Using self-signed certificates is not recommended due to the configuration required on the runner to support them. If you do need to use a self-signed certificate, you will need to configure the certificate on each runner.
The correct steps for configuring the self-signed certificate will depend on how it is generated, and the platforms and technologies used on your runners (which may validate the certificate in different ways).
Some tips for successfully configuring self-signed certificates are included below. These steps can be taken before or after registering the runner.
You will need to install the certificate on each runner machine.
For example, on Debian:
> host_or_ip=my-ghes.com
> openssl s_client -showcerts -connect "$host_or_ip:443" </dev/null 2>/dev/null | openssl x509 -outform PEM > mycertfile.pem
> openssl x509 -in mycertfile.pem -inform PEM -out mycertfile.crt
> sudo mkdir -p /usr/share/ca-certificates/extra
> sudo cp mycertfile.crt /usr/share/ca-certificates/extra/
> sudo dpkg-reconfigure ca-certificates
> # The above command drops you into an interactive prompt. Select the certificate file using <SPACEBAR>, then press <ENTER> to complete the configuration.
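The `openssl s_client` step above saves whatever certificate the network returns, so compare its SHA-256 fingerprint with one obtained out-of-band before adding it to the trust store. The following is an added example, not part of the original documentation; the function names are hypothetical, and the expected fingerprint is assumed to come from your GitHub Enterprise Server administrator.

```shell
#!/bin/sh
# Added example (hypothetical helper names): check a fetched certificate against
# a SHA-256 fingerprint obtained out-of-band before installing it as trusted.

# Strip any "sha256 Fingerprint=" prefix, colons and spaces; uppercase the hex.
normalize_fp() {
    printf '%s' "$1" | sed 's/^.*=//' | tr -d ': \n' | tr 'abcdef' 'ABCDEF'
}

# Print the normalized SHA-256 fingerprint of a PEM certificate file.
cert_fp() {
    out=$(openssl x509 -in "$1" -inform PEM -noout -fingerprint -sha256 2>/dev/null) || return 2
    normalize_fp "$out"
}

# Return 0 on match, 1 on mismatch, 2 on unusable input.
verify_cert_fp() {
    cert_file=$1
    expected=$(normalize_fp "$2")
    # A SHA-256 fingerprint is exactly 64 hex digits; reject anything else
    # so a truncated or mistyped value can never be accepted.
    case $expected in
        ''|*[!0-9A-F]*) echo "expected fingerprint is not hex" >&2; return 2 ;;
    esac
    if [ "${#expected}" -ne 64 ]; then
        echo "expected fingerprint is not 64 hex digits" >&2; return 2
    fi
    actual=$(cert_fp "$cert_file") || { echo "cannot parse $cert_file" >&2; return 2; }
    if [ "$actual" = "$expected" ]; then
        echo "fingerprint matches: $actual"; return 0
    fi
    echo "MISMATCH: certificate has $actual" >&2
    return 1
}

# Run directly as: sh verify_fp.sh mycertfile.pem "<fingerprint from your admin>"
if [ "$#" -eq 2 ]; then
    verify_cert_fp "$1" "$2"
fi
```

Run it between the `openssl s_client` fetch and the `cp` into `/usr/share/ca-certificates/extra/`, and stop if it does not return 0.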
Most actions are written in JavaScript and run using Node.js. Node.js does not use the system certificate store.
You need to set an environment variable for the runner process. For example:
NODE_EXTRA_CA_CERTS=/usr/share/ca-certificates/extra/mycertfile.crt
Environment variables are read when the self-hosted runner application starts, so you must set the environment variable before configuring or starting the self-hosted runner application. If your certificate configuration changes, you must restart the self-hosted runner application.
If setting environment variables is not practical, you can set the environment variables in a file named .env in the self-hosted runner application directory. For example, this might be necessary if you want to configure the runner application as a service under a system account. When the runner application starts, it reads the variables set in .env.
An example .env file is shown below:
NODE_EXTRA_CA_CERTS=/usr/share/ca-certificates/extra/mycertfile.crt
If you use Docker container actions or service containers in your workflows, you might also need to install the certificate in your Docker image in addition to setting the above environment variables.