Error: unable to get local issuer certificate

[jwang242]

Setup-nuget action failed on self-hosted MacOS runner.
Error: unable to get local issuer certificate

I have exported our company certificate from keychain and added the NODE_EXTRA_CA_CERTS environment variable (value is the path of the certificate file) to the runner .env file. Restarted the runner but got the same error.

I also modified the "setup nuget" step in the workflow file with the environment variable but it made no difference.
name: Setup NuGet.exe
uses: NuGet/setup-nuget@v1.0.7
env:
NODE_EXTRA_CA_CERTS: TheCertificatePath

Please help.

[jeffkl]

The setup-nuget action simply downloads NuGet.exe from https://dist.nuget.org. It sounds like the certificate chain is broken and the machine is unable to verify the certificate of the remote URL.

[jwang242]

The browser on the machine can access https://dist.nuget.org without issue. So the certificate is fine. The runner machine is behind a corporate proxy. The issue seems to be related with Node's inability to use the certificate from macOS Keychain, nodejs/node#39657. Any thoughts? I tried the NODE_EXTRA_CA_CERTS variable workaround but had no success.

[dtivel]

Here's a shot in the dark. Can you try adding this intermediate certificate into Node's extra certs bundle?

# Subject:   CN=Microsoft Azure TLS Issuing CA 01, O=Microsoft Corporation, C=US
# Issuer:    CN=DigiCert Global Root G2, OU=www.digicert.com, O=DigiCert Inc, C=US
# Validity:  2020-07-29 12:30:00.000Z - 2024-06-27 23:59:59.000Z
# SHA-256:   24c7299864e0a2a6964f551c0e8df2461532fa8c48e4dbbb6080716691f190e5
# SHA-1:     2f2877c5d778c31e0f29c7e371df5471bd673173
# Purposes:  Server Authentication, Client Authentication
-----BEGIN CERTIFICATE-----
MIIF8zCCBNugAwIBAgIQCq+mxcpjxFFB6jvh98dTFzANBgkqhkiG9w0BAQwFADBh
MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3
d3cuZGlnaWNlcnQuY29tMSAwHgYDVQQDExdEaWdpQ2VydCBHbG9iYWwgUm9vdCBH
MjAeFw0yMDA3MjkxMjMwMDBaFw0yNDA2MjcyMzU5NTlaMFkxCzAJBgNVBAYTAlVT
MR4wHAYDVQQKExVNaWNyb3NvZnQgQ29ycG9yYXRpb24xKjAoBgNVBAMTIU1pY3Jv
c29mdCBBenVyZSBUTFMgSXNzdWluZyBDQSAwMTCCAiIwDQYJKoZIhvcNAQEBBQAD
ggIPADCCAgoCggIBAMedcDrkXufP7pxVm1FHLDNA9IjwHaMoaY8arqqZ4Gff4xyr
RygnavXL7g12MPAx8Q6Dd9hfBzrfWxkF0Br2wIvlvkzW01naNVSkHp+OS3hL3W6n
l/jYvZnVeJXjtsKYcXIf/6WtspcF5awlQ9LZJcjwaH7KoZuK+THpXCMtzD8XNVdm
GW/JI0C/7U/E7evXn9XDio8SYkGSM63aLO5BtLCv092+1d4GGBSQYolRq+7Pd1kR
EkWBPm0ywZ2Vb8GIS5DLrjelEkBnKCyy3B0yQud9dpVsiUeE7F5sY8Me96WVxQcb
OyYdEY/j/9UpDlOG+vA+YgOvBhkKEjiqygVpP8EZoMMijephzg43b5Qi9r5UrvYo
o19oR/8pf4HJNDPF0/FJwFVMW8PmCBLGstin3NE1+NeWTkGt0TzpHjgKyfaDP2tO
4bCk1G7pP2kDFT7SYfc8xbgCkFQ2UCEXsaH/f5YmpLn4YPiNFCeeIida7xnfTvc4
7IxyVccHHq1FzGygOqemrxEETKh8hvDR6eBdrBwmCHVgZrnAqnn93JtGyPLi6+cj
WGVGtMZHwzVvX1HvSFG771sskcEjJxiQNQDQRWHEh3NxvNb7kFlAXnVdRkkvhjpR
GchFhTAzqmwltdWhWDEyCMKC2x/mSZvZtlZGY+g37Y72qHzidwtyW7rBetZJAgMB
AAGjggGtMIIBqTAdBgNVHQ4EFgQUDyBd16FXlduSzyvQx8J3BM5ygHYwHwYDVR0j
BBgwFoAUTiJUIBiV5uNu5g/6+rkS7QYXjzkwDgYDVR0PAQH/BAQDAgGGMB0GA1Ud
JQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjASBgNVHRMBAf8ECDAGAQH/AgEAMHYG
CCsGAQUFBwEBBGowaDAkBggrBgEFBQcwAYYYaHR0cDovL29jc3AuZGlnaWNlcnQu
Y29tMEAGCCsGAQUFBzAChjRodHRwOi8vY2FjZXJ0cy5kaWdpY2VydC5jb20vRGln
aUNlcnRHbG9iYWxSb290RzIuY3J0MHsGA1UdHwR0MHIwN6A1oDOGMWh0dHA6Ly9j
cmwzLmRpZ2ljZXJ0LmNvbS9EaWdpQ2VydEdsb2JhbFJvb3RHMi5jcmwwN6A1oDOG
MWh0dHA6Ly9jcmw0LmRpZ2ljZXJ0LmNvbS9EaWdpQ2VydEdsb2JhbFJvb3RHMi5j
cmwwHQYDVR0gBBYwFDAIBgZngQwBAgEwCAYGZ4EMAQICMBAGCSsGAQQBgjcVAQQD
AgEAMA0GCSqGSIb3DQEBDAUAA4IBAQAlFvNh7QgXVLAZSsNR2XRmIn9iS8OHFCBA
WxKJoi8YYQafpMTkMqeuzoL3HWb1pYEipsDkhiMnrpfeYZEA7Lz7yqEEtfgHcEBs
K9KcStQGGZRfmWU07hPXHnFz+5gTXqzCE2PBMlRgVUYJiA25mJPXfB00gDvGhtYa
+mENwM9Bq1B9YYLyLjRtUz8cyGsdyTIG/bBM/Q9jcV8JGqMU/UjAdh1pFyTnnHEl
Y59Npi7F87ZqYYJEHJM2LGD+le8VsHjgeWX2CJQko7klXvcizuZvUEDTjHaQcs2J
+kPgfyMIOY1DMJ21NxOJ2xPRC/wAh/hzSBRVtoAnyuxtkZ4VjIOh
-----END CERTIFICATE-----

