Self-signed certificate error on Windows (GHES)

[adosztal]

Why are you starting this discussion?

Question

What GitHub Actions topic or product is this about?

Workflow Configuration

Discussion Details

Hello,

We have a GHES instance that uses an SSL certificate signed by my employer's CA certificate. Today I've set up a runner (v2.319.1, GHES default version) for testing purposes on my laptop, and started it as my user from a PowerShell terminal (i.e. it's not a service).

When my workflow tries to checkout a repo (actions/checkout@v4) I get the following message: Error: self-signed certificate in certificate chain. I can access the GHES instance without any certificate warnings from my browser, and I see our root and signing CA certs from the same terminal:

PS C:\Users\adosztal> Get-ChildItem Cert:\CurrentUser\Root\xxx

   PSParentPath: Microsoft.PowerShell.Security\Certificate::CurrentUser\Root

Thumbprint                                Subject
----------                                -------
xxx  CN=Company Global Root CA, O=Company, L=City, C=Country


PS C:\Users\adoosztal> Get-ChildItem Cert:\CurrentUser\CA\yyy

   PSParentPath: Microsoft.PowerShell.Security\Certificate::CurrentUser\CA

Thumbprint                                Subject
----------                                -------
yyy  CN=Company Signing CA, O=Company, L=City, C=Country

Btw the same certificates are there in the Local Machine's store too.

The runner can initially connect to GitHub when I start it with run.cmd:

PS C:\actions-runner> .\run.cmd
        1 file(s) copied.

√ Connected to GitHub

Current runner version: '2.319.1'
2025-06-19 11:14:38Z: Listening for Jobs

I tried the same from an Administrator PS window too, I got the same error.

How can I make the workflow use the proper certificates? Is there a way to point to the Windows certificate store with env.NODE_EXTRA_CA_CERTS?

[shakibbinkabir]

It sounds like your runner isn't trusting your company's CA certificates, even though they're in your Windows certificate store. The self-signed certificate in certificate chain error typically means Node.js (which powers the runner and actions) doesn't know about your internal CAs.

NODE_EXTRA_CA_CERTS is a good lead! However, it expects a path to a file containing PEM-encoded certificates, not a direct link to the Windows store.

Here's how you can likely fix it:

1. Export your CA certificates: Export your "Company Global Root CA" and "Company Signing CA" from the Windows certificate store into a single file in PEM format (Base64 encoded X.509). You can do this using the Certificate Manager (certmgr.msc).

2. Set NODE_EXTRA_CA_CERTS: Before running run.cmd, set the NODE_EXTRA_CA_CERTS environment variable to the path of the PEM file you created.

   $env:NODE_EXTRA_CA_CERTS="C:\path\to\your\ca_certs.pem"
   .\run.cmd

This should instruct Node.js to trust your custom CA certificates, resolving the self-signed certificate error.

[adosztal]

Thank you, @shakibbinkabir! My workflow is running fine now.