0

We are using the AZ CLI GitHub Action azure/CLI (https://github.com/marketplace/actions/azure-cli-action)

The script that this workflow calls makes an HTTP request to an external API. This cURL call fails with the following:

curl: (60) SSL certificate problem: certificate has expired
More details here: curl.haxx.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.

However I can confirm that the same request works locally.

The problem workflow step looks like this:

- name: Run script
  uses: azure/CLI@1.0.4
  with:
    azcliversion: 2.0.72
    inlineScript: |
      $GITHUB_WORKSPACE/github/scripts/script.sh

Why does cURL think that the SSL cert for the external API domain is expired, when I can make the same call to the same API domain successfully on my own machine?

sdgluck
  • 24,894
  • 8
  • 75
  • 90

1 Answers1

0

It seems the problem was that the azcliversion points to a version of the AZ CLI that has outdated certificates.

The problem was solved by removing the azcliversion field altogether, as the default version is latest, as specified in the docs for the action:

azcliversionOptional Example: 2.0.72, Default: latest

So the step now looks like this:

- name: Run script
  uses: azure/CLI@1.0.4
  with:
    inlineScript: |
      $GITHUB_WORKSPACE/github/scripts/script.sh

Probably related to this: https://twitter.com/letsencrypt/status/1443621997288767491

Our cross-signed DST Root CA X3 expired today. If you are hitting an error, check out fixes in our community forum. We're seeing higher than normal renewals, so you may experience a slowdown in getting your certificates.

sdgluck
  • 24,894
  • 8
  • 75
  • 90