Auto Update for Github Actions self-hosted runners

[kaursimr]

I have been facing SSL issues auto updating github actions self-hosted runners. We do not have a SSL cert setup at the moment. Would it be possible for you to share a link for setting up self-signed or local CA certs for overcoming this issue?

Attached are the screenshots for your reference.

[TingluoHuang]

@kaursimr it's a public endpoint on github.com
https://github.com/actions/runner/releases/download/v2.275.1/actions-runner-linux-x64-2.275.1.tar.gz

can you try to use CURL to hit that endpoint?
curl -v -L https://github.com/actions/runner/releases/download/v2.275.1/actions-runner-linux-x64-2.275.1.tar.gz

[kaursimr]

Hi Tingluo, Attached is the response of the curl command you mentioned. It’s probably looking for certs at /etc/ssl/certs/ca-certificates.crt and gives out an handshake error. azadmin@azlapsghruse202:~$ curl -v -L https://github.com/actions/runner/releases/download/v2.275.1/actions-runner-linux-x64-2.275.1.tar.gz * Trying 140.82.112.4... * Connected to github.com (140.82.112.4) port 443 (#0) * found 138 certificates in /etc/ssl/certs/ca-certificates.crt * found 552 certificates in /etc/ssl/certs * ALPN, offering http/1.1 * SSL connection using TLS1.2 / ECDHE_RSA_AES_128_GCM_SHA256 * server certificate verification OK * server certificate status verification SKIPPED * common name: github.com (matched) * server certificate expiration date OK * server certificate activation date OK * certificate public key: RSA * certificate version: #3 * subject: C=US,ST=California,L=San Francisco,O=GitHub\, Inc.,CN=github.com * start date: Tue, 05 May 2020 00:00:00 GMT * expire date: Tue, 10 May 2022 12:00:00 GMT * issuer: C=US,O=DigiCert Inc,OU=www.digicert.com,CN=DigiCert SHA2 High Assurance Server CA * compression: NULL * ALPN, server accepted to use http/1.1

GET /actions/runner/releases/download/v2.275.1/actions-runner-linux-x64-2.275.1.tar.gz HTTP/1.1 Host: github.com User-Agent: curl/7.47.0 Accept: */*

