问题
We are using an internal certificate on our server and I've followed the steps in
https://blogs.msdn.microsoft.com/tfssetup/2016/12/19/error-ssl-certificate-problem-unable-to-get-local-issuer-certificate/
as well as the steps here:
https://blogs.msdn.microsoft.com/phkelley/2014/01/20/adding-a-corporate-or-self-signed-certificate-authority-to-git-exes-store/
Error when running as a service:
git version
git config --get remote.origin.url
git config gc.auto 0
git config --get-all http.https://ourtfsserver:8443/tfs/path/_git/project.extraheader
git config --get-all http.proxy
git -c http.extraheader="AUTHORIZATION: bearer ********" fetch --tags --prune --progress origin
fatal: unable to access 'https://ourtfsserver:8443/tfs/path/_git/project/': SSL certificate problem: unable to get local issuer certificate
##[error]Git fetch failed with exit code: 128
When running with the same agent config but using .\run.cmd instead of as a service (same credentials) it works successfully:
git version
git config --get remote.origin.url
git config gc.auto 0
git config --get-all http.https://ourtfsserver:8443/tfs/path/_git/project.extraheader
git config --get-all http.proxy
git -c http.extraheader="AUTHORIZATION: bearer ********" fetch --tags --prune --progress origin
git checkout --progress --force {hash here}
(and continues onto next steps)
However, when I try to run it manually using our build agent account it gives the same Git fetch failed with exit code: 128 as above. I can manually git clone using these credentials though.
So I've tried:
git config –global http.sslVerify false
as well as manually setting the config file to include that variable.
I've also installed the certificate using IE to get it per the 2nd blog post.
I can manually pull down the project without issue as well, both as my account and our build agent account using git clone https://ourtfsserver:8443/tfs/path/_git/project c:\somefolder
I'm using the TFS 2017 Update 1 RC2 From Feb 13th 2017 (https://www.visualstudio.com/en-us/news/releasenotes/tfs2017-update1), the previous version wouldn't let our build agent connect at all to tfs https properly. Our old TFS 2015 build agent still works, but is missing the new features from the v2 agents.
Edit: Using set HTTP_PROXY=https://localhost:8888 I was able to get VSTS to use fiddler as a proxy and it made one request:
CONNECT our.local.tfs.fqdn:8443 HTTP/1.1
Host: our.local.tfs.fqdn:8443
User-Agent: git/2.10.0 (vsts-agent-git/2.112.0)
A SSLv3-compatible ClientHello handshake was found. Fiddler extracted the parameters below.
Version: 3.3 (TLS/1.2)
(bunch of other stuff it decrypted here)
for Auth it had:
No Proxy-Authorization Header is present.
No Authorization Header is present.
回答1:
This is what I did to resolve the issue.
Download latest GIT from https://git-scm.com/downloads
During installation setup, select Windows Certificate store for SSL.
Go to Program files and copy the latest GIT folder.
Replace the git folder inside the agent/externals with the latest GIT folder.
Restart agent and build again.
回答2:
I ran into this problem as well. Are you sure you updated the correct custom trust-store? The one in the agent directory \externals\git\mingw64\ssl\certs\ca-bundle.crt ? This seems to be the one that the agent uses nowadays. So even though your system git may be working fine, the agent won't use that and thus won't trust your self-signed SSL cert.
update: if that fails too, you could try running the git.exe in there and setting the sslVerify flag to false, e.g.:
C:\agent\externals\git\cmd\git.exe config --global http.sslVerify false
回答3:
So I found a better command than disabling https verification globally, hopefully though this will be better handled in future updates to the build agent.
git config --global http."https://YOURTFS.SERVER.HERE:PORT/".sslVerify false
That will only disable it from verifying on your (hopefully internal) git server.
回答4:
I have an internally issued cert (not self-signed) for TFS. Here are the steps I took to get this working for my scenario:
- I followed step 1 of this guide, then dropped the exported cert into the certs folder, which looked something like this: E:\agent\1\externals\git\mingw64\ssl\certs.
After that, I followed the directions here to set the git config. The command(s) for that looked like this:
git config --global http."https://tfs/tfs/".sslCAInfo "path\to\cert\certificate.cer" git config --system http."https://tfs/tfs/".sslCAInfo "path\to\cert\certificate.cer"The last thing I did was restart the agent service and everything was fine after that.
EDIT: I'm also running the agent under a build service domain account.
回答5:
fatal: unable to access <server>: SSL certificate problem: unable to get local issuer
Sometimes running the following command appears to work but it hasn't!
C:\agent\externals\git\cmd\git.exe config --global http.sslVerify false
To check what I mean run this:
git config --list --show-origin
This will list all the Git Config files on the PC.
What worked for me is checking the c:\ProgramData/Git/config file.
I had to format mine (newlines and Tabs) and manually had to add the sslVerify and the sslCAInfo (for some reason in this environment they weren't getting set).
[core]
symlinks = false
autocrlf = true
fscache = true
[color]
diff = auto
status = auto
branch = auto
interactive = true
[pack]
[help]
format = html
[http]
sslVerify = false
sslCAInfo = C:/Program Files (x86)/Microsoft Visual
Studio/2017/Enterprise/Common7/IDE/CommonExtensions/Microsoft/TeamFoundation/Team Explorer/Git/mingw32/ssl/certs/ca-bundle.crt
[diff "astextplain"]
textconv = astextplain
[rebase]
autosquash = true
This allows a Service Account (with no login rights) to access the Git repo.
I learnt that VS2017 doesn't play well with Gits ca-bundle: https://developercommunity.visualstudio.com/content/problem/48517/visual-studio-2017-ssl-certificate-problem-unale-t.html
Instead of this:
sslcainfo = C:/Program Files/Git/mingw64/ssl/certs/ca-bundle.crt
I use this:
sslCAInfo = C:/Program Files (x86)/Microsoft Visual
Studio/2017/Enterprise/Common7/IDE/CommonExtensions/Microsoft/TeamFoundation/Team Explorer/Git/mingw32/ssl/certs/ca-bundle.crt
Obviously when you get this going remove sslVerify = false
回答6:
Since you can't manually using the build agent account to run the command. Please double check if you or your mates ever modified the permission for "Project Collection Build Service" account. If you do not have, please add one.
Also confirm your build agent version, make sure have updated to the latest. You could use another new build agent instead of this one to narrow down the issue.
If above couldn't figured out the issue, you may need some more diagnostic info such as give a Fiddler trace.
来源:https://stackoverflow.com/questions/42263725/tfs-build-agent-failing-to-connect-to-https-git-in-tfs-2017-when-running-as-serv