TFS Build Agent failing to connect to HTTPS git in TFS 2017 when running as service

后端 未结 6 2343
礼貌的吻别
礼貌的吻别 2021-02-15 03:51

We are using an internal certificate on our server and I\'ve followed the steps in

https://blogs.msdn.microsoft.com/tfssetup/2016/12/19/error-ssl-certificate-problem-una

相关标签:
6条回答
  • 2021-02-15 04:26

    Since you can't manually using the build agent account to run the command. Please double check if you or your mates ever modified the permission for "Project Collection Build Service" account. If you do not have, please add one.

    Also confirm your build agent version, make sure have updated to the latest. You could use another new build agent instead of this one to narrow down the issue.

    If above couldn't figured out the issue, you may need some more diagnostic info such as give a Fiddler trace.

    0 讨论(0)
  • 2021-02-15 04:31

    fatal: unable to access <server>: SSL certificate problem: unable to get local issuer

    Sometimes running the following command appears to work but it hasn't!

    C:\agent\externals\git\cmd\git.exe config --global http.sslVerify false

    To check what I mean run this:

    git config --list --show-origin
    

    This will list all the Git Config files on the PC.

    What worked for me is checking the c:\ProgramData/Git/config file.

    I had to format mine (newlines and Tabs) and manually had to add the sslVerify and the sslCAInfo (for some reason in this environment they weren't getting set).

    [core]  
        symlinks = false  
        autocrlf = true  
        fscache = true  
    [color]  
        diff = auto  
        status = auto  
        branch = auto  
        interactive = true  
    [pack]  
    [help]  
        format = html  
    [http]  
        sslVerify = false  
        sslCAInfo = C:/Program Files (x86)/Microsoft Visual 
    Studio/2017/Enterprise/Common7/IDE/CommonExtensions/Microsoft/TeamFoundation/Team Explorer/Git/mingw32/ssl/certs/ca-bundle.crt  
    [diff "astextplain"]  
        textconv = astextplain  
    [rebase]  
        autosquash = true  
    

    This allows a Service Account (with no login rights) to access the Git repo.

    I learnt that VS2017 doesn't play well with Gits ca-bundle: https://developercommunity.visualstudio.com/content/problem/48517/visual-studio-2017-ssl-certificate-problem-unale-t.html

    Instead of this:

    sslcainfo = C:/Program Files/Git/mingw64/ssl/certs/ca-bundle.crt
    

    I use this:

    sslCAInfo = C:/Program Files (x86)/Microsoft Visual 
        Studio/2017/Enterprise/Common7/IDE/CommonExtensions/Microsoft/TeamFoundation/Team Explorer/Git/mingw32/ssl/certs/ca-bundle.crt  
    

    Obviously when you get this going remove sslVerify = false

    0 讨论(0)
  • 2021-02-15 04:34

    I ran into this problem as well. Are you sure you updated the correct custom trust-store? The one in the agent directory \externals\git\mingw64\ssl\certs\ca-bundle.crt ? This seems to be the one that the agent uses nowadays. So even though your system git may be working fine, the agent won't use that and thus won't trust your self-signed SSL cert.

    update: if that fails too, you could try running the git.exe in there and setting the sslVerify flag to false, e.g.:

    C:\agent\externals\git\cmd\git.exe config --global http.sslVerify false

    0 讨论(0)
  • 2021-02-15 04:36

    So I found a better command than disabling https verification globally, hopefully though this will be better handled in future updates to the build agent.

    git config --global http."https://YOURTFS.SERVER.HERE:PORT/".sslVerify false

    That will only disable it from verifying on your (hopefully internal) git server.

    0 讨论(0)
  • 2021-02-15 04:44

    This is what I did to resolve the issue.

    • Download latest GIT from https://git-scm.com/downloads

    • During installation setup, select Windows Certificate store for SSL.

    • Go to Program files and copy the latest GIT folder.

    • Replace the git folder inside the agent/externals with the latest GIT folder.

    • Restart agent and build again.

    0 讨论(0)
  • 2021-02-15 04:45

    I have an internally issued cert (not self-signed) for TFS. Here are the steps I took to get this working for my scenario:

    1. I followed step 1 of this guide, then dropped the exported cert into the certs folder, which looked something like this: E:\agent\1\externals\git\mingw64\ssl\certs.
    2. After that, I followed the directions here to set the git config. The command(s) for that looked like this:

      git config --global http."https://tfs/tfs/".sslCAInfo "path\to\cert\certificate.cer"
      git config --system http."https://tfs/tfs/".sslCAInfo "path\to\cert\certificate.cer"
      
    3. The last thing I did was restart the agent service and everything was fine after that.

    EDIT: I'm also running the agent under a build service domain account.

    0 讨论(0)
提交回复
热议问题