< HTTP/1.1 302 Found < server: github.com < date: Mon, 11 Jan 2021 15:12:26 GMT < content-type: text/html; charset=utf-8 < status: 302 Found < vary: X-PJAX, Accept-Encoding, Accept, X-Requested-With < location: https://github-production-release-asset-2e65be.s3.amazonaws.com/184286875/41ae0d00-3e55-11eb-8630-314d2713defd?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAIWNJYAX4CSVEH53A%2F20210111%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20210111T151226Z&X-Amz-Expires=300&X-Amz-Signature=417a62903fc4a91e4749e7dd9b1f2c6ef599d46d94442415682d1996410fb443&X-Amz-SignedHeaders=host&actor_id=0&key_id=0&repo_id=184286875&response-content-disposition=attachment%3B%20filename%3Dactions-runner-linux-x64-2.275.1.tar.gz&response-content-type=application%2Foctet-stream < cache-control: no-cache < strict-transport-security: max-age=31536000; includeSubdomains; preload < x-frame-options: deny < x-content-type-options: nosniff < x-xss-protection: 1; mode=block < referrer-policy: no-referrer-when-downgrade < expect-ct: max-age=2592000, report-uri="https://api.github.com/_private/browser/errors" < content-security-policy: default-src 'none'; base-uri 'self'; block-all-mixed-content; connect-src 'self' uploads.github.com www.githubstatus.com collector.githubapp.com api.github.com github-cloud.s3.amazonaws.com github-production-repository-file-5c1aeb.s3.amazonaws.com github-production-upload-manifest-file-7fdce7.s3.amazonaws.com github-production-user-asset-6210df.s3.amazonaws.com cdn.optimizely.com logx.optimizely.com/v1/events wss://alive.github.com; font-src github.githubassets.com; form-action 'self' github.com gist.github.com; frame-ancestors 'none'; frame-src render.githubusercontent.com; img-src 'self' data: github.githubassets.com identicons.github.com collector.githubapp.com github-cloud.s3.amazonaws.com *.githubusercontent.com; manifest-src 'self'; media-src 'none'; script-src github.githubassets.com; style-src 'unsafe-inline' github.githubassets.com; worker-src github.com/socket-worker-5029ae85.js gist.github.com/socket-worker-5029ae85.js < Set-Cookie: _gh_sess=FUr4GRsEVbNZYez7JoRtdAXSMnavnqnoLJIKNwPI6mBJ4HeoCmHZSCkoMpTLobbqOIa4yy1HxJ%2FvW%2FI9ZBDsdJ65gGJ9ptTRUhtxmz5xcYfiS5XvtxZYvvdJTG7LXf036ZQdKziWb1GbeXPZX2mI%2Bc9x4%2B1BciOo8oROGSf9EtazwyEqZnuy57%2Fbw7BqQAg9B%2BmKfyTP9QyCWcU6rhxvsBH%2BsGjKuV6pG8IYkIIwafRF0GeziNOxGwZQcZQCb0ab3q%2BK1TVQFkc7n8GuJCHVyg%3D%3D--XPwomX4E%2BrfMAekQ--CwCPBoD5xI0zv9oUvMBnDw%3D%3D; Path=/; HttpOnly; Secure; SameSite=Lax < Set-Cookie: _octo=GH1.1.1606735803.1610377946; Path=/; Domain=github.com; Expires=Tue, 11 Jan 2022 15:12:26 GMT; Secure; SameSite=Lax < Set-Cookie: logged_in=no; Path=/; Domain=github.com; Expires=Tue, 11 Jan 2022 15:12:26 GMT; HttpOnly; Secure; SameSite=Lax < Content-Length: 665 < X-GitHub-Request-Id: 574C:5882:122DAF2:1C37FD2:5FFC6ADA < * Ignoring the response-body * Connection #0 to host github.com left intact * Issue another request to this URL: 'https://github-production-release-asset-2e65be.s3.amazonaws.com/184286875/41ae0d00-3e55-11eb-8630-314d2713defd?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAIWNJYAX4CSVEH53A%2F20210111%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20210111T151226Z&X-Amz-Expires=300&X-Amz-Signature=417a62903fc4a91e4749e7dd9b1f2c6ef599d46d94442415682d1996410fb443&X-Amz-SignedHeaders=host&actor_id=0&key_id=0&repo_id=184286875&response-content-disposition=attachment%3B%20filename%3Dactions-runner-linux-x64-2.275.1.tar.gz&response-content-type=application%2Foctet-stream' * Trying 52.216.243.12... * Connected to github-production-release-asset-2e65be.s3.amazonaws.com (52.216.243.12) port 443 (#1) * found 138 certificates in /etc/ssl/certs/ca-certificates.crt * found 552 certificates in /etc/ssl/certs * ALPN, offering http/1.1 * gnutls_handshake() failed: Error in the pull function. * Closing connection 1 curl: (35) gnutls_handshake() failed: Error in the pull function. azadmin@azlapsghruse202:~$ Simran Kaur Full Stack Software Engineer | Continuous Delivery Development Platform & Software Engineering 250 Bloor Street East | Toronto, ON M4W1E6 | M. 519-965-8615 Simran_Kaur@manulife.com<mailto:Simran_Kaur@manulife.com> | kaursim@mfcgd.com<mailto:kaursim@mfcgd.com> | manulife.com<http://www.manulife.com/> From: Tingluo Huang <notifications@github.com> Reply-To: actions/runner <reply@reply.github.com> Date: Monday, January 11, 2021 at 10:08 AM To: actions/runner <runner@noreply.github.com> Cc: Simran Kaur <Simran_Kaur@manulife.com>, Mention <mention@noreply.github.com> Subject: [EXTERNAL] Re: [actions/runner] Auto Update for Github Actions self-hosted runners (#903) CAUTION This email is from an external sender, be cautious with links and attachments. @kaursimr<https://github.com/kaursimr> it's a public endpoint on github.com https://github.com/actions/runner/releases/download/v2.275.1/actions-runner-linux-x64-2.275.1.tar.gz can you try to use CURL to hit that endpoint? curl -v -L https://github.com/actions/runner/releases/download/v2.275.1/actions-runner-linux-x64-2.275.1.tar.gz — You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub<#903 (comment)>, or unsubscribe<https://github.com/notifications/unsubscribe-auth/APAXAA3CYOYGC34OPSIYCFDSZMIADANCNFSM4V5USFGA>. STATEMENT OF CONFIDENTIALITY The information contained in this email message and any attachments may be confidential and legally privileged and is intended for the use of the addressee(s) only. If you are not an intended recipient, please: (1) notify me immediately by replying to this message; (2) do not use, disseminate, distribute or reproduce any part of the message or any attachment; and (3) destroy all copies of this message and any attachments.

