Arm Runner authentication broken w/ .Net 6.0 & .Net 8.0 on Ubuntu 24.x, fixed with .Net 9.0. "The SSL connection could not be established, see inner exception." #3505
Description
The runner fails to authenticate with GitHub when using the arm runner in an Ubuntu 24.x based container. Logs indicate a "The remote certificate is invalid because of errors in the certificate chain: NotTimeValid" error. This appears to be due to arm32 Y2038 compatibility issues with the underlying Ubuntu/Debian operating systems moving to 64-bit time.
Fixes are in .Net 9.0, but will not be backported to .Net 8.0 as per dotnet/core#9285.
See:
dotnet/runtime#101444
dotnet/runtime#96460
dotnet/runtime#102410
Working patch (Just adjusting to use .Net 9.0):
satmandu#1
I requested a backport at dotnet/runtime#109161, but it's clear that this isn't going to happen and that for usage on newer Linux distributions on arm32, .Net 9.0 will be needed.
This is what I see:
docker@7f94f0525ad7:/$ /start.sh
--------------------------------------------------------------------------------
| ____ _ _ _ _ _ _ _ _ |
| / ___(_) |_| | | |_ _| |__ / \ ___| |_(_) ___ _ __ ___ |
| | | _| | __| |_| | | | | '_ \ / _ \ / __| __| |/ _ \| '_ \/ __| |
| | |_| | | |_| _ | |_| | |_) | / ___ \ (__| |_| | (_) | | | \__ \ |
| \____|_|\__|_| |_|\__,_|_.__/ /_/ \_\___|\__|_|\___/|_| |_|___/ |
| |
| Self-hosted runner registration |
| |
--------------------------------------------------------------------------------
# Authentication
The SSL connection could not be established, see inner exception.
An error occurred: Not configured. Run config.(sh/cmd) to configure the runner.
Runner listener exit with terminated error, stop the service, no retry needed.
Exiting runner...
docker@7f94f0525ad7:/$ cat start.sh
#!/bin/bash
ORGANIZATION=$ORGANIZATION
ACCESS_TOKEN=$ACCESS_TOKEN
cd /home/docker/actions-runner
export DOTNET_SYSTEM_NET_HTTP_USESOCKETSHTTPHANDLER=0
./config.sh --url https://github.com/${ORGANIZATION} --token ${ACCESS_TOKEN}
cleanup() {
echo "Removing runner..."
./config.sh remove --unattended --token ${ACCESS_TOKEN}
}
trap 'cleanup; exit 130' INT
trap 'cleanup; exit 143' TERM
./run.sh & wait $!
Digging in, I see this error when running ./config.sh --check --url https://github.com/${ORGANIZATION} --pat ${ACCESS_TOKEN} (with DOTNET_SYSTEM_NET_HTTP_USESOCKETSHTTPHANDLER=0 set):
docker@7f94f0525ad7:~/actions-runner$ ./config.sh --check --url https://github.com/${ORGANIZATION} --pat ${ACCESS_TOKEN}
**********************************************************************************************************************
** Check: Internet Connection
** Description: Check if the Actions runner has internet access.
**********************************************************************************************************************
** **
** F A I L **
** **
**********************************************************************************************************************
** Log: /home/docker/actions-runner/_diag/InternetCheck_20241011-161958-utc.log
** Help Doc: https://github.com/actions/runner/blob/main/docs/checks/internet.md
**********************************************************************************************************************
**********************************************************************************************************************
** Check: GitHub Actions Connection
** Description: Check if the Actions runner has access to the GitHub Actions service.
**********************************************************************************************************************
** **
** F A I L **
** **
**********************************************************************************************************************
** Log: /home/docker/actions-runner/_diag/ActionsCheck_20241011-161958-utc.log
** Help Doc: https://github.com/actions/runner/blob/main/docs/checks/actions.md
**********************************************************************************************************************
**********************************************************************************************************************
** Check: Git Certificate/Proxy Validation
** Description: Check if the Git CLI can access GitHub.com or GitHub Enterprise Server.
**********************************************************************************************************************
** **
** P A S S **
** **
**********************************************************************************************************************
** Log: /home/docker/actions-runner/_diag/GitCheck_20241011-161958-utc.log
**********************************************************************************************************************
Looking at one of these InternetCheck logs in more detail:
w/o DOTNET_SYSTEM_NET_HTTP_USESOCKETSHTTPHANDLER=0 set:
2024-10-11T16:28:15.9689744Z ***************************************************************************************************************
2024-10-11T16:28:15.9832297Z ***************************************************************************************************************
2024-10-11T16:28:15.9832694Z **** ****
2024-10-11T16:28:15.9832709Z **** Try DNS lookup for api.github.com
2024-10-11T16:28:15.9834863Z **** ****
2024-10-11T16:28:15.9834879Z ***************************************************************************************************************
2024-10-11T16:28:15.9899717Z Resolved DNS for api.github.com to '140.82.114.6'
2024-10-11T16:28:15.9886904Z ***************************************************************************************************************
2024-10-11T16:28:15.9886976Z **** ****
2024-10-11T16:28:15.9886990Z **** Try ping api.github.com
2024-10-11T16:28:15.9887121Z **** ****
2024-10-11T16:28:15.9887133Z ***************************************************************************************************************
2024-10-11T16:28:16.0345088Z Ping api.github.com (140.82.114.6) succeed within to '10 ms'
2024-10-11T16:28:15.9968608Z ***************************************************************************************************************
2024-10-11T16:28:15.9968695Z **** ****
2024-10-11T16:28:15.9968710Z **** Send HTTPS Request (GET) to https://api.github.com
2024-10-11T16:28:15.9968724Z **** ****
2024-10-11T16:28:15.9968735Z ***************************************************************************************************************
2024-10-11T16:28:16.0354893Z [START System.Net.Http - RequestStart]
2024-10-11T16:28:16.0365428Z https
2024-10-11T16:28:16.0365778Z api.github.com
2024-10-11T16:28:16.0365928Z 443
2024-10-11T16:28:16.0365961Z /
2024-10-11T16:28:16.0366030Z 1
2024-10-11T16:28:16.0366049Z 1
2024-10-11T16:28:16.0366071Z 0
2024-10-11T16:28:16.0366194Z [END System.Net.Http - RequestStart]
2024-10-11T16:28:16.0464598Z [START Private.InternalDiagnostics.System.Net.Http - HandlerMessage]
2024-10-11T16:28:16.0464944Z 63062333
2024-10-11T16:28:16.0464982Z 0
2024-10-11T16:28:16.0465014Z 0
2024-10-11T16:28:16.0465031Z .ctor
2024-10-11T16:28:16.0465047Z HttpConnectionPool https://api.github.com:443
2024-10-11T16:28:16.0465107Z [END Private.InternalDiagnostics.System.Net.Http - HandlerMessage]
2024-10-11T16:28:16.0510496Z [START Private.InternalDiagnostics.System.Net.Http - HandlerMessage]
2024-10-11T16:28:16.0510674Z 63062333
2024-10-11T16:28:16.0510712Z 0
2024-10-11T16:28:16.0510731Z 0
2024-10-11T16:28:16.0510749Z CheckForHttp11ConnectionInjection
2024-10-11T16:28:16.0510767Z Available HTTP/1.1 connections: 0, Requests in the queue: 1, Pending HTTP/1.1 connections: 0, Total associated HTTP/1.1 connections: 0, Max HTTP/1.1 connection limit: 2147483647.
2024-10-11T16:28:16.0510782Z [END Private.InternalDiagnostics.System.Net.Http - HandlerMessage]
2024-10-11T16:28:16.0513230Z [START Private.InternalDiagnostics.System.Net.Http - HandlerMessage]
2024-10-11T16:28:16.0513319Z 63062333
2024-10-11T16:28:16.0513354Z 0
2024-10-11T16:28:16.0513375Z 0
2024-10-11T16:28:16.0513392Z GetHttp11ConnectionAsync
2024-10-11T16:28:16.0513439Z No available HTTP/1.1 connections; request queued.
2024-10-11T16:28:16.0513457Z [END Private.InternalDiagnostics.System.Net.Http - HandlerMessage]
2024-10-11T16:28:16.0516660Z [START Private.InternalDiagnostics.System.Net.Http - HandlerMessage]
2024-10-11T16:28:16.0516837Z 63062333
2024-10-11T16:28:16.0516870Z 0
2024-10-11T16:28:16.0516889Z 0
2024-10-11T16:28:16.0516908Z AddHttp11ConnectionAsync
2024-10-11T16:28:16.0516928Z Creating new HTTP/1.1 connection for pool.
2024-10-11T16:28:16.0516943Z [END Private.InternalDiagnostics.System.Net.Http - HandlerMessage]
2024-10-11T16:28:16.0782091Z [START System.Net.Security - HandshakeStart]
2024-10-11T16:28:16.0782251Z False
2024-10-11T16:28:16.0782282Z api.github.com
2024-10-11T16:28:16.0782301Z [END System.Net.Security - HandshakeStart]
2024-10-11T16:28:16.0997788Z [START Private.InternalDiagnostics.System.Net.Security - SentFrame]
2024-10-11T16:28:16.0997995Z SslStream#41622463
2024-10-11T16:28:16.0998040Z Tls:ClientHello[288] TargetName='api.github.com' SupportedVersion='Tls, Tls12, Tls13' ApplicationProtocols='None'
2024-10-11T16:28:16.0998075Z 1
2024-10-11T16:28:16.0998091Z [END Private.InternalDiagnostics.System.Net.Security - SentFrame]
2024-10-11T16:28:16.1108168Z [START Private.InternalDiagnostics.System.Net.Security - SentFrame]
2024-10-11T16:28:16.1108338Z SslStream#41622463
2024-10-11T16:28:16.1108368Z Tls12:ChangeCipherSpec[1]
2024-10-11T16:28:16.1108399Z 0
2024-10-11T16:28:16.1108419Z [END Private.InternalDiagnostics.System.Net.Security - SentFrame]
2024-10-11T16:28:16.1321056Z [START Private.InternalDiagnostics.System.Net.Security - RemoteCertificate]
2024-10-11T16:28:16.1321470Z [Version]
2024-10-11T16:28:16.1321495Z V3
2024-10-11T16:28:16.1321509Z
2024-10-11T16:28:16.1321522Z [Subject]
2024-10-11T16:28:16.1321533Z CN=*.github.com
2024-10-11T16:28:16.1321543Z Simple Name: *.github.com
2024-10-11T16:28:16.1321552Z DNS Name: *.github.com
2024-10-11T16:28:16.1321658Z
2024-10-11T16:28:16.1321670Z [Issuer]
2024-10-11T16:28:16.1321680Z CN=Sectigo ECC Domain Validation Secure Server CA, O=Sectigo Limited, L=Salford, S=Greater Manchester, C=GB
2024-10-11T16:28:16.1321691Z Simple Name: Sectigo ECC Domain Validation Secure Server CA
2024-10-11T16:28:16.1321717Z DNS Name: Sectigo ECC Domain Validation Secure Server CA
2024-10-11T16:28:16.1321728Z
2024-10-11T16:28:16.1321738Z [Serial Number]
2024-10-11T16:28:16.1321748Z 008BDC0FFF54772FAAD173273F23362AAF
2024-10-11T16:28:16.1321758Z
2024-10-11T16:28:16.1321767Z [Not Before]
2024-10-11T16:28:16.1321776Z 03/07/2024 00:00:00
2024-10-11T16:28:16.1321785Z
2024-10-11T16:28:16.1321794Z [Not After]
2024-10-11T16:28:16.1321805Z 03/07/2025 23:59:59
2024-10-11T16:28:16.1321841Z
2024-10-11T16:28:16.1321913Z [Thumbprint]
2024-10-11T16:28:16.1321923Z 0DF6EC50FAEDAE6E13AF829452F7111B0ACF7C20
2024-10-11T16:28:16.1321933Z
2024-10-11T16:28:16.1321942Z [Signature Algorithm]
2024-10-11T16:28:16.1321951Z sha256ECDSA(1.2.840.10045.4.3.2)
2024-10-11T16:28:16.1321961Z
2024-10-11T16:28:16.1321970Z [Public Key]
2024-10-11T16:28:16.1321979Z Algorithm: ECC
2024-10-11T16:28:16.1321988Z Length:
2024-10-11T16:28:16.1321997Z Key Blob: 0470031849449B010A4133A3093799110F9815A71BCA420A43E234388D8D42A8D39E58FEDF3A49FE3F176226AEFA42FE5B3E6BF7B53C43EA9961A0D0D80E886F32
2024-10-11T16:28:16.1322007Z Parameters: 06082A8648CE3D030107
2024-10-11T16:28:16.1322016Z
2024-10-11T16:28:16.1322025Z [Extensions]
2024-10-11T16:28:16.1322034Z * X509v3 Authority Key Identifier(2.5.29.35):
2024-10-11T16:28:16.1322043Z F6:85:0A:3B:11:86:E1:04:7D:0E:AA:0B:2C:D2:EE:CC:64:7B:7B:AE
2024-10-11T16:28:16.1322053Z * X509v3 Subject Key Identifier(2.5.29.14):
2024-10-11T16:28:16.1322272Z 2C:D5:9F:32:48:98:6A:F9:B9:5B:BD:65:51:E9:E9:75:D7:20:B1:96
2024-10-11T16:28:16.1322326Z * X509v3 Key Usage(2.5.29.15):
2024-10-11T16:28:16.1322337Z Digital Signature
2024-10-11T16:28:16.1322347Z * X509v3 Basic Constraints(2.5.29.19):
2024-10-11T16:28:16.1322356Z CA:FALSE
2024-10-11T16:28:16.1322366Z * X509v3 Extended Key Usage(2.5.29.37):
2024-10-11T16:28:16.1322375Z TLS Web Server Authentication, TLS Web Client Authentication
2024-10-11T16:28:16.1322385Z * X509v3 Certificate Policies(2.5.29.32):
2024-10-11T16:28:16.1322395Z Policy: 1.3.6.1.4.1.6449.1.2.2.7
2024-10-11T16:28:16.1322404Z
2024-10-11T16:28:16.1322413Z * Authority Information Access(1.3.6.1.5.5.7.1.1):
2024-10-11T16:28:16.1322423Z CA Issuers - URI:http://crt.sectigo.com/SectigoECCDomainValidationSecureServerCA.crt
2024-10-11T16:28:16.1322433Z
2024-10-11T16:28:16.1322442Z * CT Precertificate SCTs(1.3.6.1.4.1.11129.2.4.2):
2024-10-11T16:28:16.1322451Z Signed Certificate Timestamp:
2024-10-11T16:28:16.1322460Z
2024-10-11T16:28:16.1322469Z * X509v3 Subject Alternative Name(2.5.29.17):
2024-10-11T16:28:16.1322479Z DNS:*.github.com, DNS:github.com
2024-10-11T16:28:16.1322488Z
2024-10-11T16:28:16.1322550Z [END Private.InternalDiagnostics.System.Net.Security - RemoteCertificate]
2024-10-11T16:28:16.2478618Z [START Private.InternalDiagnostics.System.Net.Security - RemoteCertificateError]
2024-10-11T16:28:16.2478803Z 31364015
2024-10-11T16:28:16.2478836Z Remote certificate has errors:
2024-10-11T16:28:16.2478854Z [END Private.InternalDiagnostics.System.Net.Security - RemoteCertificateError]
2024-10-11T16:28:16.2479095Z [START Private.InternalDiagnostics.System.Net.Security - RemoteCertificateError]
2024-10-11T16:28:16.2479139Z 31364015
2024-10-11T16:28:16.2479174Z ChainStatus: certificate has expired
2024-10-11T16:28:16.2479188Z [END Private.InternalDiagnostics.System.Net.Security - RemoteCertificateError]
2024-10-11T16:28:16.2495744Z [START System.Net.Security - HandshakeFailed]
2024-10-11T16:28:16.2495915Z False
2024-10-11T16:28:16.2497157Z 171.2801
2024-10-11T16:28:16.2497182Z The remote certificate is invalid because of errors in the certificate chain: NotTimeValid
2024-10-11T16:28:16.2497199Z [END System.Net.Security - HandshakeFailed]
2024-10-11T16:28:16.2497377Z [START System.Net.Security - HandshakeStop]
2024-10-11T16:28:16.2497416Z 0
2024-10-11T16:28:16.2497434Z [END System.Net.Security - HandshakeStop]
2024-10-11T16:28:16.2646056Z [START Private.InternalDiagnostics.System.Net.Http - HandlerMessage]
2024-10-11T16:28:16.2646217Z 63062333
2024-10-11T16:28:16.2646257Z 0
2024-10-11T16:28:16.2646277Z 0
2024-10-11T16:28:16.2646299Z HandleHttp11ConnectionFailure
2024-10-11T16:28:16.2646362Z HTTP/1.1 connection failed: System.Net.Http.HttpRequestException: The SSL connection could not be established, see inner exception.
2024-10-11T16:28:16.2646375Z ---> System.Security.Authentication.AuthenticationException: The remote certificate is invalid because of errors in the certificate chain: NotTimeValid
2024-10-11T16:28:16.2646397Z at System.Net.Security.SslStream.SendAuthResetSignal(ProtocolToken message, ExceptionDispatchInfo exception)
2024-10-11T16:28:16.2646408Z at System.Net.Security.SslStream.CompleteHandshake(SslAuthenticationOptions sslAuthenticationOptions)
2024-10-11T16:28:16.2646438Z at System.Net.Security.SslStream.ForceAuthenticationAsync[TIOAdapter](TIOAdapter adapter, Boolean receiveFirst, Byte[] reAuthenticationData, Boolean isApm)
2024-10-11T16:28:16.2646449Z at System.Net.Security.SslStream.ProcessAuthenticationWithTelemetryAsync(Boolean isAsync, Boolean isApm, CancellationToken cancellationToken)
2024-10-11T16:28:16.2646459Z at System.Net.Http.ConnectHelper.EstablishSslConnectionAsync(SslClientAuthenticationOptions sslOptions, HttpRequestMessage request, Boolean async, Stream stream, CancellationToken cancellationToken)
2024-10-11T16:28:16.2646473Z --- End of inner exception stack trace ---
2024-10-11T16:28:16.2646483Z at System.Net.Http.ConnectHelper.EstablishSslConnectionAsync(SslClientAuthenticationOptions sslOptions, HttpRequestMessage request, Boolean async, Stream stream, CancellationToken cancellationToken)
2024-10-11T16:28:16.2646493Z at System.Net.Http.HttpConnectionPool.ConnectAsync(HttpRequestMessage request, Boolean async, CancellationToken cancellationToken)
2024-10-11T16:28:16.2646503Z at System.Net.Http.HttpConnectionPool.CreateHttp11ConnectionAsync(HttpRequestMessage request, Boolean async, CancellationToken cancellationToken)
2024-10-11T16:28:16.2646514Z at System.Net.Http.HttpConnectionPool.AddHttp11ConnectionAsync(HttpRequestMessage request)
2024-10-11T16:28:16.2646534Z [END Private.InternalDiagnostics.System.Net.Http - HandlerMessage]
2024-10-11T16:28:16.2665125Z [START System.Net.Http - RequestLeftQueue]
2024-10-11T16:28:16.2665448Z 215.0822
2024-10-11T16:28:16.2665501Z 1
2024-10-11T16:28:16.2665522Z 1
2024-10-11T16:28:16.2665539Z [END System.Net.Http - RequestLeftQueue]
2024-10-11T16:28:16.2685936Z [START System.Net.Http - RequestFailed]
2024-10-11T16:28:16.2686083Z The SSL connection could not be established, see inner exception.
2024-10-11T16:28:16.2686115Z [END System.Net.Http - RequestFailed]
2024-10-11T16:28:16.2706906Z [START Private.InternalDiagnostics.System.Net.Http - ErrorMessage]
2024-10-11T16:28:16.2707005Z HttpClient#66166301
2024-10-11T16:28:16.2707029Z HandleFailure
2024-10-11T16:28:16.2707100Z System.Net.Http.HttpRequestException: The SSL connection could not be established, see inner exception.
2024-10-11T16:28:16.2707112Z ---> System.Security.Authentication.AuthenticationException: The remote certificate is invalid because of errors in the certificate chain: NotTimeValid
2024-10-11T16:28:16.2707251Z at System.Net.Security.SslStream.SendAuthResetSignal(ProtocolToken message, ExceptionDispatchInfo exception)
2024-10-11T16:28:16.2707264Z at System.Net.Security.SslStream.CompleteHandshake(SslAuthenticationOptions sslAuthenticationOptions)
2024-10-11T16:28:16.2707282Z at System.Net.Security.SslStream.ForceAuthenticationAsync[TIOAdapter](TIOAdapter adapter, Boolean receiveFirst, Byte[] reAuthenticationData, Boolean isApm)
2024-10-11T16:28:16.2707292Z at System.Net.Security.SslStream.ProcessAuthenticationWithTelemetryAsync(Boolean isAsync, Boolean isApm, CancellationToken cancellationToken)
2024-10-11T16:28:16.2707303Z at System.Net.Http.ConnectHelper.EstablishSslConnectionAsync(SslClientAuthenticationOptions sslOptions, HttpRequestMessage request, Boolean async, Stream stream, CancellationToken cancellationToken)
2024-10-11T16:28:16.2707338Z --- End of inner exception stack trace ---
2024-10-11T16:28:16.2707385Z at System.Net.Http.ConnectHelper.EstablishSslConnectionAsync(SslClientAuthenticationOptions sslOptions, HttpRequestMessage request, Boolean async, Stream stream, CancellationToken cancellationToken)
2024-10-11T16:28:16.2707396Z at System.Net.Http.HttpConnectionPool.ConnectAsync(HttpRequestMessage request, Boolean async, CancellationToken cancellationToken)
2024-10-11T16:28:16.2707407Z at System.Net.Http.HttpConnectionPool.CreateHttp11ConnectionAsync(HttpRequestMessage request, Boolean async, CancellationToken cancellationToken)
2024-10-11T16:28:16.2707417Z at System.Net.Http.HttpConnectionPool.AddHttp11ConnectionAsync(HttpRequestMessage request)
2024-10-11T16:28:16.2707427Z at System.Threading.Tasks.TaskCompletionSourceWithCancellation`1.WaitWithCancellationAsync(CancellationToken cancellationToken)
2024-10-11T16:28:16.2707444Z at System.Net.Http.HttpConnectionPool.GetHttp11ConnectionAsync(HttpRequestMessage request, Boolean async, CancellationToken cancellationToken)
2024-10-11T16:28:16.2707491Z at System.Net.Http.HttpConnectionPool.SendWithVersionDetectionAndRetryAsync(HttpRequestMessage request, Boolean async, Boolean doRequestAuth, CancellationToken cancellationToken)
2024-10-11T16:28:16.2707503Z at System.Net.Http.RedirectHandler.SendAsync(HttpRequestMessage request, Boolean async, CancellationToken cancellationToken)
2024-10-11T16:28:16.2707514Z at System.Net.Http.HttpClient.<SendAsync>g__Core|83_0(HttpRequestMessage request, HttpCompletionOption completionOption, CancellationTokenSource cts, Boolean disposeCts, CancellationTokenSource pendingRequestsCts, CancellationToken originalCancellationToken)
2024-10-11T16:28:16.2707535Z [END Private.InternalDiagnostics.System.Net.Http - ErrorMessage]
2024-10-11T16:28:16.2708732Z [START System.Net.Http - RequestStop]
2024-10-11T16:28:16.2708829Z -1
2024-10-11T16:28:16.2708847Z [END System.Net.Http - RequestStop]
2024-10-11T16:28:16.2732063Z [START Private.InternalDiagnostics.System.Net.Http - HandlerMessage]
2024-10-11T16:28:16.2732173Z 63062333
2024-10-11T16:28:16.2732203Z 0
2024-10-11T16:28:16.2732230Z 0
2024-10-11T16:28:16.2732256Z Dispose
2024-10-11T16:28:16.2732274Z Disposing pool.
2024-10-11T16:28:16.2732287Z [END Private.InternalDiagnostics.System.Net.Http - HandlerMessage]
2024-10-11T16:28:16.2736490Z ***************************************************************************************************************
2024-10-11T16:28:16.2736514Z **** ****
2024-10-11T16:28:16.2736531Z **** Https request 'GET' to https://api.github.com failed with error: System.Net.Http.HttpRequestException: The SSL connection could not be established, see inner exception.
---> System.Security.Authentication.AuthenticationException: The remote certificate is invalid because of errors in the certificate chain: NotTimeValid
at System.Net.Security.SslStream.SendAuthResetSignal(ProtocolToken message, ExceptionDispatchInfo exception)
at System.Net.Security.SslStream.CompleteHandshake(SslAuthenticationOptions sslAuthenticationOptions)
at System.Net.Security.SslStream.ForceAuthenticationAsync[TIOAdapter](TIOAdapter adapter, Boolean receiveFirst, Byte[] reAuthenticationData, Boolean isApm)
at System.Net.Security.SslStream.ProcessAuthenticationWithTelemetryAsync(Boolean isAsync, Boolean isApm, CancellationToken cancellationToken)
at System.Net.Http.ConnectHelper.EstablishSslConnectionAsync(SslClientAuthenticationOptions sslOptions, HttpRequestMessage request, Boolean async, Stream stream, CancellationToken cancellationToken)
--- End of inner exception stack trace ---
at System.Net.Http.ConnectHelper.EstablishSslConnectionAsync(SslClientAuthenticationOptions sslOptions, HttpRequestMessage request, Boolean async, Stream stream, CancellationToken cancellationToken)
at System.Net.Http.HttpConnectionPool.ConnectAsync(HttpRequestMessage request, Boolean async, CancellationToken cancellationToken)
at System.Net.Http.HttpConnectionPool.CreateHttp11ConnectionAsync(HttpRequestMessage request, Boolean async, CancellationToken cancellationToken)
at System.Net.Http.HttpConnectionPool.AddHttp11ConnectionAsync(HttpRequestMessage request)
at System.Threading.Tasks.TaskCompletionSourceWithCancellation`1.WaitWithCancellationAsync(CancellationToken cancellationToken)
at System.Net.Http.HttpConnectionPool.GetHttp11ConnectionAsync(HttpRequestMessage request, Boolean async, CancellationToken cancellationToken)
at System.Net.Http.HttpConnectionPool.SendWithVersionDetectionAndRetryAsync(HttpRequestMessage request, Boolean async, Boolean doRequestAuth, CancellationToken cancellationToken)
at System.Net.Http.RedirectHandler.SendAsync(HttpRequestMessage request, Boolean async, CancellationToken cancellationToken)
at System.Net.Http.HttpClient.<SendAsync>g__Core|83_0(HttpRequestMessage request, HttpCompletionOption completionOption, CancellationTokenSource cts, Boolean disposeCts, CancellationTokenSource pendingRequestsCts, CancellationToken originalCancellationToken)
at GitHub.Runner.Listener.Check.CheckUtil.CheckHttpsGetRequests(IHostContext hostContext, String url, String pat, String expectedHeader)
2024-10-11T16:28:16.2747472Z **** ****
2024-10-11T16:28:16.2747494Z ***************************************************************************************************************
To Reproduce
See Docker image setup info below.
Runner Version and Platform
v2.320 (though v2.319 didn't work either.)
OS of the machine running the runner? Linux (Raspberry Pi OS arm64 with an armv7l/armhf docker container containing the runner.)
Job Log Output
--------------------------------------------------------------------------------
| ____ _ _ _ _ _ _ _ _ |
| / ___(_) |_| | | |_ _| |__ / \ ___| |_(_) ___ _ __ ___ |
| | | _| | __| |_| | | | | '_ \ / _ \ / __| __| |/ _ \| '_ \/ __| |
| | |_| | | |_| _ | |_| | |_) | / ___ \ (__| |_| | (_) | | | \__ \ |
| \____|_|\__|_| |_|\__,_|_.__/ /_/ \_\___|\__|_|\___/|_| |_|___/ |
| |
| Self-hosted runner registration |
| |
--------------------------------------------------------------------------------
# Authentication
The SSL connection could not be established, see inner exception.
An error occurred: Not configured. Run config.(sh/cmd) to configure the runner.
Runner listener exit with terminated error, stop the service, no retry needed.
Exiting runner...
Runner and Worker's Diagnostic Logs
Looking at the _diag Runner logs, I see the same thing:
[2024-10-11 13:47:36Z ERR ConfigurationManager] Failed to get tenant credentials -- Attempt: 1
[2024-10-11 13:47:36Z ERR ConfigurationManager] System.Net.Http.HttpRequestException: The SSL connection could not be established, see inner exception.
---> System.Security.Authentication.AuthenticationException: The remote certificate is invalid because of errors in the certificate chain: NotTimeValid
at System.Net.Security.SslStream.SendAuthResetSignal(ProtocolToken message, ExceptionDispatchInfo exception)
at System.Net.Security.SslStream.CompleteHandshake(SslAuthenticationOptions sslAuthenticationOptions)
at System.Net.Security.SslStream.ForceAuthenticationAsync[TIOAdapter](TIOAdapter adapter, Boolean receiveFirst, Byte[] reAuthenticationData, Boolean isApm)
at System.Net.Http.ConnectHelper.EstablishSslConnectionAsync(SslClientAuthenticationOptions sslOptions, HttpRequestMessage request, Boolean async, Stream stream, CancellationToken cancellationToken)
--- End of inner exception stack trace ---
at System.Net.Http.ConnectHelper.EstablishSslConnectionAsync(SslClientAuthenticationOptions sslOptions, HttpRequestMessage request, Boolean async, Stream stream, CancellationToken cancellationToken)
at System.Net.Http.HttpConnectionPool.ConnectAsync(HttpRequestMessage request, Boolean async, CancellationToken cancellationToken)
at System.Net.Http.HttpConnectionPool.CreateHttp11ConnectionAsync(HttpRequestMessage request, Boolean async, CancellationToken cancellationToken)
at System.Net.Http.HttpConnectionPool.AddHttp11ConnectionAsync(HttpRequestMessage request)
at System.Threading.Tasks.TaskCompletionSourceWithCancellation`1.WaitWithCancellationAsync(CancellationToken cancellationToken)
at System.Net.Http.HttpConnectionPool.GetHttp11ConnectionAsync(HttpRequestMessage request, Boolean async, CancellationToken cancellationToken)
at System.Net.Http.HttpConnectionPool.SendWithVersionDetectionAndRetryAsync(HttpRequestMessage request, Boolean async, Boolean doRequestAuth, CancellationToken cancellationToken)
at System.Net.Http.RedirectHandler.SendAsync(HttpRequestMessage request, Boolean async, CancellationToken cancellationToken)
at System.Net.Http.HttpClient.<SendAsync>g__Core|83_0(HttpRequestMessage request, HttpCompletionOption completionOption, CancellationTokenSource cts, Boolean disposeCts, CancellationTokenSource pendingRequestsCts, CancellationToken originalCancellationToken)
at GitHub.Runner.Listener.Configuration.ConfigurationManager.GetTenantCredential(String githubUrl, String githubToken, String runnerEvent)
[2024-10-11 13:47:36Z ERR ConfigurationManager] #####################################################
[2024-10-11 13:47:36Z ERR ConfigurationManager] System.Security.Authentication.AuthenticationException: The remote certificate is invalid because of errors in the certificate chain: NotTimeValid
This is the Dockerfile I am using:
# install python and the packages that your code depends on along with jq so we can parse JSON
# add additional packages as necessary
RUN DEBIAN_FRONTEND=noninteractive apt-get update -y \
&& apt-get upgrade -y \
&& apt-get install -y --no-install-recommends \
curl jq build-essential libssl-dev libffi-dev python3 python3-venv python3-dev python3-pip \
&& apt-get install -y ca-certificates libicu-dev ruby inetutils-ping vim git gh sudo file \
&& install -m 0755 -d /etc/apt/keyrings \
&& curl -fsSL https://download.docker.com/linux/ubuntu/gpg -o /etc/apt/keyrings/docker.asc \
&& chmod a+r /etc/apt/keyrings/docker.asc \
&& echo \
"deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.asc] https://download.docker.com/linux/ubuntu \
$(. /etc/os-release && echo "$VERSION_CODENAME") stable" | \
tee /etc/apt/sources.list.d/docker.list > /dev/null \
&& apt-get update \
&& apt-get install -y docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin \
&& useradd -m docker -g docker \
&& echo "docker ALL=(ALL) NOPASSWD: ALL" >> /etc/sudoers
# set the github runner version, cd into the user directory, download and unzip the github actions runner
RUN RUNNER_VERSION=$(git -c 'versionsort.suffix=-' ls-remote --exit-code --refs --sort='version:refname' --tags https://github.com/actions/runner '*.*.*' | tail --lines=1 | cut --delimiter='/' --fields=3 | sed 's/v//') \
&& cd /home/docker && mkdir actions-runner && cd actions-runner \
&& curl -O -L https://github.com/actions/runner/releases/download/v${RUNNER_VERSION}/actions-runner-linux-arm-${RUNNER_VERSION}.tar.gz \
&& tar xzf ./actions-runner-linux-arm-${RUNNER_VERSION}.tar.gz && rm ./actions-runner-linux-arm-${RUNNER_VERSION}.tar.gz
RUN --mount=type=bind,target=/input <<EOF1
tee -a /start.sh <<RUNNERSTARTEOF
#!/bin/bash
ORGANIZATION=\$ORGANIZATION
ACCESS_TOKEN=\$ACCESS_TOKEN
cd /home/docker/actions-runner
./config.sh --url https://github.com/\${ORGANIZATION} --token \${ACCESS_TOKEN}
cleanup() {
echo "Removing runner..."
./config.sh remove --unattended --token \${ACCESS_TOKEN}
}
trap 'cleanup; exit 130' INT
trap 'cleanup; exit 143' TERM
./run.sh & wait \$!
RUNNERSTARTEOF
chmod +x /start.sh
EOF1
# since the config and run script for actions are not allowed to be run by root,
# set the user to "docker" so all subsequent commands are run as the docker user
USER docker
# use cmd instead of entrypoint for easier debugging...
CMD ["./start.sh"]
I build the container on a Raspberry Pi 5B running the 64-bit Raspberry Pi OS with 4k pages set via booting with the kernel8.img (which allows me to use armv7l/armv8l functionality) using:
docker build --platform linux/arm/v7 --tag runner-image-arm .
I can start the container thus:
docker run -it --privileged --init -v /var/run/docker.sock:/var/run/docker.sock \
--env ORGANIZATION=<org> \
--env ACCESS_TOKEN=<token> \
--name runner-arm \
--platform linux/arm/v7 \
runner-image-arm
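A triage check for the InternetCheck log shown in this issue, added here as an example (not code from the issue author or the actions/runner project): it compares the leaf certificate's validity window from the RemoteCertificate dump with the timestamp of the NotTimeValid failure. The function names, the MM/DD/YYYY reading of the certificate dates and the second sample log are assumptions.

```python
import re
from datetime import datetime

# Runner _diag lines look like "<ISO timestamp>Z <payload>"; fractional
# seconds are dropped because second resolution is enough for this check.
LINE = re.compile(r"^(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})\.\d+Z ?(.*)$")
CERT_DATE = "%m/%d/%Y %H:%M:%S"  # assumption: the dump prints MM/DD/YYYY


def parse(log_text):
    """Return (timestamp, payload) pairs for every timestamped log line."""
    entries = []
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S")
            entries.append((ts, m.group(2).strip()))
    return entries


def cert_date(text):
    """Parse a certificate date line, or return None if it is not a date."""
    try:
        return datetime.strptime(text, CERT_DATE)
    except ValueError:
        return None


def triage(log_text):
    """Classify a NotTimeValid failure against the logged leaf certificate.

    Time zones are ignored: the log stamps are UTC, the dump may be local
    time, and the check only needs day-level accuracy.
    """
    entries = parse(log_text)
    not_before = not_after = failed_at = None
    for i, (ts, payload) in enumerate(entries):
        following = entries[i + 1][1] if i + 1 < len(entries) else ""
        if payload == "[Not Before]":
            not_before = cert_date(following)
        elif payload == "[Not After]":
            not_after = cert_date(following)
        elif "NotTimeValid" in payload and failed_at is None:
            failed_at = ts
    if failed_at is None:
        return {"verdict": "no-time-error"}
    if not_before is None or not_after is None:
        return {"verdict": "no-certificate-dump", "failed_at": failed_at}
    inside = not_before <= failed_at <= not_after
    return {
        # Leaf valid at failure time: the leaf and the clock that stamped
        # the log do not explain the error, so look at the rest of the
        # chain and at the verifier's own time handling.
        "verdict": "leaf-valid-at-failure" if inside else "leaf-outside-validity",
        "failed_at": failed_at,
        "not_before": not_before,
        "not_after": not_after,
    }


# Lines copied from the InternetCheck log in this issue (trimmed).
PAGE_EXCERPT = """\
2024-10-11T16:28:16.1321767Z [Not Before]
2024-10-11T16:28:16.1321776Z 03/07/2024 00:00:00
2024-10-11T16:28:16.1321785Z
2024-10-11T16:28:16.1321794Z [Not After]
2024-10-11T16:28:16.1321805Z 03/07/2025 23:59:59
2024-10-11T16:28:16.2479174Z ChainStatus: certificate has expired
2024-10-11T16:28:16.2497182Z The remote certificate is invalid because of errors in the certificate chain: NotTimeValid
"""

# Constructed sample (not from the issue): a leaf that really has expired.
EXPIRED_SAMPLE = """\
2024-10-11T16:28:16.1000000Z [Not Before]
2024-10-11T16:28:16.1000001Z 01/01/2023 00:00:00
2024-10-11T16:28:16.1000002Z [Not After]
2024-10-11T16:28:16.1000003Z 01/01/2024 23:59:59
2024-10-11T16:28:16.2000000Z The remote certificate is invalid because of errors in the certificate chain: NotTimeValid
"""

if __name__ == "__main__":
    for name, sample in (("issue log", PAGE_EXCERPT), ("constructed", EXPIRED_SAMPLE)):
        print(name, "->", triage(sample)["verdict"])
```

The log dumps only the leaf certificate, so a leaf inside its window does not rule out an expired intermediate; it does show that the reported expiry is not explained by the leaf or by the clock that stamped the log.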