GitHub Actions: Self-Signed Certificate Error

 1 year ago
source link: https://www.shellhacks.com/github-actions-self-signed-certificate-error/

If a GitHub Actions workflow tries to check out a repository from a URL that presents a self-signed certificate, or a certificate signed by a certificate authority (CA) that the runner does not trust, you will get this error:

request to <URL> failed, reason: self signed certificate in certificate chain

In this note I will show how to fix the self-signed certificate error in GitHub Actions by adding trusted CA certificates.

Self-Signed Certificate in GitHub Actions

If you use GitHub Actions with self-hosted runners, you can resolve the “self signed certificate in certificate chain” error by starting the runner with the NODE_EXTRA_CA_CERTS environment variable that should point to a file with the CA certificates, for example:

$ cd /opt/github/actions-runner/2.289.3/
$ export NODE_EXTRA_CA_CERTS="/etc/pki/ca-trust/source/anchors/org-ca.crt"
$ ./run.sh

If you have configured the self-hosted runner application as a service, the NODE_EXTRA_CA_CERTS environment variable can be set in the service file as follows:

$ vi /etc/systemd/system/actions.runner._services.hostname.service
$ cat /etc/systemd/system/actions.runner._services.hostname.service
[Unit]
Description=GitHub Actions Runner (_services.hostname)
After=network.target

[Service]
ExecStart=/opt/github/actions-runner/2.289.3/runsvc.sh
WorkingDirectory=/opt/github/actions-runner/2.289.3
KillMode=process
KillSignal=SIGTERM
TimeoutStopSec=5min
Environment="NODE_EXTRA_CA_CERTS=/etc/pki/ca-trust/source/anchors/org-ca.crt"

[Install]
WantedBy=multi-user.target

$ systemctl daemon-reload
$ systemctl restart actions.runner._services.hostname.service

Server and CA certificates can be retrieved using this command:

$ echo | openssl s_client -showcerts -servername example.tld -connect example.tld:443
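
An added example (not from the original article): a preflight check for the file that NODE_EXTRA_CA_CERTS will point to. It is useful because Node.js only emits a warning when that file is missing or malformed, and because s_client prints whatever certificates the server presented. The function name check_ca_bundle is made up for this example, which assumes openssl, awk and mktemp are available on the runner.

```shell
#!/bin/sh
# Added example: returns 0 only if the bundle holds at least one certificate
# and every certificate in it is an unexpired CA certificate.
# check_ca_bundle is a hypothetical helper name, not part of the runner.
check_ca_bundle() (
    bundle=$1
    [ -r "$bundle" ] || { echo "FAIL: cannot read $bundle" >&2; exit 1; }

    work=$(mktemp -d) || exit 1
    trap 'rm -rf "$work"' EXIT

    # Split the PEM bundle into one file per certificate.
    awk -v dir="$work" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/cert" n ".pem" }
        out != ""                     { print > out }
        /-----END CERTIFICATE-----/   { close(out); out = "" }
    ' "$bundle"

    set -- "$work"/cert*.pem
    [ -e "$1" ] || { echo "FAIL: no PEM certificates in $bundle" >&2; exit 1; }

    rc=0
    for pem in "$@"; do
        subject=$(openssl x509 -in "$pem" -noout -subject 2>/dev/null) ||
            { echo "FAIL: unparsable certificate in $bundle" >&2; rc=1; continue; }
        # A trust anchor must be a CA certificate, not a server (leaf) certificate.
        openssl x509 -in "$pem" -noout -text | grep -q 'CA:TRUE' ||
            { echo "FAIL: not a CA certificate: $subject" >&2; rc=1; }
        # -checkend 0 exits non-zero when the certificate has already expired.
        openssl x509 -in "$pem" -noout -checkend 0 >/dev/null ||
            { echo "FAIL: expired: $subject" >&2; rc=1; }
        # Print the fingerprint so it can be compared with the value
        # obtained from the CA's owner through a separate channel.
        openssl x509 -in "$pem" -noout -fingerprint -sha256
    done
    exit "$rc"
)

# Run the check when a path is given, e.g.:
#   sh check-ca.sh /etc/pki/ca-trust/source/anchors/org-ca.crt
if [ "$#" -gt 0 ]; then
    check_ca_bundle "$1"
fi
```

Run it before starting or restarting the runner; a non-zero exit status means the file should not be used as a trust anchor as it stands.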