[TingluoHuang]

@kaursimr feel like you have maybe a firewall or proxy that blocks SSL connection to https://github-production-release-asset-2e65be.s3.amazonaws.com

try curl -v https://github-production-release-asset-2e65be.s3.amazonaws.com to verify?

[TingluoHuang]

all GitHub release assets are stored at AWS S3 storage.

[kaursimr]

Looks like it doesn’t have connectivity to https://github-production-release-asset-2e65be.s3.amazonaws.com itself. azadmin@azlapsghruse202:~$ curl -v https://github-production-release-asset-2e65be.s3.amazonaws.com * Rebuilt URL to: https://github-production-release-asset-2e65be.s3.amazonaws.com/ * Trying 52.216.78.4... * Connected to github-production-release-asset-2e65be.s3.amazonaws.com (52.216.78.4) port 443 (#0) * found 138 certificates in /etc/ssl/certs/ca-certificates.crt * found 552 certificates in /etc/ssl/certs * ALPN, offering http/1.1 * gnutls_handshake() failed: Error in the pull function. * Closing connection 0 curl: (35) gnutls_handshake() failed: Error in the pull function. Simran Kaur Full Stack Software Engineer | Continuous Delivery Development Platform & Software Engineering 250 Bloor Street East | Toronto, ON M4W1E6 | M. 519-965-8615 Simran_Kaur@manulife.com<mailto:Simran_Kaur@manulife.com> | kaursim@mfcgd.com<mailto:kaursim@mfcgd.com> | manulife.com<http://www.manulife.com/> From: Tingluo Huang <notifications@github.com> Reply-To: actions/runner <reply@reply.github.com> Date: Monday, January 11, 2021 at 10:23 AM To: actions/runner <runner@noreply.github.com> Cc: Simran Kaur <Simran_Kaur@manulife.com>, Mention <mention@noreply.github.com> Subject: [EXTERNAL] Re: [actions/runner] Auto Update for Github Actions self-hosted runners (#903) CAUTION This email is from an external sender, be cautious with links and attachments. @kaursimr<https://github.com/kaursimr> feel like you have maybe a firewall or proxy that blocks SSL connection to https://github-production-release-asset-2e65be.s3.amazonaws.com try curl -v https://github-production-release-asset-2e65be.s3.amazonaws.com to verify? — You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub<#903 (comment)>, or unsubscribe<https://github.com/notifications/unsubscribe-auth/APAXAAZCJDZXWIWVVDVQHWLSZMJYPANCNFSM4V5USFGA>. STATEMENT OF CONFIDENTIALITY The information contained in this email message and any attachments may be confidential and legally privileged and is intended for the use of the addressee(s) only. If you are not an intended recipient, please: (1) notify me immediately by replying to this message; (2) do not use, disseminate, distribute or reproduce any part of the message or any attachment; and (3) destroy all copies of this message and any attachments.

[TingluoHuang]

@kaursimr do you mind trying to ask your network administrator to whitelist the HOST from the firewall?

