Azure-pipelines-agent: Certificate error during artefact download when behind SSL proxy

Created on 31 Jan 2018 · 7 Comments · Source: microsoft/azure-pipelines-agent

Agent version and platform

Version of your agent? 2.126.0 on Windows 2016

VSTS type and version

VSTS online, local agent

What's not working?

During the artefact download stage of the release task, the error is "Failed in getBuild with error: Error: unable to get local issuer certificate"

This is a new issue, seemingly caused by VSTS upgrade recently as it used to work fine. It is not clear from the error if this comes from git or the agent itself (I am not clear how the artefact is retrieved and the logs don't say).

The proxy also proxies SSL and so we need generally to have our proxy root CA certs installed. They are installed in the windows cert store by default on every server and work as expected. I tried adding the CA certs to the agent git system, global and user ca bundle. No difference. I tried configuring the agent to ignore sslverification. No difference. The agent runs as a custom domain user. Tried adding the CA certs to the agent service user .gitconfig CA bundle location. No difference.

I am at a loss - where do extra CA certs need to go to allow the agent to fetch build artefacts?

All 7 comments

@plk I don't think the cert issue is about git.
I think ReleaseManagement started using a node.js script to download the build artifact. I think the problem is that node.exe doesn't follow the Windows certificate store.
@omeshp

Hmm, there are env variables in node 7.3+ (https://nodejs.org/api/cli.html#cli_node_extra_ca_certs_file) to point to something but this really needs documenting as many large companies proxy SSL and so need their own CA certs for just about anything.

However, latest VSTS agent is using node 6.10 ... looks like 6.6+ has compile-time vars to point to other CA bundles but that's not an option with a distributed node that comes with the VSTS agent. Any suggestions would be useful, this is a complete show-stopper for most organisations that proxy SSL and who need on-prem agents for various things.

@plk not sure whether this will work, but can you try the following thing.

  1. download a new copy of the agent
  2. put your CA cert chain under the root of the agent folder, the cert better be .pem
  3. configure agent with config.cmd --sslcacert ./locationtoyourcert.pem

See whether it helps.
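One repeatable way to carry out steps 2 and 3 above on a Windows 2016 agent host, as an added example that is not part of this thread or of the agent project: it exports the proxy CA chain that the Windows machine store already trusts (the store node.exe does not consult) into a single PEM bundle in the agent folder and hands that file to config.cmd. The subject pattern 'Example Proxy CA' and the agent path C:\agent are assumptions to adjust.

```powershell
# Added example, not from the issue or the azure-pipelines-agent project.
# Assumptions: the proxy CA subject contains 'Example Proxy CA' and the
# freshly downloaded agent is unpacked in C:\agent.
$SubjectPattern = 'Example Proxy CA'
$AgentRoot      = 'C:\agent'
$BundleName     = 'proxy-ca-chain.pem'
$BundlePath     = Join-Path $AgentRoot $BundleName

function ConvertTo-Pem {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    # PEM is just the DER bytes base64-encoded between BEGIN/END markers
    $b64 = [Convert]::ToBase64String($Certificate.RawData, 'InsertLineBreaks')
    return "-----BEGIN CERTIFICATE-----`n$b64`n-----END CERTIFICATE-----`n"
}

# Collect the proxy root and any intermediates from the machine-wide stores.
# Windows tools already trust these; node.exe only trusts what it is handed.
$chain = @(Get-ChildItem -Path Cert:\LocalMachine\Root, Cert:\LocalMachine\CA |
           Where-Object { $_.Subject -match $SubjectPattern })
if ($chain.Count -eq 0) {
    throw "No certificate matching '$SubjectPattern' in LocalMachine Root/CA stores"
}

# Report what is going into the bundle, with expiry so rotation is not missed
foreach ($c in $chain) { '{0}  (expires {1:yyyy-MM-dd})' -f $c.Subject, $c.NotAfter }

# Node accepts a concatenated PEM file, so write the whole chain into one bundle
$pem = ($chain | ForEach-Object { ConvertTo-Pem $_ }) -join ''
[System.IO.File]::WriteAllText($BundlePath, $pem, [System.Text.Encoding]::ASCII)

# Sanity check: the file must parse back into one of the exported certificates
$check = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($BundlePath)
if ($check.Thumbprint -notin ($chain | ForEach-Object { $_.Thumbprint })) {
    throw "Written bundle at $BundlePath did not round-trip to a known certificate"
}

# Step 3 from the thread: point the agent at the bundle during configuration.
Push-Location $AgentRoot
try {
    .\config.cmd --sslcacert ".\$BundleName"
} finally {
    Pop-Location
}
```

The same PEM file can be given to NODE_EXTRA_CA_CERTS (the Node 7.3+ variable linked above) for any task that launches its own node.exe and therefore does not inherit the agent's setting.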

Many thanks - this now works for artefact download.

@plk cool, glad you're unblocked, I will close the issue and update the doc.

Thanks @TingluoHuang for taking care of this.

Neither has this issue been resolved nor is the workaround feasible for any kind of corporate environment which potentially needs dozens, maybe even hundreds of agents deployed in a reliable, semi-automated manner. This issue needs to be reopened, the entire topic really is a pain regarding Azure DevOps Server 2019. It _is_ possible to work around with YAML pipelines but apparently not with release pipelines.
