@Hugh Lin, I have marked your answer as accepted. But I would also add a few other steps that I took to fix this issue.
Background:
There are two issues when using any on-prem boxes other than the one that is working.
- When trying to download an Azure Key Vault, the user gets an error: “self-signed certificate in certificate chain”
- When we try to download a universal package from an Azure Artifacts feed, the user sees the same error.
Analysis performed:
1. Verified the certificate and certificate chain between the working machine and the one not working.
2. Verified the Azure agent version between the machines.
3. Verified access on the agents.
4. Verified server properties.
5. Verified environment variables.
The Fix:
Issue 1: When trying to download an Azure Key Vault, the user gets an error “self-signed certificate in certificate chain”
After realizing that the Azure Key Vault download is a Node-based task, it was found that the CA certificate authentication for HTTPS connections was failing, because node.exe doesn't use the Windows certificate store.
So you can try to set a specific environment variable before running your Node.js-based script:
setx NODE_EXTRA_CA_CERTS "/path/to/your/cert.pem"
Note: the cert.pem file can be found inside the external folder under Git.
Once this environment variable is set, the https libraries can authenticate with the CA certificate and complete the SSL handshake.
Note: A restart of the Windows service (Azure agent) might be needed.
Issue 2: When we try to download a universal package from an Azure Artifacts feed, the user sees the same error.
Download a new copy of the agent.
Configure the agent with: config.cmd --sslcacert ./locationtoyourcert.pem
Credits:
http://lpains.net/articles/2020/azure-devops-agent-behind-proxy/
https://medium.com/@jonatascastro12/understanding-self-signed-certificate-in-chain-issues-on-node-js-npm-git-and-other-applications-ad88547e7028
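For anyone applying the Issue 1 fix on a self-hosted Windows agent, here is an added PowerShell script (not from the answer above or from the linked articles) that checks the PEM bundle, confirms each certificate is already trusted by Windows, sets NODE_EXTRA_CA_CERTS at machine scope, restarts the agent service and verifies node.exe loads the bundle. The certificate path and the agent service name are assumptions; replace them with your own.

```powershell
# Added example, not part of the original answer. $CertPath and $AgentService are
# assumed values: point them at your CA bundle and your agent's Windows service name.
param(
    [string]$CertPath     = 'C:\agent\certs\corp-root-ca.pem',
    [string]$AgentService = 'vstsagent.myorg.Default.BUILD01'
)

# 1. The file must exist and contain at least one PEM certificate block.
if (-not (Test-Path $CertPath)) { throw "CA file not found: $CertPath" }
$pem    = Get-Content -Raw $CertPath
$blockRegex = '-----BEGIN CERTIFICATE-----[\s\S]*?-----END CERTIFICATE-----'
$blocks = [regex]::Matches($pem, $blockRegex)
if ($blocks.Count -eq 0) { throw "$CertPath contains no PEM certificate blocks" }
Write-Host "$CertPath contains $($blocks.Count) certificate(s)"

# 2. node.exe ignores the Windows store, but every CA in the bundle should still be
#    trusted there; an untrusted or expired entry points at the wrong bundle.
$stores = Get-ChildItem Cert:\LocalMachine\Root, Cert:\LocalMachine\CA
foreach ($m in $blocks) {
    $bytes = [System.Text.Encoding]::ASCII.GetBytes($m.Value)
    $cert  = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($bytes)
    $known = $stores | Where-Object Thumbprint -eq $cert.Thumbprint
    $state = if ($known) { 'trusted by Windows' } else { 'NOT in LocalMachine Root/CA store' }
    Write-Host ("  {0}  expires {1:yyyy-MM-dd}  {2}" -f $cert.Subject, $cert.NotAfter, $state)
    if ($cert.NotAfter -lt (Get-Date)) { Write-Warning "  expired certificate: $($cert.Subject)" }
}

# 3. Machine scope, so the agent service (not only this console) inherits the variable.
[Environment]::SetEnvironmentVariable('NODE_EXTRA_CA_CERTS', $CertPath, 'Machine')
$env:NODE_EXTRA_CA_CERTS = $CertPath   # also for the check in step 5 below

# 4. Services read their environment at start-up, hence the restart mentioned in the answer.
if (Get-Service -Name $AgentService -ErrorAction SilentlyContinue) {
    Restart-Service -Name $AgentService
    Write-Host "Restarted $AgentService"
} else {
    Write-Warning "Service $AgentService not found; restart the agent manually"
}

# 5. node prints 'Ignoring extra certs from ... load failed' at start-up if the
#    bundle is unreadable, so a fresh node process with no output means it loaded.
$out = & node -e 'process.exit(0)' 2>&1
if ("$out" -match 'Ignoring extra certs') { Write-Warning "node could not load ${CertPath}: $out" }
else { Write-Host 'node started with the extra CA bundle and no warnings' }
```

Run it from an elevated PowerShell on the agent machine; the Issue 2 fix (reconfiguring the agent with --sslcacert) still has to be done separately, since that setting lives in the agent's own configuration rather than the environment.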
system.debug = true to get detailed log. – Hugh Lin