Arm Runner authentication broken w/ .Net 6.0 & .Net 8.0 on Ubuntu 24.x, fixed with .Net 9.0. "The SSL connection could not be established, see inner exception." #3505

Open
satmandu opened this issue Oct 11, 2024 · 3 comments
Labels
bug Something isn't working

satmandu commented Oct 11, 2024

The runner fails to authenticate with GitHub when using the arm runner in an Ubuntu 24.x based container. Logs indicate a "The remote certificate is invalid because of errors in the certificate chain: NotTimeValid" error. This appears to be due to arm32 Y2038 compatibility issues with the underlying Ubuntu/Debian operating systems moving to 64-bit time.

Fixes are in .Net 9.0, but will not be backported to .Net 8.0 as per dotnet/core#9285

See:
dotnet/runtime#101444
dotnet/runtime#96460
dotnet/runtime#102410

Working patch (Just adjusting to use .Net 9.0):
satmandu#1

I requested a backport at dotnet/runtime#109161, but it's clear that this isn't going to happen and that, for newer Linux distribution based usage on arm32, .Net 9.0 will be needed.

This is what I see:

docker@7f94f0525ad7:/$ /start.sh                                                                                                              
                                                                                                                                              
--------------------------------------------------------------------------------                                                              
|        ____ _ _   _   _       _          _        _   _                      |                                                              
|       / ___(_) |_| | | |_   _| |__      / \   ___| |_(_) ___  _ __  ___      |                                                              
|      | |  _| | __| |_| | | | | '_ \    / _ \ / __| __| |/ _ \| '_ \/ __|     |                                                              
|      | |_| | | |_|  _  | |_| | |_) |  / ___ \ (__| |_| | (_) | | | \__ \     |                                                              
|       \____|_|\__|_| |_|\__,_|_.__/  /_/   \_\___|\__|_|\___/|_| |_|___/     |                                                              
|                                                                              |                                                              
|                       Self-hosted runner registration                        |                                                              
|                                                                              |                                                              
--------------------------------------------------------------------------------                                                              

# Authentication

The SSL connection could not be established, see inner exception.
An error occurred: Not configured. Run config.(sh/cmd) to configure the runner.
Runner listener exit with terminated error, stop the service, no retry needed.
Exiting runner...
docker@7f94f0525ad7:/$ cat start.sh                                                                                                           
#!/bin/bash

ORGANIZATION=$ORGANIZATION
ACCESS_TOKEN=$ACCESS_TOKEN

cd /home/docker/actions-runner

export DOTNET_SYSTEM_NET_HTTP_USESOCKETSHTTPHANDLER=0

./config.sh --url https://github.com/${ORGANIZATION} --token ${ACCESS_TOKEN}

cleanup() {
    echo "Removing runner..."
    ./config.sh remove --unattended --token ${ACCESS_TOKEN}
}

trap 'cleanup; exit 130' INT
trap 'cleanup; exit 143' TERM

./run.sh & wait $!

Digging in I see this error when running ./config.sh --check --url https://github.com/${ORGANIZATION} --pat ${ACCESS_TOKEN} (with DOTNET_SYSTEM_NET_HTTP_USESOCKETSHTTPHANDLER=0 set):

docker@7f94f0525ad7:~/actions-runner$ ./config.sh --check --url https://github.com/${ORGANIZATION} --pat ${ACCESS_TOKEN}
**********************************************************************************************************************
**  Check:               Internet Connection                                                                                                  
**  Description:         Check if the Actions runner has internet access.                                             
**********************************************************************************************************************
**                                                                                                                  **
**                                            F A I L                                                               **
**                                                                                                                  **
**********************************************************************************************************************
** Log: /home/docker/actions-runner/_diag/InternetCheck_20241011-161958-utc.log
** Help Doc: https://github.com/actions/runner/blob/main/docs/checks/internet.md               
**********************************************************************************************************************
                                                                                                                                              
                                                                                                                                              
**********************************************************************************************************************
**  Check:               GitHub Actions Connection                                                                                            
**  Description:         Check if the Actions runner has access to the GitHub Actions service.
**********************************************************************************************************************
**                                                                                                                  **
**                                            F A I L                                                               **
**                                                                                                                  **
**********************************************************************************************************************
** Log: /home/docker/actions-runner/_diag/ActionsCheck_20241011-161958-utc.log
** Help Doc: https://github.com/actions/runner/blob/main/docs/checks/actions.md
**********************************************************************************************************************


**********************************************************************************************************************
**  Check:               Git Certificate/Proxy Validation
**  Description:         Check if the Git CLI can access GitHub.com or GitHub Enterprise Server.
**********************************************************************************************************************
**                                                                                                                  **
**                                            P A S S                                                               **
**                                                                                                                  **
**********************************************************************************************************************
** Log: /home/docker/actions-runner/_diag/GitCheck_20241011-161958-utc.log
**********************************************************************************************************************

Looking at one of these InternetCheck logs in more detail:
w/o DOTNET_SYSTEM_NET_HTTP_USESOCKETSHTTPHANDLER=0 set:

2024-10-11T16:28:15.9689744Z ***************************************************************************************************************
2024-10-11T16:28:15.9832297Z ***************************************************************************************************************
2024-10-11T16:28:15.9832694Z ****                                                                                                       ****
2024-10-11T16:28:15.9832709Z ****     Try DNS lookup for api.github.com 
2024-10-11T16:28:15.9834863Z ****                                                                                                       ****
2024-10-11T16:28:15.9834879Z ***************************************************************************************************************
2024-10-11T16:28:15.9899717Z Resolved DNS for api.github.com to '140.82.114.6'
2024-10-11T16:28:15.9886904Z ***************************************************************************************************************
2024-10-11T16:28:15.9886976Z ****                                                                                                       ****
2024-10-11T16:28:15.9886990Z ****     Try ping api.github.com 
2024-10-11T16:28:15.9887121Z ****                                                                                                       ****
2024-10-11T16:28:15.9887133Z ***************************************************************************************************************
2024-10-11T16:28:16.0345088Z Ping api.github.com (140.82.114.6) succeed within to '10 ms'
2024-10-11T16:28:15.9968608Z ***************************************************************************************************************
2024-10-11T16:28:15.9968695Z ****                                                                                                       ****
2024-10-11T16:28:15.9968710Z ****     Send HTTPS Request (GET) to https://api.github.com 
2024-10-11T16:28:15.9968724Z ****                                                                                                       ****
2024-10-11T16:28:15.9968735Z ***************************************************************************************************************
2024-10-11T16:28:16.0354893Z [START System.Net.Http - RequestStart]
2024-10-11T16:28:16.0365428Z https
2024-10-11T16:28:16.0365778Z api.github.com
2024-10-11T16:28:16.0365928Z 443
2024-10-11T16:28:16.0365961Z /
2024-10-11T16:28:16.0366030Z 1
2024-10-11T16:28:16.0366049Z 1
2024-10-11T16:28:16.0366071Z 0
2024-10-11T16:28:16.0366194Z [END System.Net.Http - RequestStart]
2024-10-11T16:28:16.0464598Z [START Private.InternalDiagnostics.System.Net.Http - HandlerMessage]
2024-10-11T16:28:16.0464944Z 63062333
2024-10-11T16:28:16.0464982Z 0
2024-10-11T16:28:16.0465014Z 0
2024-10-11T16:28:16.0465031Z .ctor
2024-10-11T16:28:16.0465047Z HttpConnectionPool https://api.github.com:443
2024-10-11T16:28:16.0465107Z [END Private.InternalDiagnostics.System.Net.Http - HandlerMessage]
2024-10-11T16:28:16.0510496Z [START Private.InternalDiagnostics.System.Net.Http - HandlerMessage]
2024-10-11T16:28:16.0510674Z 63062333
2024-10-11T16:28:16.0510712Z 0
2024-10-11T16:28:16.0510731Z 0
2024-10-11T16:28:16.0510749Z CheckForHttp11ConnectionInjection
2024-10-11T16:28:16.0510767Z Available HTTP/1.1 connections: 0, Requests in the queue: 1, Pending HTTP/1.1 connections: 0, Total associated HTTP/1.1 connections: 0, Max HTTP/1.1 connection limit: 2147483647.
2024-10-11T16:28:16.0510782Z [END Private.InternalDiagnostics.System.Net.Http - HandlerMessage]
2024-10-11T16:28:16.0513230Z [START Private.InternalDiagnostics.System.Net.Http - HandlerMessage]
2024-10-11T16:28:16.0513319Z 63062333
2024-10-11T16:28:16.0513354Z 0
2024-10-11T16:28:16.0513375Z 0
2024-10-11T16:28:16.0513392Z GetHttp11ConnectionAsync
2024-10-11T16:28:16.0513439Z No available HTTP/1.1 connections; request queued.
2024-10-11T16:28:16.0513457Z [END Private.InternalDiagnostics.System.Net.Http - HandlerMessage]
2024-10-11T16:28:16.0516660Z [START Private.InternalDiagnostics.System.Net.Http - HandlerMessage]
2024-10-11T16:28:16.0516837Z 63062333
2024-10-11T16:28:16.0516870Z 0
2024-10-11T16:28:16.0516889Z 0
2024-10-11T16:28:16.0516908Z AddHttp11ConnectionAsync
2024-10-11T16:28:16.0516928Z Creating new HTTP/1.1 connection for pool.
2024-10-11T16:28:16.0516943Z [END Private.InternalDiagnostics.System.Net.Http - HandlerMessage]
2024-10-11T16:28:16.0782091Z [START System.Net.Security - HandshakeStart]
2024-10-11T16:28:16.0782251Z False
2024-10-11T16:28:16.0782282Z api.github.com
2024-10-11T16:28:16.0782301Z [END System.Net.Security - HandshakeStart]
2024-10-11T16:28:16.0997788Z [START Private.InternalDiagnostics.System.Net.Security - SentFrame]
2024-10-11T16:28:16.0997995Z SslStream#41622463
2024-10-11T16:28:16.0998040Z Tls:ClientHello[288] TargetName='api.github.com' SupportedVersion='Tls, Tls12, Tls13' ApplicationProtocols='None'
2024-10-11T16:28:16.0998075Z 1
2024-10-11T16:28:16.0998091Z [END Private.InternalDiagnostics.System.Net.Security - SentFrame]
2024-10-11T16:28:16.1108168Z [START Private.InternalDiagnostics.System.Net.Security - SentFrame]
2024-10-11T16:28:16.1108338Z SslStream#41622463
2024-10-11T16:28:16.1108368Z Tls12:ChangeCipherSpec[1]
2024-10-11T16:28:16.1108399Z 0
2024-10-11T16:28:16.1108419Z [END Private.InternalDiagnostics.System.Net.Security - SentFrame]
2024-10-11T16:28:16.1321056Z [START Private.InternalDiagnostics.System.Net.Security - RemoteCertificate]
2024-10-11T16:28:16.1321470Z [Version]
2024-10-11T16:28:16.1321495Z   V3
2024-10-11T16:28:16.1321509Z 
2024-10-11T16:28:16.1321522Z [Subject]
2024-10-11T16:28:16.1321533Z   CN=*.github.com
2024-10-11T16:28:16.1321543Z   Simple Name: *.github.com
2024-10-11T16:28:16.1321552Z   DNS Name: *.github.com
2024-10-11T16:28:16.1321658Z 
2024-10-11T16:28:16.1321670Z [Issuer]
2024-10-11T16:28:16.1321680Z   CN=Sectigo ECC Domain Validation Secure Server CA, O=Sectigo Limited, L=Salford, S=Greater Manchester, C=GB
2024-10-11T16:28:16.1321691Z   Simple Name: Sectigo ECC Domain Validation Secure Server CA
2024-10-11T16:28:16.1321717Z   DNS Name: Sectigo ECC Domain Validation Secure Server CA
2024-10-11T16:28:16.1321728Z 
2024-10-11T16:28:16.1321738Z [Serial Number]
2024-10-11T16:28:16.1321748Z   008BDC0FFF54772FAAD173273F23362AAF
2024-10-11T16:28:16.1321758Z 
2024-10-11T16:28:16.1321767Z [Not Before]
2024-10-11T16:28:16.1321776Z   03/07/2024 00:00:00
2024-10-11T16:28:16.1321785Z 
2024-10-11T16:28:16.1321794Z [Not After]
2024-10-11T16:28:16.1321805Z   03/07/2025 23:59:59
2024-10-11T16:28:16.1321841Z 
2024-10-11T16:28:16.1321913Z [Thumbprint]
2024-10-11T16:28:16.1321923Z   0DF6EC50FAEDAE6E13AF829452F7111B0ACF7C20
2024-10-11T16:28:16.1321933Z 
2024-10-11T16:28:16.1321942Z [Signature Algorithm]
2024-10-11T16:28:16.1321951Z   sha256ECDSA(1.2.840.10045.4.3.2)
2024-10-11T16:28:16.1321961Z 
2024-10-11T16:28:16.1321970Z [Public Key]
2024-10-11T16:28:16.1321979Z   Algorithm: ECC
2024-10-11T16:28:16.1321988Z   Length: 
2024-10-11T16:28:16.1321997Z   Key Blob: 0470031849449B010A4133A3093799110F9815A71BCA420A43E234388D8D42A8D39E58FEDF3A49FE3F176226AEFA42FE5B3E6BF7B53C43EA9961A0D0D80E886F32
2024-10-11T16:28:16.1322007Z   Parameters: 06082A8648CE3D030107
2024-10-11T16:28:16.1322016Z 
2024-10-11T16:28:16.1322025Z [Extensions]
2024-10-11T16:28:16.1322034Z * X509v3 Authority Key Identifier(2.5.29.35):
2024-10-11T16:28:16.1322043Z   F6:85:0A:3B:11:86:E1:04:7D:0E:AA:0B:2C:D2:EE:CC:64:7B:7B:AE
2024-10-11T16:28:16.1322053Z * X509v3 Subject Key Identifier(2.5.29.14):
2024-10-11T16:28:16.1322272Z   2C:D5:9F:32:48:98:6A:F9:B9:5B:BD:65:51:E9:E9:75:D7:20:B1:96
2024-10-11T16:28:16.1322326Z * X509v3 Key Usage(2.5.29.15):
2024-10-11T16:28:16.1322337Z   Digital Signature
2024-10-11T16:28:16.1322347Z * X509v3 Basic Constraints(2.5.29.19):
2024-10-11T16:28:16.1322356Z   CA:FALSE
2024-10-11T16:28:16.1322366Z * X509v3 Extended Key Usage(2.5.29.37):
2024-10-11T16:28:16.1322375Z   TLS Web Server Authentication, TLS Web Client Authentication
2024-10-11T16:28:16.1322385Z * X509v3 Certificate Policies(2.5.29.32):
2024-10-11T16:28:16.1322395Z   Policy: 1.3.6.1.4.1.6449.1.2.2.7
2024-10-11T16:28:16.1322404Z 
2024-10-11T16:28:16.1322413Z * Authority Information Access(1.3.6.1.5.5.7.1.1):
2024-10-11T16:28:16.1322423Z   CA Issuers - URI:http://crt.sectigo.com/SectigoECCDomainValidationSecureServerCA.crt
2024-10-11T16:28:16.1322433Z 
2024-10-11T16:28:16.1322442Z * CT Precertificate SCTs(1.3.6.1.4.1.11129.2.4.2):
2024-10-11T16:28:16.1322451Z   Signed Certificate Timestamp:
2024-10-11T16:28:16.1322460Z 
2024-10-11T16:28:16.1322469Z * X509v3 Subject Alternative Name(2.5.29.17):
2024-10-11T16:28:16.1322479Z   DNS:*.github.com, DNS:github.com
2024-10-11T16:28:16.1322488Z 
2024-10-11T16:28:16.1322550Z [END Private.InternalDiagnostics.System.Net.Security - RemoteCertificate]
2024-10-11T16:28:16.2478618Z [START Private.InternalDiagnostics.System.Net.Security - RemoteCertificateError]
2024-10-11T16:28:16.2478803Z 31364015
2024-10-11T16:28:16.2478836Z Remote certificate has errors:
2024-10-11T16:28:16.2478854Z [END Private.InternalDiagnostics.System.Net.Security - RemoteCertificateError]
2024-10-11T16:28:16.2479095Z [START Private.InternalDiagnostics.System.Net.Security - RemoteCertificateError]
2024-10-11T16:28:16.2479139Z 31364015
2024-10-11T16:28:16.2479174Z ChainStatus: 	certificate has expired
2024-10-11T16:28:16.2479188Z [END Private.InternalDiagnostics.System.Net.Security - RemoteCertificateError]
2024-10-11T16:28:16.2495744Z [START System.Net.Security - HandshakeFailed]
2024-10-11T16:28:16.2495915Z False
2024-10-11T16:28:16.2497157Z 171.2801
2024-10-11T16:28:16.2497182Z The remote certificate is invalid because of errors in the certificate chain: NotTimeValid
2024-10-11T16:28:16.2497199Z [END System.Net.Security - HandshakeFailed]
2024-10-11T16:28:16.2497377Z [START System.Net.Security - HandshakeStop]
2024-10-11T16:28:16.2497416Z 0
2024-10-11T16:28:16.2497434Z [END System.Net.Security - HandshakeStop]
2024-10-11T16:28:16.2646056Z [START Private.InternalDiagnostics.System.Net.Http - HandlerMessage]
2024-10-11T16:28:16.2646217Z 63062333
2024-10-11T16:28:16.2646257Z 0
2024-10-11T16:28:16.2646277Z 0
2024-10-11T16:28:16.2646299Z HandleHttp11ConnectionFailure
2024-10-11T16:28:16.2646362Z HTTP/1.1 connection failed: System.Net.Http.HttpRequestException: The SSL connection could not be established, see inner exception.
2024-10-11T16:28:16.2646375Z  ---> System.Security.Authentication.AuthenticationException: The remote certificate is invalid because of errors in the certificate chain: NotTimeValid
2024-10-11T16:28:16.2646397Z    at System.Net.Security.SslStream.SendAuthResetSignal(ProtocolToken message, ExceptionDispatchInfo exception)
2024-10-11T16:28:16.2646408Z    at System.Net.Security.SslStream.CompleteHandshake(SslAuthenticationOptions sslAuthenticationOptions)
2024-10-11T16:28:16.2646438Z    at System.Net.Security.SslStream.ForceAuthenticationAsync[TIOAdapter](TIOAdapter adapter, Boolean receiveFirst, Byte[] reAuthenticationData, Boolean isApm)
2024-10-11T16:28:16.2646449Z    at System.Net.Security.SslStream.ProcessAuthenticationWithTelemetryAsync(Boolean isAsync, Boolean isApm, CancellationToken cancellationToken)
2024-10-11T16:28:16.2646459Z    at System.Net.Http.ConnectHelper.EstablishSslConnectionAsync(SslClientAuthenticationOptions sslOptions, HttpRequestMessage request, Boolean async, Stream stream, CancellationToken cancellationToken)
2024-10-11T16:28:16.2646473Z    --- End of inner exception stack trace ---
2024-10-11T16:28:16.2646483Z    at System.Net.Http.ConnectHelper.EstablishSslConnectionAsync(SslClientAuthenticationOptions sslOptions, HttpRequestMessage request, Boolean async, Stream stream, CancellationToken cancellationToken)
2024-10-11T16:28:16.2646493Z    at System.Net.Http.HttpConnectionPool.ConnectAsync(HttpRequestMessage request, Boolean async, CancellationToken cancellationToken)
2024-10-11T16:28:16.2646503Z    at System.Net.Http.HttpConnectionPool.CreateHttp11ConnectionAsync(HttpRequestMessage request, Boolean async, CancellationToken cancellationToken)
2024-10-11T16:28:16.2646514Z    at System.Net.Http.HttpConnectionPool.AddHttp11ConnectionAsync(HttpRequestMessage request)
2024-10-11T16:28:16.2646534Z [END Private.InternalDiagnostics.System.Net.Http - HandlerMessage]
2024-10-11T16:28:16.2665125Z [START System.Net.Http - RequestLeftQueue]
2024-10-11T16:28:16.2665448Z 215.0822
2024-10-11T16:28:16.2665501Z 1
2024-10-11T16:28:16.2665522Z 1
2024-10-11T16:28:16.2665539Z [END System.Net.Http - RequestLeftQueue]
2024-10-11T16:28:16.2685936Z [START System.Net.Http - RequestFailed]
2024-10-11T16:28:16.2686083Z The SSL connection could not be established, see inner exception.
2024-10-11T16:28:16.2686115Z [END System.Net.Http - RequestFailed]
2024-10-11T16:28:16.2706906Z [START Private.InternalDiagnostics.System.Net.Http - ErrorMessage]
2024-10-11T16:28:16.2707005Z HttpClient#66166301
2024-10-11T16:28:16.2707029Z HandleFailure
2024-10-11T16:28:16.2707100Z System.Net.Http.HttpRequestException: The SSL connection could not be established, see inner exception.
2024-10-11T16:28:16.2707112Z  ---> System.Security.Authentication.AuthenticationException: The remote certificate is invalid because of errors in the certificate chain: NotTimeValid
2024-10-11T16:28:16.2707251Z    at System.Net.Security.SslStream.SendAuthResetSignal(ProtocolToken message, ExceptionDispatchInfo exception)
2024-10-11T16:28:16.2707264Z    at System.Net.Security.SslStream.CompleteHandshake(SslAuthenticationOptions sslAuthenticationOptions)
2024-10-11T16:28:16.2707282Z    at System.Net.Security.SslStream.ForceAuthenticationAsync[TIOAdapter](TIOAdapter adapter, Boolean receiveFirst, Byte[] reAuthenticationData, Boolean isApm)
2024-10-11T16:28:16.2707292Z    at System.Net.Security.SslStream.ProcessAuthenticationWithTelemetryAsync(Boolean isAsync, Boolean isApm, CancellationToken cancellationToken)
2024-10-11T16:28:16.2707303Z    at System.Net.Http.ConnectHelper.EstablishSslConnectionAsync(SslClientAuthenticationOptions sslOptions, HttpRequestMessage request, Boolean async, Stream stream, CancellationToken cancellationToken)
2024-10-11T16:28:16.2707338Z    --- End of inner exception stack trace ---
2024-10-11T16:28:16.2707385Z    at System.Net.Http.ConnectHelper.EstablishSslConnectionAsync(SslClientAuthenticationOptions sslOptions, HttpRequestMessage request, Boolean async, Stream stream, CancellationToken cancellationToken)
2024-10-11T16:28:16.2707396Z    at System.Net.Http.HttpConnectionPool.ConnectAsync(HttpRequestMessage request, Boolean async, CancellationToken cancellationToken)
2024-10-11T16:28:16.2707407Z    at System.Net.Http.HttpConnectionPool.CreateHttp11ConnectionAsync(HttpRequestMessage request, Boolean async, CancellationToken cancellationToken)
2024-10-11T16:28:16.2707417Z    at System.Net.Http.HttpConnectionPool.AddHttp11ConnectionAsync(HttpRequestMessage request)
2024-10-11T16:28:16.2707427Z    at System.Threading.Tasks.TaskCompletionSourceWithCancellation`1.WaitWithCancellationAsync(CancellationToken cancellationToken)
2024-10-11T16:28:16.2707444Z    at System.Net.Http.HttpConnectionPool.GetHttp11ConnectionAsync(HttpRequestMessage request, Boolean async, CancellationToken cancellationToken)
2024-10-11T16:28:16.2707491Z    at System.Net.Http.HttpConnectionPool.SendWithVersionDetectionAndRetryAsync(HttpRequestMessage request, Boolean async, Boolean doRequestAuth, CancellationToken cancellationToken)
2024-10-11T16:28:16.2707503Z    at System.Net.Http.RedirectHandler.SendAsync(HttpRequestMessage request, Boolean async, CancellationToken cancellationToken)
2024-10-11T16:28:16.2707514Z    at System.Net.Http.HttpClient.<SendAsync>g__Core|83_0(HttpRequestMessage request, HttpCompletionOption completionOption, CancellationTokenSource cts, Boolean disposeCts, CancellationTokenSource pendingRequestsCts, CancellationToken originalCancellationToken)
2024-10-11T16:28:16.2707535Z [END Private.InternalDiagnostics.System.Net.Http - ErrorMessage]
2024-10-11T16:28:16.2708732Z [START System.Net.Http - RequestStop]
2024-10-11T16:28:16.2708829Z -1
2024-10-11T16:28:16.2708847Z [END System.Net.Http - RequestStop]
2024-10-11T16:28:16.2732063Z [START Private.InternalDiagnostics.System.Net.Http - HandlerMessage]
2024-10-11T16:28:16.2732173Z 63062333
2024-10-11T16:28:16.2732203Z 0
2024-10-11T16:28:16.2732230Z 0
2024-10-11T16:28:16.2732256Z Dispose
2024-10-11T16:28:16.2732274Z Disposing pool.
2024-10-11T16:28:16.2732287Z [END Private.InternalDiagnostics.System.Net.Http - HandlerMessage]
2024-10-11T16:28:16.2736490Z ***************************************************************************************************************
2024-10-11T16:28:16.2736514Z ****                                                                                                       ****
2024-10-11T16:28:16.2736531Z ****     Https request 'GET' to https://api.github.com failed with error: System.Net.Http.HttpRequestException: The SSL connection could not be established, see inner exception.
 ---> System.Security.Authentication.AuthenticationException: The remote certificate is invalid because of errors in the certificate chain: NotTimeValid
   at System.Net.Security.SslStream.SendAuthResetSignal(ProtocolToken message, ExceptionDispatchInfo exception)
   at System.Net.Security.SslStream.CompleteHandshake(SslAuthenticationOptions sslAuthenticationOptions)
   at System.Net.Security.SslStream.ForceAuthenticationAsync[TIOAdapter](TIOAdapter adapter, Boolean receiveFirst, Byte[] reAuthenticationData, Boolean isApm)
   at System.Net.Security.SslStream.ProcessAuthenticationWithTelemetryAsync(Boolean isAsync, Boolean isApm, CancellationToken cancellationToken)
   at System.Net.Http.ConnectHelper.EstablishSslConnectionAsync(SslClientAuthenticationOptions sslOptions, HttpRequestMessage request, Boolean async, Stream stream, CancellationToken cancellationToken)
   --- End of inner exception stack trace ---
   at System.Net.Http.ConnectHelper.EstablishSslConnectionAsync(SslClientAuthenticationOptions sslOptions, HttpRequestMessage request, Boolean async, Stream stream, CancellationToken cancellationToken)
   at System.Net.Http.HttpConnectionPool.ConnectAsync(HttpRequestMessage request, Boolean async, CancellationToken cancellationToken)
   at System.Net.Http.HttpConnectionPool.CreateHttp11ConnectionAsync(HttpRequestMessage request, Boolean async, CancellationToken cancellationToken)
   at System.Net.Http.HttpConnectionPool.AddHttp11ConnectionAsync(HttpRequestMessage request)
   at System.Threading.Tasks.TaskCompletionSourceWithCancellation`1.WaitWithCancellationAsync(CancellationToken cancellationToken)
   at System.Net.Http.HttpConnectionPool.GetHttp11ConnectionAsync(HttpRequestMessage request, Boolean async, CancellationToken cancellationToken)
   at System.Net.Http.HttpConnectionPool.SendWithVersionDetectionAndRetryAsync(HttpRequestMessage request, Boolean async, Boolean doRequestAuth, CancellationToken cancellationToken)
   at System.Net.Http.RedirectHandler.SendAsync(HttpRequestMessage request, Boolean async, CancellationToken cancellationToken)
   at System.Net.Http.HttpClient.<SendAsync>g__Core|83_0(HttpRequestMessage request, HttpCompletionOption completionOption, CancellationTokenSource cts, Boolean disposeCts, CancellationTokenSource pendingRequestsCts, CancellationToken originalCancellationToken)
   at GitHub.Runner.Listener.Check.CheckUtil.CheckHttpsGetRequests(IHostContext hostContext, String url, String pat, String expectedHeader)
2024-10-11T16:28:16.2747472Z ****                                                                                                       ****
2024-10-11T16:28:16.2747494Z ***************************************************************************************************************

To Reproduce
See Docker image setup info below.

Runner Version and Platform

v2.320 (though v2.319 didn't work either.)

OS of the machine running the runner? Linux (Raspberry Pi OS arm64 with an armv7l/armhf docker container containing the runner.)

Job Log Output

--------------------------------------------------------------------------------
|        ____ _ _   _   _       _          _        _   _                      |
|       / ___(_) |_| | | |_   _| |__      / \   ___| |_(_) ___  _ __  ___      |
|      | |  _| | __| |_| | | | | '_ \    / _ \ / __| __| |/ _ \| '_ \/ __|     |
|      | |_| | | |_|  _  | |_| | |_) |  / ___ \ (__| |_| | (_) | | | \__ \     |
|       \____|_|\__|_| |_|\__,_|_.__/  /_/   \_\___|\__|_|\___/|_| |_|___/     |
|                                                                              |
|                       Self-hosted runner registration                        |
|                                                                              |
--------------------------------------------------------------------------------

# Authentication

The SSL connection could not be established, see inner exception.
An error occurred: Not configured. Run config.(sh/cmd) to configure the runner.
Runner listener exit with terminated error, stop the service, no retry needed.
Exiting runner...

Runner and Worker's Diagnostic Logs

Looking at the _diag Runner logs, I see the same thing:

[2024-10-11 13:47:36Z ERR  ConfigurationManager] Failed to get tenant credentials -- Attempt: 1
[2024-10-11 13:47:36Z ERR  ConfigurationManager] System.Net.Http.HttpRequestException: The SSL connection could not be established, see inner exception.
 ---> System.Security.Authentication.AuthenticationException: The remote certificate is invalid because of errors in the certificate chain: NotTimeValid
   at System.Net.Security.SslStream.SendAuthResetSignal(ProtocolToken message, ExceptionDispatchInfo exception)
   at System.Net.Security.SslStream.CompleteHandshake(SslAuthenticationOptions sslAuthenticationOptions)
   at System.Net.Security.SslStream.ForceAuthenticationAsync[TIOAdapter](TIOAdapter adapter, Boolean receiveFirst, Byte[] reAuthenticationData, Boolean isApm)
   at System.Net.Http.ConnectHelper.EstablishSslConnectionAsync(SslClientAuthenticationOptions sslOptions, HttpRequestMessage request, Boolean async, Stream stream, CancellationToken cancellationToken)
   --- End of inner exception stack trace ---
   at System.Net.Http.ConnectHelper.EstablishSslConnectionAsync(SslClientAuthenticationOptions sslOptions, HttpRequestMessage request, Boolean async, Stream stream, CancellationToken cancellationToken)
   at System.Net.Http.HttpConnectionPool.ConnectAsync(HttpRequestMessage request, Boolean async, CancellationToken cancellationToken)
   at System.Net.Http.HttpConnectionPool.CreateHttp11ConnectionAsync(HttpRequestMessage request, Boolean async, CancellationToken cancellationToken)
   at System.Net.Http.HttpConnectionPool.AddHttp11ConnectionAsync(HttpRequestMessage request)
   at System.Threading.Tasks.TaskCompletionSourceWithCancellation`1.WaitWithCancellationAsync(CancellationToken cancellationToken)
   at System.Net.Http.HttpConnectionPool.GetHttp11ConnectionAsync(HttpRequestMessage request, Boolean async, CancellationToken cancellationToken)
   at System.Net.Http.HttpConnectionPool.SendWithVersionDetectionAndRetryAsync(HttpRequestMessage request, Boolean async, Boolean doRequestAuth, CancellationToken cancellationToken)
   at System.Net.Http.RedirectHandler.SendAsync(HttpRequestMessage request, Boolean async, CancellationToken cancellationToken)
   at System.Net.Http.HttpClient.<SendAsync>g__Core|83_0(HttpRequestMessage request, HttpCompletionOption completionOption, CancellationTokenSource cts, Boolean disposeCts, CancellationTokenSource pendingRequestsCts, CancellationToken originalCancellationToken)
   at GitHub.Runner.Listener.Configuration.ConfigurationManager.GetTenantCredential(String githubUrl, String githubToken, String runnerEvent)
[2024-10-11 13:47:36Z ERR  ConfigurationManager] #####################################################
[2024-10-11 13:47:36Z ERR  ConfigurationManager] System.Security.Authentication.AuthenticationException: The remote certificate is invalid because of errors in the certificate chain: NotTimeValid

This is the Dockerfile I am using:


# install python and the packages your code depends on, along with jq so we can parse JSON
# add additional packages as necessary
RUN DEBIAN_FRONTEND=noninteractive apt-get update -y \
    && apt-get upgrade -y \
    && apt-get install -y --no-install-recommends \
      curl jq build-essential libssl-dev libffi-dev python3 python3-venv python3-dev python3-pip \
    && apt-get install -y ca-certificates libicu-dev ruby inetutils-ping vim git gh sudo file \
    && install -m 0755 -d /etc/apt/keyrings \
    && curl -fsSL https://download.docker.com/linux/ubuntu/gpg -o /etc/apt/keyrings/docker.asc \
    && chmod a+r /etc/apt/keyrings/docker.asc \
    && echo \
     "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.asc] https://download.docker.com/linux/ubuntu \
   $(. /etc/os-release && echo "$VERSION_CODENAME") stable" | \
     tee /etc/apt/sources.list.d/docker.list > /dev/null \
   && apt-get update \
   && apt-get install -y docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin \
   && useradd -m docker -g docker \
   && echo "docker ALL=(ALL) NOPASSWD: ALL" >> /etc/sudoers



# set the github runner version, cd into the user directory, download and unzip the github actions runner
RUN RUNNER_VERSION=$(git -c 'versionsort.suffix=-' ls-remote --exit-code --refs --sort='version:refname' --tags https://github.com/actions/runner '*.*.*' | tail --lines=1 | cut --delimiter='/' --fields=3 | sed 's/v//') \
  && cd /home/docker && mkdir actions-runner && cd actions-runner \
  && curl -O -L https://github.com/actions/runner/releases/download/v${RUNNER_VERSION}/actions-runner-linux-arm-${RUNNER_VERSION}.tar.gz \
  && tar xzf ./actions-runner-linux-arm-${RUNNER_VERSION}.tar.gz && rm ./actions-runner-linux-arm-${RUNNER_VERSION}.tar.gz

RUN --mount=type=bind,target=/input <<EOF1
tee -a /start.sh <<RUNNERSTARTEOF
#!/bin/bash

ORGANIZATION=\$ORGANIZATION
ACCESS_TOKEN=\$ACCESS_TOKEN

cd /home/docker/actions-runner

./config.sh --url https://github.com/\${ORGANIZATION} --token \${ACCESS_TOKEN}

cleanup() {
    echo "Removing runner..."
    ./config.sh remove --unattended --token \${ACCESS_TOKEN}
}

trap 'cleanup; exit 130' INT
trap 'cleanup; exit 143' TERM

./run.sh & wait \$!
RUNNERSTARTEOF
chmod +x /start.sh
EOF1

# since the config and run script for actions are not allowed to be run by root,
# set the user to "docker" so all subsequent commands are run as the docker user
USER docker

# use cmd instead of entrypoint for easier debugging...
CMD ["./start.sh"]

I build the container on a Raspberry Pi 5B running the 64-bit Raspberry Pi OS with 4k pages set via booting with the kernel8.img (which allows me to use armv7l/armv8l functionality) using:

docker build --platform linux/arm/v7 --tag runner-image-arm .

I can start the container thus:

docker run -it   --privileged   --init   -v /var/run/docker.sock:/var/run/docker.sock  \
   --env ORGANIZATION=<org>  \
   --env ACCESS_TOKEN=<token>  \
   --name runner-arm  \
   --platform linux/arm/v7  \
   runner-image-arm
@satmandu satmandu added the bug Something isn't working label Oct 11, 2024
@satmandu satmandu changed the title Runner fails to pass check on arm (armv7l/armhf) Runner fails on arm (armv7l/armhf) with "The SSL connection could not be established, see inner exception." Oct 11, 2024
@satmandu
Author

This may be connected to dotnet/runtime#101444

Which was apparently fixed in dotnet/runtime#102410

But just doing a dotnet 8 build of the current runner from master still has the same issue....

satmandu added a commit to satmandu/runner that referenced this issue Oct 23, 2024
See actions#3505
dotnet/runtime#101444
dotnet/runtime#96460
dotnet/runtime#102410

(Looks like this has not been backported to .Net 8.x...)

Signed-off-by: Satadru Pramanik <[email protected]>
satmandu added a commit to satmandu/runner that referenced this issue Oct 23, 2024
This updates .Net to 9.0.100-rc.2.24474.11 .
See actions#3505
dotnet/runtime#101444
dotnet/runtime#96460
dotnet/runtime#102410

(Looks like this has not been backported to .Net 8.x...)

Signed-off-by: Satadru Pramanik <[email protected]>
@satmandu
Author

So it appears that this is broken with both .Net 6.0 and .Net 8.0, but fixed with .Net 9.0.

I patched from top of tree to use .Net 9.0 RC2, and I am no longer having authentication failures:
satmandu#1

I have opened an issue to request that the likely responsible Y2038 fixes be backported from .Net 9.0 to 8.x:

dotnet/runtime#109161

@satmandu satmandu changed the title Runner fails on arm (armv7l/armhf) with "The SSL connection could not be established, see inner exception." Arm Runner authentication broken w/ .Net 6.0 & .Net 8.0, fixed with .Net 9.0. "The SSL connection could not be established, see inner exception." Oct 23, 2024
@satmandu
Author

After patching to use .Net 9.0 this is what I get:

RUNNER_ARCH is arm

--------------------------------------------------------------------------------
|        ____ _ _   _   _       _          _        _   _                      |
|       / ___(_) |_| | | |_   _| |__      / \   ___| |_(_) ___  _ __  ___      |
|      | |  _| | __| |_| | | | | '_ \    / _ \ / __| __| |/ _ \| '_ \/ __|     |
|      | |_| | | |_|  _  | |_| | |_) |  / ___ \ (__| |_| | (_) | | | \__ \     |
|       \____|_|\__|_| |_|\__,_|_.__/  /_/   \_\___|\__|_|\___/|_| |_|___/     |
|                                                                              |
|                       Self-hosted runner registration                        |
|                                                                              |
--------------------------------------------------------------------------------

# Authentication


√ Connected to GitHub

# Runner Registration




√ Runner successfully added
√ Runner connection is good

# Runner settings


√ Settings Saved.


√ Connected to GitHub

Current runner version: '2.320.1'
2024-10-23 17:31:40Z: Listening for Jobs

@satmandu satmandu changed the title Arm Runner authentication broken w/ .Net 6.0 & .Net 8.0, fixed with .Net 9.0. "The SSL connection could not be established, see inner exception." Arm Runner authentication broken w/ .Net 6.0 & .Net 8.0 on Ubuntu 24.x, fixed with .Net 9.0. "The SSL connection could not be established, see inner exception." Oct 23, 2024
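A triage helper for the failure reported in this thread, added here as an example (it is not code from the reporter or from actions/runner): it separates a wrong system clock from the 32-bit Arm / pre-9.0 .NET combination described above before anyone starts editing trust stores. The function names and result labels are hypothetical, and reading the runtime version from the `tfm` field of a `*.runtimeconfig.json` is an assumption about how the runner build is laid out.

```shell
#!/bin/sh
# Added example: triage a "NotTimeValid" chain error from the runner log.
# Function names and result labels are hypothetical.

# Major version of the .NET runtime an app was built for, read from the "tfm"
# field of its *.runtimeconfig.json (assumed layout, e.g. "tfm": "net8.0").
dotnet_major() {
    sed -n 's/.*"tfm"[[:space:]]*:[[:space:]]*"net\([0-9][0-9]*\)\..*/\1/p' "$1" | head -n 1
}

# triage LOG BITS DOTNET_MAJOR NOW_EPOCH FLOOR_EPOCH
#   BITS        userland word size (getconf LONG_BIT)
#   FLOOR_EPOCH a time the clock cannot legitimately be behind, such as the
#               mtime of a file written during the image build
triage() {
    log=$1 bits=$2 major=$3 now=$4 floor=$5
    if ! grep -q 'errors in the certificate chain: NotTimeValid' "$log"; then
        echo "no-match"; return 0
    fi
    # A clock set earlier than the image build can make certificates look
    # not yet valid, whatever runtime is in use. Rule that out first.
    if [ "$now" -lt "$floor" ]; then
        echo "clock-behind"; return 0
    fi
    case $major in
        ''|*[!0-9]*) echo "unknown-runtime"; return 0 ;;
    esac
    # Conditions reported in this thread: 32-bit Arm userland, .NET older than 9.0.
    if [ "$bits" -eq 32 ] && [ "$major" -lt 9 ]; then
        echo "arm32-runtime-time64"; return 0
    fi
    # Clock sane and runtime not implicated: look at the served chain itself.
    echo "inspect-chain"
}

# Gather the live values inside the container and classify.
# usage: triage_here LOG RUNTIMECONFIG_JSON BUILD_TIME_FILE
triage_here() {
    triage "$1" "$(getconf LONG_BIT)" "$(dotnet_major "$2")" \
        "$(date +%s)" "$(stat -c %Y "$3")"
}
```

A result of `arm32-runtime-time64` points at the runtime upgrade discussed in this issue; `clock-behind` means the host or container clock needs fixing first.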