 

TFS Build Agent failing to connect to HTTPS git in TFS 2017 when running as service

Tags:

git

ssl

tfs

We are using an internal certificate on our server and I've followed the steps in

https://blogs.msdn.microsoft.com/tfssetup/2016/12/19/error-ssl-certificate-problem-unable-to-get-local-issuer-certificate/

as well as the steps here:

https://blogs.msdn.microsoft.com/phkelley/2014/01/20/adding-a-corporate-or-self-signed-certificate-authority-to-git-exes-store/

Error when running as a service:

git version
git config --get remote.origin.url
git config gc.auto 0
git config --get-all http.https://ourtfsserver:8443/tfs/path/_git/project.extraheader
git config --get-all http.proxy
git -c http.extraheader="AUTHORIZATION: bearer ********" fetch --tags --prune --progress origin
fatal: unable to access 'https://ourtfsserver:8443/tfs/path/_git/project/': SSL certificate problem: unable to get local issuer certificate
##[error]Git fetch failed with exit code: 128

When running with the same agent config but using .\run.cmd instead of as a service (same credentials) it works successfully:

git version
git config --get remote.origin.url
git config gc.auto 0
git config --get-all http.https://ourtfsserver:8443/tfs/path/_git/project.extraheader
git config --get-all http.proxy
git -c http.extraheader="AUTHORIZATION: bearer ********" fetch --tags --prune --progress origin
git checkout --progress --force {hash here}
(and continues onto next steps)

However, when I try to run it manually using our build agent account it gives the same Git fetch failed with exit code: 128 as above. I can manually git clone using these credentials though.

So I've tried:

git config --global http.sslVerify false

as well as manually setting the config file to include that variable.

I've also installed the certificate using IE to get it per the 2nd blog post.

I can manually pull down the project without issue as well, both as my account and our build agent account using git clone https://ourtfsserver:8443/tfs/path/_git/project c:\somefolder

I'm using the TFS 2017 Update 1 RC2 from Feb 13th 2017 (https://www.visualstudio.com/en-us/news/releasenotes/tfs2017-update1); the previous version wouldn't let our build agent connect at all to TFS over HTTPS properly. Our old TFS 2015 build agent still works, but is missing the new features from the v2 agents.

Edit: Using set HTTP_PROXY=https://localhost:8888 I was able to get VSTS to use fiddler as a proxy and it made one request:

CONNECT our.local.tfs.fqdn:8443 HTTP/1.1
Host: our.local.tfs.fqdn:8443
User-Agent: git/2.10.0 (vsts-agent-git/2.112.0)

A SSLv3-compatible ClientHello handshake was found. Fiddler extracted the parameters below.

Version: 3.3 (TLS/1.2)
(bunch of other stuff it decrypted here)

For Auth it had:

No Proxy-Authorization Header is present.

No Authorization Header is present.
John asked Feb 16 '17 02:02


People also ask

How do I bypass SSL verification in Git?

Set GIT_SSL_NO_VERIFY=true in the environment before a git command to skip certificate verification for that command; this is useful before a repository has been cloned. For an existing checkout, git config http.sslVerify false disables verification for that repository. Either setting removes the only thing that authenticates the server: a man-in-the-middle can then read everything sent over the connection, including the bearer token the build agent passes in http.extraheader. Prefer trusting the internal CA instead, for example by pointing http.sslCAInfo at a bundle that contains it.

What is the SSL certificate problem in Git?

"unable to get local issuer certificate" means the CA bundle consulted by git's OpenSSL build does not contain the issuer of the server's certificate. It is common with self-signed or internal-CA certificates, which no public bundle includes. The fix is to add the issuing CA to the bundle that the git binary in question actually uses, not to turn verification off.


2 Answers

This is what I did to resolve the issue.

  • Download latest GIT from https://git-scm.com/downloads

  • During installation setup, select Windows Certificate store for SSL.

  • Go to Program files and copy the latest GIT folder.

  • Replace the git folder inside the agent/externals with the latest GIT folder.

  • Restart agent and build again.

j.f. answered Oct 06 '22 00:10


I ran into this problem as well. Are you sure you updated the correct custom trust-store? The one in the agent directory \externals\git\mingw64\ssl\certs\ca-bundle.crt ? This seems to be the one that the agent uses nowadays. So even though your system git may be working fine, the agent won't use that and thus won't trust your self-signed SSL cert.

update: if that fails too, you could try running the git.exe in there and setting the sslVerify flag to false, e.g.:

C:\agent\externals\git\cmd\git.exe config --global http.sslVerify false

Peter answered Oct 05 '22 23:10
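Both answers above come down to the same thing: the agent runs its own bundled git.exe under externals\git, so that binary, not the system Git, has to trust the internal CA. The script below is an added example, not code from the question or either answer, showing how to do that without falling back to http.sslVerify false (which would let anyone on the path read the bearer token the agent sends in http.extraheader). It assumes the agent is installed in C:\agent, that the internal root CA is already in the machine's Trusted Root store, and that the thumbprint, repo URL and file names are placeholders to be replaced.

```powershell
# Added example (not from the original post or answers): make the git.exe bundled
# with the TFS/VSTS build agent trust an internal root CA, then verify the chain.
# C:\agent, the thumbprint and the repo URL are assumptions; adjust for your site.

$AgentRoot    = 'C:\agent'                                           # assumed agent dir
$AgentGit     = Join-Path $AgentRoot 'externals\git\cmd\git.exe'
$Bundle       = Join-Path $AgentRoot 'externals\git\mingw64\ssl\certs\ca-bundle.crt'
$CaThumbprint = '0123456789ABCDEF0123456789ABCDEF01234567'           # assumed: internal root CA
$RepoUrl      = 'https://ourtfsserver:8443/tfs/path/_git/project'   # from the question

if (-not (Test-Path $AgentGit)) { throw "Agent-bundled git not found at $AgentGit" }
if (-not (Test-Path $Bundle))   { throw "Agent CA bundle not found at $Bundle" }

# 1. Export the internal root CA from the machine store as PEM.
$ca = Get-ChildItem Cert:\LocalMachine\Root | Where-Object Thumbprint -eq $CaThumbprint
if (-not $ca) { throw "Root CA $CaThumbprint is not in LocalMachine\Root" }
$pem = "`n-----BEGIN CERTIFICATE-----`n" +
       [Convert]::ToBase64String($ca.RawData, [System.Base64FormattingOptions]::InsertLineBreaks) +
       "`n-----END CERTIFICATE-----`n"

# 2. Append it to a private copy of the bundle (an agent upgrade replaces the
#    original) and point the bundled git at that copy. --system is read by every
#    account, including the service account; --global lives in the running
#    user's profile, which is why run.cmd and the service can behave differently.
$CustomBundle = Join-Path $AgentRoot 'ca-bundle-with-internal-ca.crt'
Copy-Item $Bundle $CustomBundle -Force
Add-Content -Path $CustomBundle -Value $pem -Encoding Ascii
& $AgentGit config --system http.sslCAInfo $CustomBundle

# 3. Alternative once the bundled git is Git for Windows 2.14 or newer: let it
#    use the Windows certificate store, which is what the installer option in
#    the first answer selects. Uncomment instead of step 2 if you upgraded git.
# & $AgentGit config --system http.sslBackend schannel

# 4. Verify with the bundled git, as the account the service runs under.
#    GIT_TERMINAL_PROMPT=0 makes git fail instead of prompting for credentials,
#    so a 401 after a successful handshake is distinguishable from a TLS failure.
$env:GIT_TERMINAL_PROMPT = '0'
$out = & $AgentGit -c http.sslVerify=true ls-remote --heads $RepoUrl 2>&1
if ($out -match 'SSL certificate problem') { throw "Chain still not trusted:`n$out" }
"TLS chain for $RepoUrl verified against $CustomBundle (git exit $LASTEXITCODE; non-zero here is authentication, not TLS)"
```

Run it in an elevated PowerShell as the build service account (or with runas) so the --system config lands in the agent's own mingw64\etc\gitconfig rather than a profile the service never loads. If step 4 still reports "SSL certificate problem", compare the certificate the server actually presents with the one you exported: an intermediate issuer that is missing from the server's chain produces the same error and has to be added to the bundle too.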