Users/miles/.colima/default/docker.sock', and daemon socket 'unix:///Users/miles/.colima/default/docker.sock' 
[Deploy/deploy] 🚀  Start image=catthehacker/ubuntu:act-latest
[Deploy/deploy]   🐳  docker pull image=catthehacker/ubuntu:act-latest platform=linux/amd64 username= forcePull=true
[Deploy/deploy]   🐳  docker create image=catthehacker/ubuntu:act-latest platform=linux/amd64 entrypoint=["tail" "-f" "/dev/null"] cmd=[] network="host"
[Deploy/deploy]   🐳  docker run image=catthehacker/ubuntu:act-latest platform=linux/amd64 entrypoint=["tail" "-f" "/dev/null"] cmd=[] network="host"
[Deploy/deploy]   🐳  docker exec cmd=[node --no-warnings -e console.log(process.execPath)] user= workdir=
[Deploy/deploy]   ☁  git clone 'https://github.com/actions/setup-python' # ref=v2
[Deploy/deploy] Non-terminating error while running 'git clone': some refs were not updated
[Deploy/deploy] ⭐ Run Main Checkout code
[Deploy/deploy]   🐳  docker cp src=/Users/miles/work/github.com/Tractor-Supply-EA/athena-servers/. dst=/Users/miles/work/github.com/Tractor-Supply-EA/athena-servers
[Deploy/deploy]   ✅  Success - Main Checkout code
[Deploy/deploy] ⭐ Run Main Set up Python
[Deploy/deploy]   🐳  docker cp src=/Users/miles/.cache/act/actions-setup-python@v2/ dst=/var/run/act/actions/actions-setup-python@v2/
[Deploy/deploy]   🐳  docker exec cmd=[/opt/acttoolcache/node/18.20.4/x64/bin/node /var/run/act/actions/actions-setup-python@v2/dist/setup/index.js] user= workdir=
[Deploy/deploy]   💬  ::debug::Semantic version spec of 3.x is 3.x
[Deploy/deploy]   💬  ::debug::isExplicit: 
[Deploy/deploy]   💬  ::debug::explicit? false
[Deploy/deploy]   💬  ::debug::evaluating 0 versions
[Deploy/deploy]   💬  ::debug::match not found
| Version 3.x was not found in the local cache
[Deploy/deploy]   ❗  ::error::self-signed certificate in certificate chain
[Deploy/deploy]   ❌  Failure - Main Set up Python
[Deploy/deploy] exitcode '1': failure
[Deploy/deploy] 🏁  Job failed
Error: Job 'deploy' failed

Has anyone found a workaround?

<!-- gh-comment-id:2273623860 --> @mileserickson commented on GitHub (Aug 7, 2024): I'm experiencing the same issue on a corporate machine that has Netskope. ``` INFO[0000] Using docker host 'unix:///Users/miles/.colima/default/docker.sock', and daemon socket 'unix:///Users/miles/.colima/default/docker.sock' [Deploy/deploy] 🚀 Start image=catthehacker/ubuntu:act-latest [Deploy/deploy] 🐳 docker pull image=catthehacker/ubuntu:act-latest platform=linux/amd64 username= forcePull=true [Deploy/deploy] 🐳 docker create image=catthehacker/ubuntu:act-latest platform=linux/amd64 entrypoint=["tail" "-f" "/dev/null"] cmd=[] network="host" [Deploy/deploy] 🐳 docker run image=catthehacker/ubuntu:act-latest platform=linux/amd64 entrypoint=["tail" "-f" "/dev/null"] cmd=[] network="host" [Deploy/deploy] 🐳 docker exec cmd=[node --no-warnings -e console.log(process.execPath)] user= workdir= [Deploy/deploy] ☁ git clone 'https://github.com/actions/setup-python' # ref=v2 [Deploy/deploy] Non-terminating error while running 'git clone': some refs were not updated [Deploy/deploy] ⭐ Run Main Checkout code [Deploy/deploy] 🐳 docker cp src=/Users/miles/work/github.com/Tractor-Supply-EA/athena-servers/. dst=/Users/miles/work/github.com/Tractor-Supply-EA/athena-servers [Deploy/deploy] ✅ Success - Main Checkout code [Deploy/deploy] ⭐ Run Main Set up Python [Deploy/deploy] 🐳 docker cp src=/Users/miles/.cache/act/actions-setup-python@v2/ dst=/var/run/act/actions/actions-setup-python@v2/ [Deploy/deploy] 🐳 docker exec cmd=[/opt/acttoolcache/node/18.20.4/x64/bin/node /var/run/act/actions/actions-setup-python@v2/dist/setup/index.js] user= workdir= [Deploy/deploy] 💬 ::debug::Semantic version spec of 3.x is 3.x [Deploy/deploy] 💬 ::debug::isExplicit: [Deploy/deploy] 💬 ::debug::explicit? false [Deploy/deploy] 💬 ::debug::evaluating 0 versions [Deploy/deploy] 💬 ::debug::match not found | Version 3.x was not found in the local cache [Deploy/deploy] ❗ ::error::self-signed certificate in certificate chain [Deploy/deploy] ❌ Failure - Main Set up Python [Deploy/deploy] exitcode '1': failure [Deploy/deploy] 🏁 Job failed Error: Job 'deploy' failed ``` Has anyone found a workaround?
kerem commented 2026-03-01 21:47:23 +03:00
Author
Owner
Copy link

