0
votes

I have a zip file uploaded to Azure Artifacts using the Azure universal upload task.

I have two Windows Azure on-prem agents. I have full access to both. When I use one of the agents as my release agent to download the artifact using the universal upload Azure task, the download from the artifact package feed works fine, but on the other I get the error "Failed to get artifact tool. self-signed certificate in the certificate chain."

Since I have full access to both boxes, is there anything I can do to compare the boxes or to fix this issue?

2
Can you share the error log here? When running the pipeline, you can set the variable system.debug = true to get a detailed log. – Hugh Lin
I have not received your latest information; is the workaround helpful for you? Or if you have any concerns, feel free to share them here. – Hugh Lin

2 Answers

0
votes

1. You can check whether the versions of the two self-hosted agents are the same. You can try updating the failed agent to the latest version.

2. Try the steps mentioned in this ticket and check whether that resolves the issue.

  • download a new copy of the agent
  • put your CA cert chain under the root of the agent folder, preferably as a .pem file
  • configure the agent with config.cmd --sslcacert ./locationtoyourcert.pem

For details, please refer to this blog.

0
votes

@Hugh Lin, I have marked your answer as accepted. But I would also add a few other steps that I took to fix this answer.

Background: There are two issues when using any on-prem box other than the one that works.

  1. When trying to download an Azure key vault, the user gets the error “self-signed certificate in certificate chain”.
  2. When we try to download a universal package from the Azure artifact feed, the user sees the same error.

Analysis performed:

  1. Verified certificate and certificate chain between the working machine and the one not working.
  2. Verified the Azure agent version between the machines.
  3. Verified access on the agents.
  4. Verified server properties.
  5. Verified environment variables.

The Fix:

Issue 1: When trying to download an Azure key vault, the user gets the error “self-signed certificate in certificate chain”.

After realizing that the Azure key vault download is a Node-based task, it was found that CA certificate authentication for HTTPS connections was failing, the problem being that node.exe doesn't follow the Windows certificate store.

So you can try to set a specific environment variable before running your Node.js-based script:

setx NODE_EXTRA_CA_CERTS "/path/to/your/cert.pem"

Note: the cert.pem file can be found inside the external folder under Git.

Once this environment variable is set, the HTTPS libraries can authenticate with the CA certificate and resolve the SSL handshake process.

Note: A restart of the Windows service (Azure agent) might be needed.

Issue 2: When we try to download a universal package from the Azure artifact feed, the user sees the same error.

Download a new copy of the agent.

Configure agent with config.cmd --sslcacert ./locationtoyourcert.pem

Credits: http://lpains.net/articles/2020/azure-devops-agent-behind-proxy/

https://medium.com/@jonatascastro12/understanding-self-signed-certificate-in-chain-issues-on-node-js-npm-git-and-other-applications-ad88547e7028
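
For comparing a working and a failing agent, the following added example (not code from either answer) inspects the PEM bundle intended for NODE_EXTRA_CA_CERTS and reports, per certificate, whether it parses, whether it is a self-signed root, and whether Node already trusts it through its compiled-in root list. The names inspectBundle and inspectFile are illustrative, and a Node.js version with crypto.X509Certificate (15.6 or later) is assumed.

```javascript
// Added example: check the PEM bundle you plan to give to NODE_EXTRA_CA_CERTS.
const fs = require('node:fs');
const tls = require('node:tls');
const { X509Certificate } = require('node:crypto');

const PEM_BLOCK = /-----BEGIN CERTIFICATE-----[\s\S]+?-----END CERTIFICATE-----/g;

// Fingerprints of the CA roots compiled into this node binary. Node trusts
// these by default; it does not consult the Windows certificate store.
const bundled = new Set(
  tls.rootCertificates.map((pem) => new X509Certificate(pem).fingerprint256));

// Returns one record per certificate block found in pemText. An empty array
// means the text holds no PEM certificate at all (for example a DER-encoded
// .cer file, or a file saved as UTF-16), so node would gain no extra trust.
function inspectBundle(pemText) {
  return (pemText.match(PEM_BLOCK) || []).map((block, index) => {
    let cert;
    try {
      cert = new X509Certificate(block);
    } catch (err) {
      return { index, error: `unparseable certificate: ${err.message}` };
    }
    return {
      index,
      subject: cert.subject,
      issuer: cert.issuer,
      validTo: cert.validTo,
      isCA: cert.ca,
      // A root names itself as issuer and is signed with its own key.
      selfSigned: cert.subject === cert.issuer && cert.verify(cert.publicKey),
      // true: node already trusts this root without NODE_EXTRA_CA_CERTS.
      inNodeBundle: bundled.has(cert.fingerprint256),
    };
  });
}

// Convenience wrapper for a file on disk, e.g. the path stored in
// process.env.NODE_EXTRA_CA_CERTS on the agent being checked.
function inspectFile(path) {
  return inspectBundle(fs.readFileSync(path, 'utf8'));
}
```

Running inspectFile against the same path on both agents shows whether the failing box has a missing, empty, or unparseable bundle; a corporate root is expected to show selfSigned true and inNodeBundle false.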