v2.102.0
Ubuntu 16.04
Is there a way to disable verification of self-signed certificates?
[2016-06-20 11:14:58Z INFO Terminal] WRITE LINE: Connecting to server ...
[2016-06-20 11:14:58Z INFO CommandSettings] Flag 'unattended': 'False'
[2016-06-20 11:14:58Z ERR Terminal] WRITE ERROR (exception):
[2016-06-20 11:14:58Z ERR Terminal] System.Net.Http.HttpRequestException: An error occurred while sending the request. ---> System.Net.Http.CurlException: Peer certificate cannot be authenticated with given CA certificates
at System.Net.Http.CurlHandler.ThrowIfCURLEError(CURLcode error)
at System.Net.Http.CurlHandler.MultiAgent.FinishRequest(StrongToWeakReference`1 easyWrapper, CURLcode messageResult)
--- End of inner exception stack trace ---
at Microsoft.VisualStudio.Services.Common.VssHttpRetryMessageHandler.<SendAsync>d__3.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at System.Net.Http.HttpClient.<FinishSendAsync>d__58.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at System.Runtime.CompilerServices.ConfiguredTaskAwaitable`1.ConfiguredTaskAwaiter.GetResult()
at Microsoft.VisualStudio.Services.WebApi.VssHttpClientBase.
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at System.Runtime.CompilerServices.ConfiguredTaskAwaitable`1.ConfiguredTaskAwaiter.GetResult()
at Microsoft.VisualStudio.Services.WebApi.VssHttpClientBase.<SendAsync>d__421.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at System.Runtime.CompilerServices.ConfiguredTaskAwaitable`1.ConfiguredTaskAwaiter.GetResult()
at Microsoft.VisualStudio.Services.Location.Client.LocationHttpClient.<GetConnectionDataAsync>d__6.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at System.Runtime.CompilerServices.ConfiguredTaskAwaitable`1.ConfiguredTaskAwaiter.GetResult()
at Microsoft.VisualStudio.Services.Client.VssServerDataProvider.
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Microsoft.VisualStudio.Services.Agent.AgentServer.
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Microsoft.VisualStudio.Services.Agent.Listener.Configuration.ConfigurationManager.
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Microsoft.VisualStudio.Services.Agent.Listener.Configuration.ConfigurationManager.
[2016-06-20 11:14:58Z ERR Terminal] WRITE ERROR: Failed to connect. Try again or ctrl-c to quit
[2016-06-20 11:14:58Z INFO CommandSettings] Arg 'url': ''
[2016-06-20 11:14:58Z INFO CommandSettings] Flag 'unattended': 'False'
[2016-06-20 11:14:58Z INFO PromptManager] ReadValue
[2016-06-20 11:14:58Z INFO Terminal] WRITE: Enter server URL >
[2016-06-20 11:14:58Z INFO Terminal] READ LINE
[2016-06-20 11:15:15Z INFO Terminal] WRITE LINE: Exiting...
@KefRisen Have you tried this: http://askubuntu.com/questions/530056/install-root-certificate-on-ubuntu-14-04-64-bit
Yes, I have tried this, but it didn't help.
I believe the underlying libraries use libcurl. Do you also get an error when using the curl command line utility? If so, then I think making that work is the key to making the agent work.
I have found the cause of the error. There are wrong certificates.
But I think it would actually be great to add an option for ignoring wrong certificates.
Sorry for disturbing.
Thanks for following up. We will look into that.
Can you elaborate on "wrong certificates" just to make sure when we try to fix, we repro correctly?
Adding the root certificate to Ubuntu didn't work because one of the certificates in the chain had expired on the TFS server.
By ignoring wrong certificates I mean ignoring verification of self-signed certificates.
Something like "--insecure" option in curl.
Another valid scenario for ignoring certificate errors: On Premises TFS 2015 joined to a domain that doesn't have a "right" certificate chain. In this case, the certificate isn't self signed, but the certificate chain doesn't have, as per libcurl, a valid root certification authority.
I'm not sure we should ignore certificate errors. Some security minded folks using certificates may actually care. Best we could do is perhaps an envvar or config
Yes, I meant adding some option for this, not ignore it by default.
Exactly, the certificate validation should be enforced by default, but we should have a way to bypass it when needed.
@ypupo2002 have you tried trusting the root cert on your machine? The issue @KefRisen ran into was that one of the certs in the chain was expired.
On a side note, in the past many folks required HTTPS because they were using Basic authentication. NTLM is now supported on OSX/Linux in this agent. Does that help?
@ericsciple Yes, trusting the root CA works like a charm, but in some scenarios this is more cumbersome than having a way to trust the certificates: auto-provisioning build agents, or a root CA whose certificates expire too often.
Our deployment uses only HTTPS/SSL.
I've faced a similar problem today:
[2016-07-14 16:13:58Z ERR Terminal] System.Net.Http.HttpRequestException: An error occurred while sending the request. ---> System.Net.Http.CurlException: SSL connect error
at System.Net.Http.CurlHandler.ThrowIfCURLEError(CURLcode error)
at System.Net.Http.CurlHandler.MultiAgent.FinishRequest(StrongToWeakReference`1 easyWrapper, CURLcode messageResult)
--- End of inner exception stack trace ---
at Microsoft.VisualStudio.Services.Common.VssHttpRetryMessageHandler.
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
....
[2016-07-14 16:13:58Z ERR Terminal] WRITE ERROR: Failed to connect. Try again or ctrl-c to quit
Adding server cert to /etc/ssl/certs/ca-certificates.crt didn't help me.
There is only one self-signed cert in the chain.
Any suggestions?
What platform are you on? For Ubuntu, this post suggests placing the crt file in /usr/local/share/ca-certificates and running update-ca-certificates.
I've followed these steps (on Ubuntu 16.04) to trust the server certificate and successfully registered the agent.
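The thread settles on two points: verification must stay on by default with any bypass being an explicit opt-in ("an envvar or config"), and the supported fix is to trust the extra CA rather than to disable checking, which only helps if nothing in the chain has expired. The following is an added example illustrating that design in Python's `ssl` module; it is not code from the vsts-agent project, and the environment variable name `VSTS_AGENT_SKIP_CERT_VALIDATION` and the helper functions are hypothetical. The remediation table only uses the error strings quoted in this thread.

```python
import os
import ssl
import time

# Hypothetical opt-in flag for this example; the agent discussed in the
# thread has no such setting.
SKIP_CERT_VALIDATION_ENV = "VSTS_AGENT_SKIP_CERT_VALIDATION"


def skip_validation_requested(environ=None):
    """True only when the operator set the flag to '1' or 'true' explicitly."""
    environ = os.environ if environ is None else environ
    value = environ.get(SKIP_CERT_VALIDATION_ENV, "")
    return value.strip().lower() in ("1", "true")


def build_ssl_context(extra_ca_file=None, skip_validation=False):
    """Build the client-side TLS context.

    Verification stays on (CERT_REQUIRED, hostname check, system trust
    store) unless skip_validation is explicitly True, i.e. the opt-in
    equivalent of `curl --insecure` the thread asks for.
    """
    ctx = ssl.create_default_context()
    if extra_ca_file:
        # Trust one more CA (e.g. the on-prem TFS root) without weakening
        # verification for any other host. This is the approach that worked
        # for the reporters who added the cert to the Ubuntu trust store.
        ctx.load_verify_locations(cafile=extra_ca_file)
    if skip_validation:
        # check_hostname must be cleared before verify_mode can be CERT_NONE.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def expired_cas(ctx, now=None):
    """Return (subject, notAfter) for every loaded CA cert already expired.

    The root cause in this thread was an expired certificate in the server's
    chain, which adding more roots to the trust store cannot fix.
    """
    now = time.time() if now is None else now
    found = []
    for cert in ctx.get_ca_certs():
        if ssl.cert_time_to_seconds(cert["notAfter"]) < now:
            found.append((cert["subject"], cert["notAfter"]))
    return found


# libcurl / OpenSSL messages quoted in this thread, mapped to a next step.
REMEDIATION = (
    ("unable to get local issuer certificate",
     "The issuing CA is not trusted: copy its .crt to "
     "/usr/local/share/ca-certificates/ and run update-ca-certificates."),
    ("Peer certificate cannot be authenticated with given CA certificates",
     "The chain was rejected: check every certificate in it for expiry "
     "and make sure the root is in the trust store."),
    ("SSL connect error",
     "The handshake itself failed: run `curl -v https://<server>/` to see "
     "the underlying OpenSSL error."),
)


def suggest_fix(error_message):
    """Map an agent or curl error message to a remediation hint."""
    for needle, advice in REMEDIATION:
        if needle in error_message:
            return advice
    return "Unrecognised TLS error; inspect the chain with `openssl s_client -showcerts`."


if __name__ == "__main__":
    ctx = build_ssl_context(skip_validation=skip_validation_requested())
    print("verify_mode:", ctx.verify_mode, "check_hostname:", ctx.check_hostname)
    for subject, not_after in expired_cas(ctx):
        print("expired CA:", subject, not_after)
    print(suggest_fix("SSL certificate problem: unable to get local issuer certificate"))
```

Note that `get_ca_certs()` only reports certificates actually loaded into the context (a cafile is loaded eagerly; a capath directory is loaded lazily), so the expiry check is most useful right after `load_verify_locations` on the bundle you are debugging.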
Great. We'll leave this open to track docs and the option to skip trust check (if possible)
@ericsciple I'm using Ubuntu 14.04.
Server certificate was added to /etc/ssl/certs/ca-certificates.crt, /etc/ca-certificates.conf contains line with path to my cert, and I'm still getting an error.
curl -v tells me "SSL certificate problem: unable to get local issuer certificate".
Another way to do this:
http://askubuntu.com/questions/73287/how-do-i-install-a-root-certificate
I managed to get things working and have written down my findings on this blog: https://medium.com/@MRiezebosch/vsts-agent-tfs-on-premise-with-an-unofficial-certificate-for-testing-purposes-only-465541913760