TFS Build Agent failing to connect to HTTPS git in TFS 2017 when running as service

Question

We are using an internal certificate on our server and I\'ve followed the steps in

https://blogs.msdn.microsoft.com/tfssetup/2016/12/19/error-ssl-certificate-problem-una

Answer 1

fatal: unable to access : SSL certificate problem: unable to get local issuer

Sometimes running the following command appears to work but it hasn't!

C:\agent\externals\git\cmd\git.exe config --global http.sslVerify false

To check what I mean run this:

git config --list --show-origin

This will list all the Git Config files on the PC.

What worked for me is checking the c:\ProgramData/Git/config file.

I had to format mine (newlines and Tabs) and manually had to add the sslVerify and the sslCAInfo (for some reason in this environment they weren't getting set).

[core]  
    symlinks = false  
    autocrlf = true  
    fscache = true  
[color]  
    diff = auto  
    status = auto  
    branch = auto  
    interactive = true  
[pack]  
[help]  
    format = html  
[http]  
    sslVerify = false  
    sslCAInfo = C:/Program Files (x86)/Microsoft Visual 
Studio/2017/Enterprise/Common7/IDE/CommonExtensions/Microsoft/TeamFoundation/Team Explorer/Git/mingw32/ssl/certs/ca-bundle.crt  
[diff "astextplain"]  
    textconv = astextplain  
[rebase]  
    autosquash = true  

This allows a Service Account (with no login rights) to access the Git repo.

I learnt that VS2017 doesn't play well with Gits ca-bundle: https://developercommunity.visualstudio.com/content/problem/48517/visual-studio-2017-ssl-certificate-problem-unale-t.html

Instead of this:

sslcainfo = C:/Program Files/Git/mingw64/ssl/certs/ca-bundle.crt

I use this:

sslCAInfo = C:/Program Files (x86)/Microsoft Visual 
    Studio/2017/Enterprise/Common7/IDE/CommonExtensions/Microsoft/TeamFoundation/Team Explorer/Git/mingw32/ssl/certs/ca-bundle.crt  

Obviously when you get this going remove sslVerify = false