发表新帖
发表新帖

TFS Build Agent failing to connect to HTTPS git in TFS 2017 when running as service

后端 未结
关注
6 2333
礼貌的吻别
礼貌的吻别 2021-02-15 03:51

We are using an internal certificate on our server and I\'ve followed the steps in

https://blogs.msdn.microsoft.com/tfssetup/2016/12/19/error-ssl-certificate-problem-una

相关标签:
6条回答
  • 粉色の甜心
    2021-02-15 04:26

    Since you can't manually using the build agent account to run the command. Please double check if you or your mates ever modified the permission for "Project Collection Build Service" account. If you do not have, please add one.

    Also confirm your build agent version, make sure have updated to the latest. You could use another new build agent instead of this one to narrow down the issue.

    If above couldn't figured out the issue, you may need some more diagnostic info such as give a Fiddler trace.

    0 讨论(0)
  • 孤独总比滥情好
    2021-02-15 04:31

    fatal: unable to access <server>: SSL certificate problem: unable to get local issuer

    Sometimes running the following command appears to work but it hasn't!

    C:\agent\externals\git\cmd\git.exe config --global http.sslVerify false

    To check what I mean run this:

    git config --list --show-origin

    This will list all the Git Config files on the PC.

    What worked for me is checking the c:\ProgramData/Git/config file.

    I had to format mine (newlines and Tabs) and manually had to add the sslVerify and the sslCAInfo (for some reason in this environment they weren't getting set).

    [core]  
    symlinks = false  
    autocrlf = true  
    fscache = true  
[color]  
    diff = auto  
    status = auto  
    branch = auto  
    interactive = true  
[pack]  
[help]  
    format = html  
[http]  
    sslVerify = false  
    sslCAInfo = C:/Program Files (x86)/Microsoft Visual 
Studio/2017/Enterprise/Common7/IDE/CommonExtensions/Microsoft/TeamFoundation/Team Explorer/Git/mingw32/ssl/certs/ca-bundle.crt  
[diff "astextplain"]  
    textconv = astextplain  
[rebase]  
    autosquash = true

    This allows a Service Account (with no login rights) to access the Git repo.

    I learnt that VS2017 doesn't play well with Gits ca-bundle: https://developercommunity.visualstudio.com/content/problem/48517/visual-studio-2017-ssl-certificate-problem-unale-t.html

    Instead of this:

    sslcainfo = C:/Program Files/Git/mingw64/ssl/certs/ca-bundle.crt

    I use this:

    sslCAInfo = C:/Program Files (x86)/Microsoft Visual 
    Studio/2017/Enterprise/Common7/IDE/CommonExtensions/Microsoft/TeamFoundation/Team Explorer/Git/mingw32/ssl/certs/ca-bundle.crt

    Obviously when you get this going remove sslVerify = false

    0 讨论(0)
  • 佛祖请我去吃肉
    2021-02-15 04:34

    I ran into this problem as well. Are you sure you updated the correct custom trust-store? The one in the agent directory \externals\git\mingw64\ssl\certs\ca-bundle.crt ? This seems to be the one that the agent uses nowadays. So even though your system git may be working fine, the agent won't use that and thus won't trust your self-signed SSL cert.

    update: if that fails too, you could try running the git.exe in there and setting the sslVerify flag to false, e.g.:

    C:\agent\externals\git\cmd\git.exe config --global http.sslVerify false

    0 讨论(0)
  • 一个人的身影
    2021-02-15 04:36

    So I found a better command than disabling https verification globally, hopefully though this will be better handled in future updates to the build agent.

    git config --global http."https://YOURTFS.SERVER.HERE:PORT/".sslVerify false

    That will only disable it from verifying on your (hopefully internal) git server.

    0 讨论(0)
  • 闹比i
    2021-02-15 04:44

    This is what I did to resolve the issue.

    • Download latest GIT from https://git-scm.com/downloads

    • During installation setup, select Windows Certificate store for SSL.

    • Go to Program files and copy the latest GIT folder.

    • Replace the git folder inside the agent/externals with the latest GIT folder.

    • Restart agent and build again.

    0 讨论(0)
  • 太阳男子
    2021-02-15 04:45

    I have an internally issued cert (not self-signed) for TFS. Here are the steps I took to get this working for my scenario:

    1. I followed step 1 of this guide, then dropped the exported cert into the certs folder, which looked something like this: E:\agent\1\externals\git\mingw64\ssl\certs.

    2. After that, I followed the directions here to set the git config. The command(s) for that looked like this: 

      git config --global http."https://tfs/tfs/".sslCAInfo "path\to\cert\certificate.cer"
git config --system http."https://tfs/tfs/".sslCAInfo "path\to\cert\certificate.cer"

    3. The last thing I did was restart the agent service and everything was fine after that.

    EDIT: I'm also running the agent under a build service domain account.

    0 讨论(0)
 看不清?
提交回复
热议问题