Error: self-signed certificate in certificate chain #568

Closed
artem-shestakov opened this issue Jul 12, 2023 · 2 comments

@artem-shestakov

Hi!
My GitLab uses a self-signed certificate, and the plugin works only with NODE_TLS_REJECT_UNAUTHORIZED: 0 and plugin version 10.0.1. When I try to use the old plugin 10.0.1 or the new plugin 12.0.3 and the variables NODE_EXTRA_CA_CERTS=<path_to_CA_cert> or NODE_OPTIONS=--use-openssl-ca, I get the error self-signed certificate in certificate chain. When I use NODE_TLS_REJECT_UNAUTHORIZED: 0 and plugin 12.0.3, I get the same error too.

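| plugin | NODE_TLS_REJECT_UNAUTHORIZED | NODE_EXTRA_CA_CERTS | NODE_OPTIONS=--use-openssl-ca | Result |
|--------|------------------------------|---------------------|-------------------------------|--------|
| 10.0.1 | 0                            | No                  | No                            | Ok     |
| 10.0.1 | No                           | Yes                 | No                            | Error  |
| 10.0.1 | No                           | No                  | Yes                           | Error  |
| 12.0.3 | 0                            | No                  | No                            | Error  |
| 12.0.3 | No                           | Yes                 | No                            | Error  |
| 12.0.3 | No                           | No                  | Yes                           | Error  |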

Plugin version: 10.0.1 and 12.0.3
Container image: node:20.4.0

My GitLab CI pipeline with NODE_EXTRA_CA_CERTS:

  variables:
    NODE_EXTRA_CA_CERTS: /usr/local/share/ca-certificates/myca.crt
    GIT_SSL_CAINFO: /usr/local/share/ca-certificates/myca.crt
  image: node:20.4.0
  before_script:
    - echo | openssl s_client -servername <my_gitlab> -connect <gitlab_url>:443 |  sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > /usr/local/share/ca-certificates/myca.crt
  script:
    - npm install @semantic-release/[email protected] @semantic-release/[email protected]
    - npx semantic-release --generate-notes false --dry-run

or use NODE_OPTIONS=--use-openssl-ca

  variables:
    NODE_OPTIONS: --use-openssl-ca
    GIT_SSL_CAINFO: /usr/local/share/ca-certificates/myca.crt
  image: node:20.4.0
  before_script:
    - apt-get update && apt-get install -y --no-install-recommends git-core ca-certificates
    - echo | openssl s_client -servername <my_gitlab> -connect <gitlab_url>:443 |  sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > /usr/local/share/ca-certificates/myca.crt
    - update-ca-certificates
  script:
    - npm install @semantic-release/[email protected] @semantic-release/[email protected]
    - npx semantic-release --generate-notes false --dry-run

Error:

[9:22:17 AM] [semantic-release] › ✘  Failed step "verifyConditions" of plugin "@semantic-release/gitlab"
[9:22:17 AM] [semantic-release] › ℹ  Start step "verifyConditions" of plugin "@semantic-release/exec"
[9:22:17 AM] [semantic-release] › ✔  Completed step "verifyConditions" of plugin "@semantic-release/exec"
[9:22:17 AM] [semantic-release] › ✘  An error occurred while running semantic-release: RequestError: self-signed certificate in certificate chain
...
AggregateError: 
    RequestError: self-signed certificate in certificate chain
        at ClientRequest.<anonymous> (file:///builds/<my_project>/node_modules/got/dist/source/core/index.js:792:107)
    at file:///builds/<my_project>/node_modules/semantic-release/lib/plugins/pipeline.js:55:13
    at process.processTicksAndRejections (node:internal/process/task_queues:95:5)
    at async pluginsConfigAccumulator.<computed> [as verifyConditions] (file:///builds/<my_project>/node_modules/semantic-release/lib/plugins/index.js:87:11)
    at async run (file:///builds/<my_project>/node_modules/semantic-release/index.js:106:3)
    at async Module.default (file:///builds/<my_project>/node_modules/semantic-release/index.js:275:22)
    at async default (file:///builds/<my_project>/node_modules/semantic-release/cli.js:55:5) {
  errors: [
    RequestError: self-signed certificate in certificate chain
        at ClientRequest.<anonymous> (file:///builds/<my_project>/node_modules/got/dist/source/core/index.js:792:107)
        at Object.onceWrapper (node:events:627:26)
        at ClientRequest.emit (node:events:524:35)
        at TLSSocket.socketErrorListener (node:_http_client:495:9)
        at TLSSocket.emit (node:events:512:28)
        at emitErrorNT (node:internal/streams/destroy:151:8)
        at emitErrorCloseNT (node:internal/streams/destroy:116:3)
        at process.processTicksAndRejections (node:internal/process/task_queues:82:21)
        at TLSSocket.onConnectSecure (node:_tls_wrap:1627:34)
        at TLSSocket.emit (node:events:512:28)
        at TLSSocket._finishInit (node:_tls_wrap:1038:8)
        at ssl.onhandshakedone (node:_tls_wrap:824:12) {
      input: undefined,
      code: 'SELF_SIGNED_CERT_IN_CHAIN',
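
A check on the bundle that the `before_script` writes, added here as an example and not part of the original issue: `openssl s_client` without `-showcerts` prints only the server's leaf certificate, so the file passed to `NODE_EXTRA_CA_CERTS` may hold no CA certificate at all. The function names and the constructed demo CA and leaf (`gitlab.example.test`) are assumptions, and the `openssl` CLI (1.1.0 or later) is required.

```shell
# Added example (not from the issue): inspect a PEM bundle meant for NODE_EXTRA_CA_CERTS.
# Function names and the demo CA/leaf are constructed; requires the openssl CLI.

# Print how many certificates in bundle $1 are self-signed (candidate root CAs).
count_self_signed() (
  tmp=$(mktemp -d) || exit 2
  awk -v dir="$tmp" '
    /-----BEGIN CERTIFICATE-----/ { n++; out = sprintf("%s/cert%03d.pem", dir, n) }
    out != ""                     { print > out }
    /-----END CERTIFICATE-----/   { if (out != "") close(out); out = "" }
  ' "$1"
  count=0
  for f in "$tmp"/cert*.pem; do
    [ -e "$f" ] || continue
    subject=$(openssl x509 -in "$f" -noout -subject) || continue
    issuer=$(openssl x509 -in "$f" -noout -issuer) || continue
    # Subject equals issuer, and the signature verifies under its own key.
    if [ "${subject#subject=}" = "${issuer#issuer=}" ] &&
       openssl verify -CAfile "$f" "$f" >/dev/null 2>&1; then
      count=$((count + 1))
    fi
  done
  rm -rf "$tmp"
  echo "$count"
)

# Succeed only if bundle $1 alone anchors certificate $2 (-no-CApath: ignore system store).
bundle_trusts() {
  openssl verify -no-CApath -CAfile "$1" "$2" >/dev/null 2>&1
}

# Constructed sample data: a throwaway CA and a leaf it signs, written to dir $1.
make_demo_pki() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Constructed Demo CA" \
    -keyout "$1/ca.key" -out "$1/ca.pem" 2>/dev/null &&
  openssl req -newkey rsa:2048 -nodes -subj "/CN=gitlab.example.test" \
    -keyout "$1/leaf.key" -out "$1/leaf.csr" 2>/dev/null &&
  openssl x509 -req -in "$1/leaf.csr" -CA "$1/ca.pem" -CAkey "$1/ca.key" \
    -CAcreateserial -days 1 -out "$1/leaf.pem" 2>/dev/null
}

# Demo: a leaf-only bundle holds no root and anchors nothing; the CA file does.
demo() (
  d=$(mktemp -d) && make_demo_pki "$d" || exit 2
  echo "leaf-only: $(count_self_signed "$d/leaf.pem") root(s); CA file: $(count_self_signed "$d/ca.pem") root(s)"
  bundle_trusts "$d/leaf.pem" "$d/leaf.pem" || echo "leaf-only bundle is not a trust anchor"
  rm -rf "$d"
)
demo
```

In a pipeline, running `count_self_signed "$NODE_EXTRA_CA_CERTS"` after the `before_script` shows whether the file holds a root certificate; a result of 0 means it does not. A CA file provisioned out of band (for example baked into the runner image) avoids trusting whatever certificate the network returns during the job.
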
@fgreinacher
Contributor

@artem-shestakov I'd say this is a duplicate of #489. Not really much we can do on our end I'd say, sorry.

@artem-shestakov
Author

Oh sorry! My mistake. I will follow that issue #489
