9
votes

We are using an internal certificate on our server and I've followed the steps in

https://blogs.msdn.microsoft.com/tfssetup/2016/12/19/error-ssl-certificate-problem-unable-to-get-local-issuer-certificate/

as well as the steps here:

https://blogs.msdn.microsoft.com/phkelley/2014/01/20/adding-a-corporate-or-self-signed-certificate-authority-to-git-exes-store/

Error when running as a service:

git version
git config --get remote.origin.url
git config gc.auto 0
git config --get-all http.https://ourtfsserver:8443/tfs/path/_git/project.extraheader
git config --get-all http.proxy
git -c http.extraheader="AUTHORIZATION: bearer ********" fetch --tags --prune --progress origin
fatal: unable to access 'https://ourtfsserver:8443/tfs/path/_git/project/': SSL certificate problem: unable to get local issuer certificate
##[error]Git fetch failed with exit code: 128

When running with the same agent config but using .\run.cmd instead of as a service (same credentials) it works successfully:

git version
git config --get remote.origin.url
git config gc.auto 0
git config --get-all http.https://ourtfsserver:8443/tfs/path/_git/project.extraheader
git config --get-all http.proxy
git -c http.extraheader="AUTHORIZATION: bearer ********" fetch --tags --prune --progress origin
git checkout --progress --force {hash here}
(and continues onto next steps)

However, when I try to run it manually using our build agent account it gives the same Git fetch failed with exit code: 128 as above. I can manually git clone using these credentials though.

So I've tried:

git config --global http.sslVerify false

as well as manually setting the config file to include that variable.

I've also installed the certificate using IE to get it per the 2nd blog post.

I can manually pull down the project without issue as well, both as my account and our build agent account using git clone https://ourtfsserver:8443/tfs/path/_git/project c:\somefolder

I'm using TFS 2017 Update 1 RC2 from Feb 13th 2017 (https://www.visualstudio.com/en-us/news/releasenotes/tfs2017-update1); the previous version wouldn't let our build agent connect to TFS over HTTPS properly at all. Our old TFS 2015 build agent still works, but is missing the new features from the v2 agents.

Edit: Using set HTTP_PROXY=https://localhost:8888 I was able to get VSTS to use Fiddler as a proxy, and it made one request:

CONNECT our.local.tfs.fqdn:8443 HTTP/1.1
Host: our.local.tfs.fqdn:8443
User-Agent: git/2.10.0 (vsts-agent-git/2.112.0)

A SSLv3-compatible ClientHello handshake was found. Fiddler extracted the parameters below.

Version: 3.3 (TLS/1.2)
(bunch of other stuff it decrypted here)

for Auth it had:

No Proxy-Authorization Header is present.

No Authorization Header is present.
Eddie Chen - MSFT: Did you restart the build service after following the steps in the link? And a similar issue here: github.com/Microsoft/vsts-agent/issues/688
John: @Eddie-MSFT Yeah I've restarted that whole server a few times trying to get it to work :( Yeah I saw that link before and tried to do the same thing they have, also how I ended up with the blog in my OP. I wish that setting the SSL_Verify to false would work, as it's internal I don't really care about SSL that much, we only enabled it because it was required by the build agent in the first place to use PAT or other auth types.

6 Answers

3
votes

This is what I did to resolve the issue.

  • Download latest GIT from https://git-scm.com/downloads

  • During installation setup, select Windows Certificate store for SSL.

  • Go to Program files and copy the latest GIT folder.

  • Replace the git folder inside the agent/externals with the latest GIT folder.

  • Restart agent and build again.

2
votes

I ran into this problem as well. Are you sure you updated the correct custom trust-store? The one in the agent directory \externals\git\mingw64\ssl\certs\ca-bundle.crt ? This seems to be the one that the agent uses nowadays. So even though your system git may be working fine, the agent won't use that and thus won't trust your self-signed SSL cert.

update: if that fails too, you could try running the git.exe in there and setting the sslVerify flag to false, e.g.:

C:\agent\externals\git\cmd\git.exe config --global http.sslVerify false
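The step this answer recommends, adding the internal CA to the agent's own ca-bundle.crt rather than the system Git's, is easy to get wrong by pasting the certificate twice or into the wrong copy. As an added example (not the answer's own code and not part of the agent), here is a small Python script that merges a PEM-exported CA into a bundle idempotently, comparing DER fingerprints so a second run changes nothing. The bundle and CA paths are placeholders for the agent's `externals\git\mingw64\ssl\certs\ca-bundle.crt` and your exported root, and the PEM bodies are constructed labels, not real certificates.

```python
"""Add an internal CA certificate to a Git CA bundle without duplicating it.

Added example, not code from the answer or from the agent project. The paths
are placeholders (the bundle stands in for the agent's own copy under
<agent>\\externals\\git\\mingw64\\ssl\\certs\\ca-bundle.crt) and the PEM
bodies are constructed: base64 of a label, NOT real certificates.
"""
import base64
import hashlib
import re
from pathlib import Path

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.DOTALL
)


def _fake_pem(label: bytes) -> str:
    """Constructed PEM block whose 'DER' is just the label bytes (not a real cert)."""
    body = base64.b64encode(label).decode()
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


# Constructed sample data standing in for the agent's bundle and the exported CA.
SAMPLE_BUNDLE = "# constructed sample bundle\n" + _fake_pem(b"public-root-1") + _fake_pem(b"public-root-2")
INTERNAL_CA = _fake_pem(b"corp-internal-ca")


def pem_blocks(text: str) -> list[str]:
    """Base64 bodies of every CERTIFICATE block, with line breaks removed."""
    return [re.sub(r"\s+", "", body) for body in PEM_BLOCK.findall(text)]


def fingerprint(b64_body: str) -> str:
    """SHA-256 of the DER bytes: compares certificates, not their text layout."""
    return hashlib.sha256(base64.b64decode(b64_body)).hexdigest()


def merge_ca_into_bundle(bundle_text: str, ca_pem: str) -> tuple[str, list[str]]:
    """Append each certificate from ca_pem that the bundle lacks.

    Returns (new_bundle_text, fingerprints_added). Matching on DER fingerprint
    makes repeated runs idempotent even if the two files wrap lines differently.
    """
    present = {fingerprint(b) for b in pem_blocks(bundle_text)}
    out = bundle_text
    if out and not out.endswith("\n"):
        out += "\n"
    added = []
    for body in pem_blocks(ca_pem):
        fp = fingerprint(body)
        if fp in present:
            continue
        wrapped = "\n".join(body[i:i + 64] for i in range(0, len(body), 64))
        out += f"-----BEGIN CERTIFICATE-----\n{wrapped}\n-----END CERTIFICATE-----\n"
        present.add(fp)
        added.append(fp)
    return out, added


def add_ca_to_bundle_file(bundle_path: Path, ca_path: Path) -> list[str]:
    """Merge the CA file into the bundle on disk; keeps a .bak of the original when it changes."""
    bundle_text = bundle_path.read_text(encoding="utf-8") if bundle_path.exists() else ""
    merged, added = merge_ca_into_bundle(bundle_text, ca_path.read_text(encoding="utf-8"))
    if added:
        bundle_path.with_name(bundle_path.name + ".bak").write_text(bundle_text, encoding="utf-8")
        bundle_path.write_text(merged, encoding="utf-8")
    return added


if __name__ == "__main__":
    import tempfile

    with tempfile.TemporaryDirectory() as tmp:
        bundle = Path(tmp) / "ca-bundle.crt"   # placeholder for the agent's bundle
        ca = Path(tmp) / "corp-root.cer"       # placeholder for the exported CA
        bundle.write_text(SAMPLE_BUNDLE, encoding="utf-8")
        ca.write_text(INTERNAL_CA, encoding="utf-8")
        print("first run added:", add_ca_to_bundle_file(bundle, ca))
        print("second run added:", add_ca_to_bundle_file(bundle, ca))
```

Export the root from the Windows store as "Base-64 encoded X.509 (.CER)" so the file is PEM; a binary DER export contains no `BEGIN CERTIFICATE` markers and the bundle (and `http.sslCAInfo`) will not pick it up. An agent update that replaces `externals\git` brings a fresh bundle, so keep the script around and re-run it after updates instead of reaching for `sslVerify false`.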

2
votes

So I found a better command than disabling HTTPS verification globally; hopefully, though, this will be better handled in future updates to the build agent.

git config --global http."https://YOURTFS.SERVER.HERE:PORT/".sslVerify false

That will only disable it from verifying on your (hopefully internal) git server.

1
votes

I have an internally issued cert (not self-signed) for TFS. Here are the steps I took to get this working for my scenario:

  1. I followed step 1 of this guide, then dropped the exported cert into the certs folder, which looked something like this: E:\agent\1\externals\git\mingw64\ssl\certs.
  2. After that, I followed the directions here to set the git config. The command(s) for that looked like this:

    git config --global http."https://tfs/tfs/".sslCAInfo "path\to\cert\certificate.cer"
    git config --system http."https://tfs/tfs/".sslCAInfo "path\to\cert\certificate.cer"
    
  3. The last thing I did was restart the agent service and everything was fine after that.

EDIT: I'm also running the agent under a build service domain account.

1
votes

fatal: unable to access <server>: SSL certificate problem: unable to get local issuer

Sometimes running the following command appears to work but it hasn't!

C:\agent\externals\git\cmd\git.exe config --global http.sslVerify false

To check what I mean run this:

git config --list --show-origin

This will list all the Git Config files on the PC.

What worked for me is checking the c:\ProgramData/Git/config file.

I had to format mine (newlines and Tabs) and manually had to add the sslVerify and the sslCAInfo (for some reason in this environment they weren't getting set).

[core]
    symlinks = false
    autocrlf = true
    fscache = true
[color]
    diff = auto
    status = auto
    branch = auto
    interactive = true
[pack]
[help]
    format = html
[http]
    sslVerify = false
    sslCAInfo = C:/Program Files (x86)/Microsoft Visual Studio/2017/Enterprise/Common7/IDE/CommonExtensions/Microsoft/TeamFoundation/Team Explorer/Git/mingw32/ssl/certs/ca-bundle.crt
[diff "astextplain"]
    textconv = astextplain
[rebase]
    autosquash = true

This allows a Service Account (with no login rights) to access the Git repo.

I learnt that VS2017 doesn't play well with Git's ca-bundle: https://developercommunity.visualstudio.com/content/problem/48517/visual-studio-2017-ssl-certificate-problem-unale-t.html

Instead of this:

sslcainfo = C:/Program Files/Git/mingw64/ssl/certs/ca-bundle.crt

I use this:

sslCAInfo = C:/Program Files (x86)/Microsoft Visual Studio/2017/Enterprise/Common7/IDE/CommonExtensions/Microsoft/TeamFoundation/Team Explorer/Git/mingw32/ssl/certs/ca-bundle.crt

Obviously, when you get this going, remove sslVerify = false.
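Tying together the `git config --list --show-origin` check in this answer and the URL-scoped `sslVerify` from the earlier answer, here is an added example (not code from either answer) in Python: an audit over a constructed `--show-origin` transcript that reports which file each TLS setting comes from, flags an unscoped `sslVerify = false` as high severity and a per-URL one as medium, notes any custom `sslCAInfo`, and applies git's last-value-wins rule so you can see which value is actually in effect. The file paths and server name in the sample are placeholders.

```python
"""Audit the output of `git config --list --show-origin` for TLS verification settings.

Added example, not code from any of the answers above. SAMPLE_OUTPUT is a
constructed transcript in the format that command prints (origin, a TAB, then
key=value); the paths and the server name in it are placeholders.
"""
import re
from typing import Optional

SAMPLE_OUTPUT = (
    "file:C:/ProgramData/Git/config\tcore.symlinks=false\n"
    "file:C:/ProgramData/Git/config\thttp.sslverify=false\n"
    "file:C:/ProgramData/Git/config\thttp.sslcainfo=C:/Program Files/Git/mingw64/ssl/certs/ca-bundle.crt\n"
    "file:C:/Users/buildsvc/.gitconfig\thttp.https://ourtfsserver:8443/.sslverify=false\n"
    "file:C:/Users/buildsvc/.gitconfig\thttp.https://ourtfsserver:8443/.sslcainfo=C:/certs/corp-root.cer\n"
    "command line:\thttp.extraheader=AUTHORIZATION: bearer ********\n"
)

LINE = re.compile(r"^(?P<origin>[^\t]+)\t(?P<key>[^=]+)=(?P<value>.*)$")
# Git lowercases section and variable names but keeps the URL subsection's case:
#   http.sslverify=false                        applies to every remote
#   http.https://host:port/.sslverify=false     applies to that URL prefix only
HTTP_TLS_KEY = re.compile(
    r"^http\.(?:(?P<url>.+)\.)?(?P<name>sslverify|sslcainfo|sslcapath)$"
)


def parse_show_origin(output: str) -> list[tuple[str, str, str]]:
    """Return (origin, key, value) triples; lines that do not match are skipped."""
    rows = []
    for line in output.splitlines():
        m = LINE.match(line)
        if m:
            rows.append((m["origin"], m["key"], m["value"]))
    return rows


def audit_git_config(output: str) -> list[dict]:
    """Flag every http.*ssl* setting with a severity a reviewer can act on."""
    findings = []
    for origin, key, value in parse_show_origin(output):
        m = HTTP_TLS_KEY.match(key)
        if not m:
            continue
        url, name = m["url"], m["name"]
        scope = f"remotes under {url}" if url else "ALL https remotes"
        if name == "sslverify" and value.strip().lower() in ("false", "0", "no", "off"):
            findings.append({
                "origin": origin, "key": key,
                "severity": "medium" if url else "high",
                "message": f"certificate verification disabled for {scope}",
            })
        elif name in ("sslcainfo", "sslcapath"):
            findings.append({
                "origin": origin, "key": key, "severity": "info",
                "message": f"custom trust anchor '{value}' used for {scope}",
            })
    return findings


def effective_value(output: str, key: str) -> Optional[str]:
    """Last occurrence wins: git reads system, then global, then repo-local config,
    and for a single-valued key the later file overrides the earlier one. This is
    why a `--global` change can 'appear to work but hasn't' when another file sets it."""
    value = None
    for _origin, k, v in parse_show_origin(output):
        if k == key:
            value = v
    return value


def highest_severity(findings: list[dict]) -> str:
    """Overall verdict for the host: high, medium, info or none."""
    order = {"high": 3, "medium": 2, "info": 1}
    return max((f["severity"] for f in findings), key=order.get, default="none")


if __name__ == "__main__":
    for f in audit_git_config(SAMPLE_OUTPUT):
        print(f"[{f['severity']:<6}] {f['origin']}: {f['key']} -> {f['message']}")
    print("effective http.sslverify:", effective_value(SAMPLE_OUTPUT, "http.sslverify"))
    print("verdict:", highest_severity(audit_git_config(SAMPLE_OUTPUT)))
```

Run the real command on the build host under the service account (the agent's own `externals\git\cmd\git.exe`, since that is the binary the agent invokes) and feed its output to `audit_git_config`; the goal state after fixing the trust store is a single `info` finding pointing at a bundle that contains the internal root, and no `sslverify=false` at any origin.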

0
votes

Since you can't run the command manually using the build agent account, please double check whether you or your mates ever modified the permissions for the "Project Collection Build Service" account. If you do not have one, please add one.


Also confirm your build agent version and make sure it has been updated to the latest. You could use another new build agent instead of this one to narrow down the issue.

If the above doesn't figure out the issue, you may need more diagnostic info, such as a Fiddler trace.