[jwang242]

Thanks for your replies. After I exported the certificate to PEM format (instead of the CER format which was the default when done previously), the 'Setup Nuget.exe' action succeeded with the NODE_EXTRA_CA_CERTS workaround.

[dtivel]

Glad it worked. Here's what I think the problem/solution was.

To build a certificate chain, you start from the end certificate and build to a root certificate. Usually, for publicly trusted certificates, there is one or more intermediate certificates in the middle. You already have the end certificate and, hopefully, the root certificate is already installed locally as a trusted root. Getting all intermediate certificates is a remaining task.

Many certificate chain building engines take advantage of an Authority Information Access (AIA) attribute in the certificate that provides a download URL for the issuing CA's certificate. Following the AIA attributes or "AIA chasing" is how you make intermediate certificates available locally for chain building.

Node.js doesn't do AIA chasing.

So, you have to manually download intermediate certificates and put them in a file for Node.js to use. I grabbed the intermediate certificate for the SSL certificate for https://dist.nuget.org/ and posted it in PEM format.

This should be documented.

[dtivel]

@jwang242, just to be super clear, which certificate did you export and specify using the NODE_EXTRA_CA_CERTS workaround? Was it your corporate proxy's intermediate CA's certificate or was it the intermediate certificate I posted above (for https://dist.nuget.org)?

[jwang242]

It's the corporate's Cisco Umbrella Root certificate which has already been installed locally.

[MartinBarkerPhilips]

It's the corporate's Cisco Umbrella Root certificate which has already been installed locally.

Where do you find this certificate ? I am facing the same error message as in your original post. My runner is on a coporate desktop machine, i have cisco anyconnect secure mobility client installed but am not sure how to fix this error message