github自托管动作跑步者git lfs失败x509证书由未知当局签署
我正在尝试创建一个在Windows Server自托管跑步者上运行的GitHub操作,并且我在结帐失败的LFS下载部分中,
我使用的
- uses: actions/checkout@v3
with:
lfs: true
是正常代码的结帐,但是当它到达时, LFS下载步骤我收到了很多有关X509:未知权限签署的证书的消息。
lfs:获取“ https://github-cloud.githubusercontent.com/alambic/details_changed_to_to_to_to_the_innecent”:x509:由Unknownionate签署的证书
自载的跑步者在一个范围内,是一个遇到的域名,该领域是询问自己的https https and and tockates https and tockates https and tockate https and tockats https and tockits https and inserts tockits https。链条中的证书,所以我猜想未知的权限是该证书,但我不知道该证书需要在哪里信任,以便一切正常工作。
证书由OS信任,并通过组策略安装在证书存储中,但是Git LFS似乎正在验证证书链与该链条分开,并且无论如何都会抱怨,因为证书是出乎意料的。
我看到的一个常见解决方案只是关闭SSL检查,但这就像是一个临时的骇客,而不是真正的解决方案。我希望这可以与所有安全性一起工作。
另外,这是在运行TeamCity的服务器上运行的,TeamCity GitHub配置能够从同一家服务器中使用LFS克隆回购,因此这些问题位于设置的GitHub Action Runner环境中。
I am trying to create a GitHub action that runs on a windows server self-hosted runner and I'm stuck on my checkout failing at the LFS download portion
I'm using
- uses: actions/checkout@v3
with:
lfs: true
The checkout for the normal code works fine, but when it gets to the LFS download step I get a lot of messages complaining about x509: certificate signed by unknown authority.
LFS: Get "https://github-cloud.githubusercontent.com/alambic/details_changed_to_protect_the_innocent": x509: certificate signed by unknown authority
The self-hosted runner is on a domain that is behind a firewall that interrogates https traffic and inserts its own certificate into the chain, so I'm guessing that the unknown authority is that certificate, but I don't know where that certificate needs to be trusted so that things work.
The certificate is trusted by the OS and is installed in the certificate store through a group policy, but it seems that git LFS is verifying the certificate chain separate from that and complains anyway because the certificate is unexpected.
A common solution I've seen floating around for things like this is just turn off SSL checking, but that feels like just a temporary hack and not a real solution. I would like for this to work with all security in place.
As an additional note, this is running on a server that is also running TeamCity, and the TeamCity GitHub config is able to clone repos with LFS from that same server, so these problems are just inside of the GitHub action runner environment that gets set up.
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(1)
由于防火墙仅将其证书插入HTTPS流量中,因此我能够使用SSH-KEY使事情正常工作。我添加了私钥作为秘密和公共密钥,用于仓库的部署密钥,现在一切正常。
Since the firewall only inserts its certificate into https traffic, I was able to get things working using an ssh-key. I added the private key as a secret and the public key to the repo's deploy keys, and now everything is working as expected.