[kaursimr]

Did you mean whitelisting this host -> https://github-production-release-asset-2e65be.s3.amazonaws.com ? Simran Kaur Full Stack Software Engineer | Continuous Delivery Development Platform & Software Engineering 250 Bloor Street East | Toronto, ON M4W1E6 | M. 519-965-8615 Simran_Kaur@manulife.com<mailto:Simran_Kaur@manulife.com> | kaursim@mfcgd.com<mailto:kaursim@mfcgd.com> | manulife.com<http://www.manulife.com/> From: Tingluo Huang <notifications@github.com> Reply-To: actions/runner <reply@reply.github.com> Date: Monday, January 11, 2021 at 10:36 AM To: actions/runner <runner@noreply.github.com> Cc: Simran Kaur <Simran_Kaur@manulife.com>, Mention <mention@noreply.github.com> Subject: [EXTERNAL] Re: [actions/runner] Auto Update for Github Actions self-hosted runners (#903) CAUTION This email is from an external sender, be cautious with links and attachments. @kaursimr<https://github.com/kaursimr> do you mind trying to ask your network administrator to whitelist the HOST from the firewall? — You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub<#903 (comment)>, or unsubscribe<https://github.com/notifications/unsubscribe-auth/APAXAA2A4SGUDWB5ISFNUJDSZMLHPANCNFSM4V5USFGA>. STATEMENT OF CONFIDENTIALITY The information contained in this email message and any attachments may be confidential and legally privileged and is intended for the use of the addressee(s) only. If you are not an intended recipient, please: (1) notify me immediately by replying to this message; (2) do not use, disseminate, distribute or reproduce any part of the message or any attachment; and (3) destroy all copies of this message and any attachments.

[TingluoHuang]

@kaursimr I would suggest *.s3.amazonaws.com

[kaursimr]

Sure thanks Tingluo! I have reached out to our network administrator. And they will be whitelisting the below mentioned host on Wednesday this week. *.s3.amazonaws.com Once the FW rule is applied. I’ll run the connectivity tests again and get back to you. Simran Kaur Full Stack Software Engineer | Continuous Delivery Development Platform & Software Engineering 250 Bloor Street East | Toronto, ON M4W1E6 | M. 519-965-8615 Simran_Kaur@manulife.com<mailto:Simran_Kaur@manulife.com> | kaursim@mfcgd.com<mailto:kaursim@mfcgd.com> | manulife.com<http://www.manulife.com/> From: Tingluo Huang <notifications@github.com> Reply-To: actions/runner <reply@reply.github.com> Date: Monday, January 11, 2021 at 10:51 AM To: actions/runner <runner@noreply.github.com> Cc: Simran Kaur <Simran_Kaur@manulife.com>, Mention <mention@noreply.github.com> Subject: [EXTERNAL] Re: [actions/runner] Auto Update for Github Actions self-hosted runners (#903) CAUTION This email is from an external sender, be cautious with links and attachments. @kaursimr<https://github.com/kaursimr> I would suggest *.s3.amazonaws.com — You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub<#903 (comment)>, or unsubscribe<https://github.com/notifications/unsubscribe-auth/APAXAAYRYGSWCTDS6DXRNDDSZMM6BANCNFSM4V5USFGA>. STATEMENT OF CONFIDENTIALITY The information contained in this email message and any attachments may be confidential and legally privileged and is intended for the use of the addressee(s) only. If you are not an intended recipient, please: (1) notify me immediately by replying to this message; (2) do not use, disseminate, distribute or reproduce any part of the message or any attachment; and (3) destroy all copies of this message and any attachments.

[kaursimr]

Hey Tingluo,

Apologizes for not getting back to you soon on this. But I got the network team to add a FW rule my azure servers. After the rule was applied i am now able to run curl commands to download the github action runner package. I have not been able to test the auto-updates yet as all my servers are running the latest version of Github self hosted runners. Is there any other way to initiate an auto-update or any setting that would confirm that i'll not face a similar issue in future?

Thanks for your help!
Best Regards
Simran Kaur

[TingluoHuang]

@kaursimr you can try to download an older version of the runner from https://github.com/actions/runner/releases and force the auto-update by queue a job to the older version runner. (add a label to the older version runner and run a workflow using that label.)