@ChristopherHX commented on GitHub (Aug 7, 2024):

@mileserickson node is ignoring the system cert store

I suggest to add env NODE_EXTRA_CA_CERTS to point to your cert bundle file

can be done via --env as well, if you put it into your repo dir depends on chevkoit beeing the first doing network stuff

so act --env NODE_EXTRA_CA_CERTS=/Users/miles/work/github.com/Tractor-Supply-EA/athena-servers/certs.pem

There is some env to skip tls validation in node as well, don't rember it as it is unsecure.

Tbh. you should create your own docker image with all the certs and that env and use --pull=false to use it

<!-- gh-comment-id:2273906555 --> @ChristopherHX commented on GitHub (Aug 7, 2024): @mileserickson node is ignoring the system cert store I suggest to add env `NODE_EXTRA_CA_CERTS` to point to your cert bundle file can be done via `--env` as well, if you put it into your repo dir depends on chevkoit beeing the first doing network stuff so `act --env NODE_EXTRA_CA_CERTS=/Users/miles/work/github.com/Tractor-Supply-EA/athena-servers/certs.pem` There is some env to skip tls validation in node as well, don't rember it as it is unsecure. Tbh. you should create your own docker image with all the certs and that env and use --pull=false to use it
kerem commented 2026-03-01 21:47:23 +03:00
Author
Owner
Copy link

@GeorgeGkinis commented on GitHub (Nov 22, 2024):

Thanks to @ChristopherHX I was able to run (insecurely) using:

act --env NODE_TLS_REJECT_UNAUTHORIZED=0
<!-- gh-comment-id:2494617685 --> @GeorgeGkinis commented on GitHub (Nov 22, 2024): Thanks to @ChristopherHX I was able to run (insecurely) using: ``` act --env NODE_TLS_REJECT_UNAUTHORIZED=0 ```
kerem commented 2026-03-01 21:47:23 +03:00
Author
Owner
Copy link

@kyluca commented on GitHub (Sep 24, 2025):

Ran into the same issue as above.

Took a while to figure out but the workaround I'm currently using is:

  1. Build a local image that includes the Netskope cert (assuming you already have it on your system)
  2. Tell act to use that in place of ubuntu-latest

Dockerfile

FROM catthehacker/ubuntu:act-latest

COPY certs/* /usr/local/share/ca-certificates/
RUN update-ca-certificates

# Unfortunately this setting is only available on Node 24.x
# ENV NODE_USE_SYSTEM_CA=1
# Update this filepath to your desired filename
ENV NODE_EXTRA_CA_CERTS=/usr/local/share/ca-certificates/nscacert.crt

Prepare the build context

mkdir certs
cp -r /usr/local/share/ca-certificates/* certs/

Build the image

docker build -f Dockerfile -t act-local .

