We have SSL inspection turned on in our on-premise environment. We are able to run the self-hosted agent with a cert using this command ".\config.cmd --sslcacert cacert.pem", as you can see from this log:
2019-09-04T20:36:49.2001937Z ##[debug]Agent.CAInfo=C:\Users\DH56022\Downloads\vsts-agent-win-x64-2.155.1\cacert.pem
However, when we run the Azure Key Vault task, we still get this: "Error: self signed certificate in certificate chain." This means the Key Vault task is not using the cert.
The temporary workaround for us is to bypass SSL inspection for 2 URLs: login.windows.net and xxx-kv.vault.azure.net (actual keyvault task)
Full Debug log when running Azure Key Vault task:
2019-09-04T20:36:48.5271195Z ##[section]Starting: Azure Key Vault: XXX-KV
2019-09-04T20:36:48.5633898Z ==============================================================================
2019-09-04T20:36:48.5634124Z Task : Azure Key Vault
2019-09-04T20:36:48.5634269Z Description : Download Azure Key Vault secrets
2019-09-04T20:36:48.5634436Z Version : 1.155.0
2019-09-04T20:36:48.5634589Z Author : Microsoft Corporation
2019-09-04T20:36:48.5634739Z Help : https://docs.microsoft.com/azure/devops/pipelines/tasks/deploy/azure-key-vault
2019-09-04T20:36:48.5634909Z ==============================================================================
2019-09-04T20:36:49.1806715Z ##[debug]agent.TempDirectory=C:\Users\DH56022\Downloads\vsts-agent-win-x64-2.155.1\_work\_temp
2019-09-04T20:36:49.1855381Z ##[debug]loading inputs and endpoints
2019-09-04T20:36:49.1880068Z ##[debug]loading ENDPOINT_AUTH_8040b62c-c752-455e-be9c-b1cf3ac8c1c4
2019-09-04T20:36:49.1896857Z ##[debug]loading ENDPOINT_AUTH_PARAMETER_8040b62c-c752-455e-be9c-b1cf3ac8c1c4_AUTHENTICATIONTYPE
2019-09-04T20:36:49.1904896Z ##[debug]loading ENDPOINT_AUTH_PARAMETER_8040b62c-c752-455e-be9c-b1cf3ac8c1c4_SERVICEPRINCIPALID
2019-09-04T20:36:49.1912609Z ##[debug]loading ENDPOINT_AUTH_PARAMETER_8040b62c-c752-455e-be9c-b1cf3ac8c1c4_SERVICEPRINCIPALKEY
2019-09-04T20:36:49.1919718Z ##[debug]loading ENDPOINT_AUTH_PARAMETER_8040b62c-c752-455e-be9c-b1cf3ac8c1c4_TENANTID
2019-09-04T20:36:49.1926908Z ##[debug]loading ENDPOINT_AUTH_PARAMETER_SYSTEMVSSCONNECTION_ACCESSTOKEN
2019-09-04T20:36:49.1932604Z ##[debug]loading ENDPOINT_AUTH_SCHEME_8040b62c-c752-455e-be9c-b1cf3ac8c1c4
2019-09-04T20:36:49.1938483Z ##[debug]loading ENDPOINT_AUTH_SCHEME_SYSTEMVSSCONNECTION
2019-09-04T20:36:49.1944016Z ##[debug]loading ENDPOINT_AUTH_SYSTEMVSSCONNECTION
2019-09-04T20:36:49.1951040Z ##[debug]loading INPUT_CONNECTEDSERVICENAME
2019-09-04T20:36:49.1956493Z ##[debug]loading INPUT_KEYVAULTNAME
2019-09-04T20:36:49.1962116Z ##[debug]loading INPUT_SECRETSFILTER
2019-09-04T20:36:49.1976755Z ##[debug]loaded 12
2019-09-04T20:36:49.2000363Z ##[debug]Agent.ProxyUrl=undefined
2019-09-04T20:36:49.2001937Z ##[debug]Agent.CAInfo=C:\Users\DH56022\Downloads\vsts-agent-win-x64-2.155.1\cacert.pem
2019-09-04T20:36:49.2002201Z ##[debug]Agent.ClientCert=undefined
2019-09-04T20:36:49.2002457Z ##[debug]expose agent certificate configuration.
2019-09-04T20:36:49.2002978Z ##[debug]Agent.SkipCertValidation=undefined
2019-09-04T20:36:49.2361569Z ##[debug]agent.proxyurl=undefined
2019-09-04T20:36:49.2362396Z ##[debug]VSTS_ARM_REST_IGNORE_SSL_ERRORS=undefined
2019-09-04T20:36:49.2363096Z ##[debug]AZURE_HTTP_USER_AGENT=VSTS_dc216ba3-25e9-46a8-823a-fb77a81f2a9f_Release__1792_3286_5
2019-09-04T20:36:49.3499232Z ##[debug]Agent.TempDirectory=C:\Users\DH56022\Downloads\vsts-agent-win-x64-2.155.1\_work\_temp
2019-09-04T20:36:49.3580461Z ##[debug]Setting resource path to C:\Users\DH56022\Downloads\vsts-agent-win-x64-2.155.1\_work\_tasks\AzureKeyVault_1e244d32-2dd4-4165-96fb-b7441ca9331e\1.155.0\task.json
2019-09-04T20:36:49.3582279Z ##[debug]check path : C:\Users\DH56022\Downloads\vsts-agent-win-x64-2.155.1\_work\_tasks\AzureKeyVault_1e244d32-2dd4-4165-96fb-b7441ca9331e\1.155.0\task.json
2019-09-04T20:36:49.3585807Z ##[debug]adding resource file: C:\Users\DH56022\Downloads\vsts-agent-win-x64-2.155.1\_work\_tasks\AzureKeyVault_1e244d32-2dd4-4165-96fb-b7441ca9331e\1.155.0\task.json
2019-09-04T20:36:49.3586610Z ##[debug]system.culture=en-US
2019-09-04T20:36:49.3645635Z ##[debug]ConnectedServiceName=8040b62c-c752-455e-be9c-b1cf3ac8c1c4
2019-09-04T20:36:49.3646702Z ##[debug]8040b62c-c752-455e-be9c-b1cf3ac8c1c4 data SubscriptionId = e0279acf-930e-4937-abbf-f45670343bcf
2019-09-04T20:36:49.3660205Z ##[debug]KeyVaultName=XXX-KV
2019-09-04T20:36:49.3667591Z ##[debug]SecretsFilter=*
2019-09-04T20:36:49.3674107Z ##[debug]8040b62c-c752-455e-be9c-b1cf3ac8c1c4 data AzureKeyVaultDnsSuffix = vault.azure.net
2019-09-04T20:36:49.3680310Z ##[debug]8040b62c-c752-455e-be9c-b1cf3ac8c1c4 auth param serviceprincipalid = ***
2019-09-04T20:36:49.3695138Z ##[debug]8040b62c-c752-455e-be9c-b1cf3ac8c1c4 auth scheme = ServicePrincipal
2019-09-04T20:36:49.3711060Z ##[debug]8040b62c-c752-455e-be9c-b1cf3ac8c1c4 data subscriptionid = xxx
2019-09-04T20:36:49.3711521Z ##[debug]8040b62c-c752-455e-be9c-b1cf3ac8c1c4 data subscriptionname = xxx
2019-09-04T20:36:49.3718207Z ##[debug]8040b62c-c752-455e-be9c-b1cf3ac8c1c4 auth param serviceprincipalid = ***
2019-09-04T20:36:49.3718578Z ##[debug]8040b62c-c752-455e-be9c-b1cf3ac8c1c4 data environmentAuthorityUrl = https://login.windows.net/
2019-09-04T20:36:49.3723634Z ##[debug]8040b62c-c752-455e-be9c-b1cf3ac8c1c4 auth param tenantid = ***
2019-09-04T20:36:49.3724897Z ##[debug]8040b62c-c752-455e-be9c-b1cf3ac8c1c4=https://management.azure.com/
2019-09-04T20:36:49.3725191Z ##[debug]8040b62c-c752-455e-be9c-b1cf3ac8c1c4 data environment = AzureCloud
2019-09-04T20:36:49.3731459Z ##[debug]8040b62c-c752-455e-be9c-b1cf3ac8c1c4 auth scheme = ServicePrincipal
2019-09-04T20:36:49.3731928Z ##[debug]8040b62c-c752-455e-be9c-b1cf3ac8c1c4 data msiclientId = undefined
2019-09-04T20:36:49.3732261Z ##[debug]8040b62c-c752-455e-be9c-b1cf3ac8c1c4 data activeDirectoryServiceEndpointResourceId = https://management.core.windows.net/
2019-09-04T20:36:49.3732543Z ##[debug]8040b62c-c752-455e-be9c-b1cf3ac8c1c4 data AzureKeyVaultServiceEndpointResourceId = https://vault.azure.net
2019-09-04T20:36:49.3732765Z ##[debug]8040b62c-c752-455e-be9c-b1cf3ac8c1c4 data AzureKeyVaultDnsSuffix = vault.azure.net
2019-09-04T20:36:49.3732970Z ##[debug]8040b62c-c752-455e-be9c-b1cf3ac8c1c4 data ScopeLevel = Subscription
2019-09-04T20:36:49.3739455Z ##[debug]8040b62c-c752-455e-be9c-b1cf3ac8c1c4 auth param authenticationType = ***
2019-09-04T20:36:49.3739758Z ##[debug]credentials spn endpoint
2019-09-04T20:36:49.3744895Z ##[debug]8040b62c-c752-455e-be9c-b1cf3ac8c1c4 auth param serviceprincipalkey = ***
2019-09-04T20:36:49.3745190Z ##[debug]8040b62c-c752-455e-be9c-b1cf3ac8c1c4 data EnableAdfsAuthentication = false
2019-09-04T20:36:49.3749942Z ##[debug]{"subscriptionID":"xxx","subscriptionName":"xxx","servicePrincipalClientID":"***","environmentAuthorityUrl":"https://login.windows.net/","tenantID":"***","url":"https://management.azure.com/","environment":"AzureCloud","scheme":"ServicePrincipal","activeDirectoryResourceID":"https://management.azure.com/","azureKeyVaultServiceEndpointResourceId":"https://vault.azure.net","azureKeyVaultDnsSuffix":"vault.azure.net","scopeLevel":"Subscription","authenticationType":"***","servicePrincipalKey":***,"isADFSEnabled":false,"applicationTokenCredentials":{"clientId":"***","domain":"***","baseUrl":"https://management.azure.com/","authorityUrl":"https://login.windows.net/","activeDirectoryResourceId":"https://management.azure.com/","isAzureStackEnvironment":false,"authType":"***","secret":***,"isADFSEnabled":false}}
2019-09-04T20:36:49.3801318Z SubscriptionId: e0279acf-930e-4937-abbf-f45670343bcf.
2019-09-04T20:36:49.3801630Z Key vault name: XXX-KV.
2019-09-04T20:36:49.3804177Z ##[debug]set SYSTEM_UNSAFEALLOWMULTILINESECRET=true
2019-09-04T20:36:49.3806438Z ##[debug]Processed: ##vso[task.setvariable variable=SYSTEM_UNSAFEALLOWMULTILINESECRET;issecret=false;]true
2019-09-04T20:36:49.3807530Z ##[debug]Downloading all secrets from subscriptionId: e0279acf-930e-4937-abbf-f45670343bcf, vault: XXX-KV
2019-09-04T20:36:49.3815679Z Downloading secrets using: https://XXX-KV.vault.azure.net/secrets?maxresults=25&api-version=2016-10-01.
2019-09-04T20:36:49.3837017Z ##[debug][POST]https://login.windows.net/***/oauth2/token/
2019-09-04T20:36:49.8075826Z ##[debug][GET]https://XXX-KV.vault.azure.net/secrets?maxresults=25&api-version=2016-10-01
2019-09-04T20:36:50.1199696Z ##[debug]Processed: ##vso[task.logissue type=error;code=SELF_SIGNED_CERT_IN_CHAIN;]
2019-09-04T20:36:50.1200310Z ##[debug]{"code":"SELF_SIGNED_CERT_IN_CHAIN"}
2019-09-04T20:36:50.1200536Z ##[debug]task result: Failed
2019-09-04T20:36:50.1201010Z ##[error]Get secrets failed. Error: self signed certificate in certificate chain.
Expected result: when the self-hosted agent is set up to run with the cert, all the tasks executed by the agent should be the same as well.
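
An added example, not part of the original report and not the task's or the agent's own code: how a Node.js HTTPS client can trust the inspection CA from the file shown in Agent.CAInfo while keeping certificate validation on. It assumes the task runs on Node.js (SELF_SIGNED_CERT_IN_CHAIN is the error code Node.js reports); `splitPemBundle`, `buildTlsOptions` and `getWithCaInfo` are hypothetical names, and the sample bundle is constructed.

```javascript
const fs = require('fs');
const https = require('https');
const tls = require('tls');

const PEM_CERT = /-----BEGIN CERTIFICATE-----[\s\S]+?-----END CERTIFICATE-----/g;

// Split a PEM bundle (such as cacert.pem) into individual certificate blocks.
function splitPemBundle(pemText) {
  return pemText.match(PEM_CERT) || [];
}

// Build TLS options that trust Node's built-in roots plus the extra CAs.
// Passing `ca` replaces the default trust store, so the defaults are re-added.
// Validation stays on: the fix is to add trust, not to skip the check.
function buildTlsOptions(pemText) {
  const extra = splitPemBundle(pemText);
  if (extra.length === 0) {
    throw new Error('no certificates found in CA bundle');
  }
  return { ca: [...tls.rootCertificates, ...extra], rejectUnauthorized: true };
}

// Hypothetical helper: GET a URL using the CA file the agent was configured with.
function getWithCaInfo(url, caInfoPath) {
  const options = buildTlsOptions(fs.readFileSync(caInfoPath, 'utf8'));
  return new Promise((resolve, reject) => {
    https.get(url, options, (res) => {
      res.resume(); // drain the body; only the status matters here
      resolve(res.statusCode);
    }).on('error', reject); // err.code is SELF_SIGNED_CERT_IN_CHAIN if the CA is still untrusted
  });
}

// Constructed sample bundle: placeholder bodies, not real certificates.
const SAMPLE_BUNDLE = [
  '-----BEGIN CERTIFICATE-----',
  'Q09OU1RSVUNURUQ=',
  '-----END CERTIFICATE-----',
  '# text between entries is ignored',
  '-----BEGIN CERTIFICATE-----',
  'UExBQ0VIT0xERVI=',
  '-----END CERTIFICATE-----',
].join('\n');
```

Node.js also reads extra CA certificates from the file named in the NODE_EXTRA_CA_CERTS environment variable at process start, which adds trust without code changes.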