@robertefreeman
Created March 11, 2021 13:18
Self-Signed for Runners

Runner configuration when using a self-signed certificate

Using self-signed certificates is not recommended due to the configuration required on the runner to support them. If you do need to use a self-signed certificate, you will need to configure the certificate on each runner.

The correct steps for configuring the self-signed certificate will depend on how it is generated, and the platforms and technologies used on your runners (which may validate the certificate in different ways).

Some tips for successfully configuring self-signed certificates are included below. These steps can be taken before or after registering the runner.

Install the certificate

You will need to install the certificate on each runner machine.

For example, on Debian:

> host_or_ip=my-ghes.com

> openssl s_client -showcerts -connect "$host_or_ip:443" </dev/null 2>/dev/null | openssl x509 -outform PEM >mycertfile.pem

> openssl x509 -in mycertfile.pem -inform PEM -out mycertfile.crt

> sudo mkdir -p /usr/share/ca-certificates/extra

> sudo cp mycertfile.crt /usr/share/ca-certificates/extra/

> sudo dpkg-reconfigure ca-certificates

> # The above command drops you into an interactive prompt. Select the certificate file using <SPACEBAR>, then press <ENTER> to complete the configuration.

Set environment variable for Node.js

Most actions are written in JavaScript and run using Node.js. Node.js does not use the system certificate store.

You need to set an environment variable for the runner process. For example:

NODE_EXTRA_CA_CERTS=/usr/share/ca-certificates/extra/mycertfile.crt

Environment variables are read when the self-hosted runner application starts, so you must set the environment variable before configuring or starting the self-hosted runner application. If your certificate configuration changes, you must restart the self-hosted runner application.

Using a .env file to set the environment variable

If setting environment variables is not practical, you can set the environment variables in a file named .env in the self-hosted runner application directory. For example, this might be necessary if you want to configure the runner application as a service under a system account. When the runner application starts, it reads the variables set in .env.

An example .env file is shown below:

NODE_EXTRA_CA_CERTS=/usr/share/ca-certificates/extra/mycertfile.crt
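
The openssl s_client step above saves whatever certificate the server presents, so it is worth comparing the installed file against a fingerprint obtained out of band before the runner relies on it. The script below is an added example, not part of the original gist; the function names and the pinned fingerprint argument are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the original gist): check that the certificate the
# runner's Node.js process will trust is the one you meant to install.
# Usage, once sourced: verify_runner_ca /path/to/runner/.env "$PINNED_FP"
# PINNED_FP is an assumption: a SHA-256 fingerprint obtained out of band,
# for example from the administrator of the GitHub Enterprise Server host.

# Reduce "sha256 Fingerprint=AB:CD:..." or "ab cd ..." to bare uppercase hex.
normalize_fp() {
    printf '%s' "$1" | sed -e 's/^.*=//' | tr -d ': \n' | tr 'a-f' 'A-F'
}

# Succeed only when both values are the same 64-digit SHA-256 fingerprint.
fp_matches() {
    a=$(normalize_fp "$1")
    b=$(normalize_fp "$2")
    case "$a" in
        ''|*[!0-9A-F]*) return 1 ;;
    esac
    [ "${#a}" -eq 64 ] && [ "$a" = "$b" ]
}

# Print the NODE_EXTRA_CA_CERTS value from a .env file.
# If the variable is assigned more than once, this script uses the last line.
env_ca_path() {
    sed -n 's/^NODE_EXTRA_CA_CERTS=//p' "$1" | tail -n 1
}

# Exit codes: 0 ok, 1 mismatch, 2 variable missing, 3 unreadable, 4 not a cert.
verify_runner_ca() {
    ca=$(env_ca_path "$1")
    [ -n "$ca" ] || { echo "NODE_EXTRA_CA_CERTS is not set in $1" >&2; return 2; }
    [ -r "$ca" ] || { echo "cannot read $ca" >&2; return 3; }
    actual=$(openssl x509 -in "$ca" -noout -fingerprint -sha256 2>/dev/null) || {
        echo "$ca is not a parseable certificate" >&2; return 4; }
    fp_matches "$actual" "$2" || { echo "fingerprint mismatch for $ca" >&2; return 1; }
}
```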

Configuring certificates for Docker containers

If you use Docker container actions or service containers in your workflows, you might also need to install the certificate in your Docker image in addition to setting the above environment variables.