Use it with act

act -P ubuntu-latest=act-local --pull=false
<!-- gh-comment-id:3326641029 --> @kyluca commented on GitHub (Sep 24, 2025): Ran into the same issue as above. Took a while to figure out but the workaround I'm currently using is: 1. Build a local image that includes the Netskope cert (assuming you already have it on your system) 2. Tell `act` to use that in place of `ubuntu-latest` ### Dockerfile ``` FROM catthehacker/ubuntu:act-latest COPY certs/* /usr/local/share/ca-certificates/ RUN update-ca-certificates # Unfortunately this setting is only available on Node 24.x # ENV NODE_USE_SYSTEM_CA=1 # Update this filepath to your desired filename ENV NODE_EXTRA_CA_CERTS=/usr/local/share/ca-certificates/nscacert.crt ``` ### Prepare the build context ``` mkdir certs cp -r /usr/local/share/ca-certificates/* certs/ ``` ### Build the image ``` docker build -f Dockerfile -t act-local . ``` ### Use it with act ``` act -P ubuntu-latest=act-local --pull=false ```
Sign in to join this conversation.
No Branch/Tag specified
Branches Tags
master
dependabot/go_modules/github.com/go-git/go-git/v5-5.18.0
dependabot/go_modules/dependencies-08815e2262
mergify/configuration-deprecated-update
dependabot/github_actions/dependencies-a3a104477f
chore/simplify-ci-and-makefile
dependabot/go_modules/golang.org/x/crypto-0.45.0
dependabot/go_modules/github.com/go-viper/mapstructure/v2-2.4.0
panekj/ci/improve-jobs
fix-skip-non-yaml-files-in-dir
normalize-pull-rebuild-flags
fix-no-recurse-by-default
2517-poor-error-for-incomplete-action-step
2472-make-use-new-action-cache-the-new-default-for-downloading-actions
act-tart
act-lxc
act-oidc
act-dind
avoid-slash-in-actor
dependabot/go_modules/github.com/docker/docker-26.1.4incompatible
meta-keep-filetime
local-repository-action-cache
pr-merger
update-docker-deps
follow_local_action_symlink
boltdb-lock-in-handler
use-socket-path
no-pull-no-rebuild
path-issues
fix/env
feat/podman
refactor/testdata
v0.2.87
v0.2.86
v0.2.85
v0.2.84
v0.2.83
v0.2.82
v0.2.81
v0.2.80
v0.2.79
v0.2.78
v0.2.77
v0.2.76
v0.2.75
v0.2.74
v0.2.73
v0.2.72
v0.2.71
v0.2.70
v0.2.69
v0.2.68
v0.2.67
v0.2.66
v0.2.65
v0.2.64
v0.2.63
v0.2.62
v0.2.61
v0.2.60
v0.2.59
v0.2.58
v0.2.57
v0.2.56
v0.2.55
v0.2.54
v0.2.53
v0.2.52
v0.2.51
v0.2.50
v0.2.49
v0.2.48
v0.2.47
v0.2.46
v0.2.45
v0.2.44
v0.2.43
v0.2.42
v0.2.41
v0.2.40
v0.2.39
v0.2.38
v0.2.37
v0.2.36
v0.2.35
v0.2.34
v0.2.33
v0.2.32
v0.2.31
v0.2.30
v0.2.29
v0.2.28
v0.2.27
v0.2.26
v0.2.25
v0.2.24
v0.2.23
v0.2.22
v0.2.21
v0.2.20
v0.2.19
v0.2.18
v0.2.17
v0.2.16
v0.2.15
v0.2.14
v0.2.13
v0.2.12
v0.2.11
v0.2.10
v0.2.9
v0.2.8
v0.2.7
v0.2.6
v0.2.5
v0.2.4
v0.2.3
v0.2.2
v0.2.1
v0.2.0
v0.1.3
v0.1.2
v0.1.1
v0.1.0
v0.0.5
v0.0.4
v0.0.3
v0.0.2
v0.0.1
Labels
Clear labels   
area/action

   
area/cli

   
area/docs

   
area/image

   
area/runner

   
area/workflow

   
backlog

   
confirmed/not-planned

   
kind/bug

   
kind/discussion

   
kind/external

   
kind/feature-request

   
kind/question

   
meta/duplicate

   
meta/invalid

   
meta/need-more-info

   
meta/resolved

   
meta/wontfix

   
meta/workaround

   
needs-work

   
pull-request

Mirrored from GitHub Pull Request

  
review/not-planned

   
size/M

   
size/XL

   
size/XXL

   
stale

   
stale-exempt
No labels
area/action
area/cli
area/docs
area/image
area/runner
area/workflow
backlog
confirmed/not-planned
kind/bug
kind/discussion
kind/external
kind/feature-request
kind/question
meta/duplicate
meta/invalid
meta/need-more-info
meta/resolved
meta/wontfix
meta/workaround
needs-work
pull-request
review/not-planned
size/M
size/XL
size/XXL
stale
stale-exempt
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference
starred/act#910
No description provided.