
Generating Self Signed Certificates for TeamCity Agent & Connection to TeamCity Server in Docker #74

Open
gauravcanon opened this issue Dec 29, 2021 · 2 comments

Comments

@gauravcanon

gauravcanon commented Dec 29, 2021

We are evaluating TeamCity for an enterprise solution.

What I am trying to achieve:

✅ Create and host the TeamCity server
✅ It is working with SSL and is accessible outside the home network
✅ Install Agent 1 and check the connection with the TeamCity server
✗ Agent SSL handshake with the TeamCity server

  • I don't know how to set up an agent to talk to the TeamCity server using SSL; I tried this link, but it is for a standalone installation, not for the docker image.
  • Hosting the agent and the TeamCity server in the same WSL Docker environment.
  • Tried this link, but it is not clear in terms of docker.
  • Custom server certificate #41: I tried to follow this issue but didn't get it working.

My Docker Compose:

  version: '3.3'
  networks:
    teamcity:
      driver: bridge
  services:
    nginx-proxy:
      # Terminates TLS for VIRTUAL_HOST and proxies to the teamcity-server container
      container_name: nginx-proxy
      image: jwilder/nginx-proxy
      labels:
        com.github.jrcs.letsencrypt_nginx_proxy_companion.nginx_proxy: "true"
      ports:
        - "80:80"
        - "443:443"
      volumes:
        - /var/run/docker.sock:/tmp/docker.sock:ro
        - /usr/share/nginx/html
        - ./teamcity/nginx/certs:/etc/nginx/certs:ro
        - ./teamcity/nginx/vhost:/etc/nginx/vhost.d
      environment:
        - DEFAULT_HOST=teamcity.mydomain.com
      networks:
        - teamcity
    nginx-letsencrypt:
      container_name: nginx-letsencrypt
      image: jrcs/letsencrypt-nginx-proxy-companion
      environment:
        - NGINX_PROXY_CONTAINER=nginx-proxy
      volumes:
        - ./teamcity/nginx/certs:/etc/nginx/certs:rw
        - /var/run/docker.sock:/var/run/docker.sock:ro
      volumes_from:
        - nginx-proxy
      networks:
        - teamcity
    teamcity-server:
      container_name: teamcity-server-instance
      user: root
      volumes:
        - ./teamcity/data:/data/teamcity_server/datadir
        - ./teamcity/logs/:/opt/teamcity/logs
      ports:
        - '8111:8111'
      image: jetbrains/teamcity-server
      environment:
        - VIRTUAL_HOST=teamcity.mydomain.com
        - LETSENCRYPT_HOST=teamcity.mydomain.com
        - LETSENCRYPT_EMAIL=support@mydomain.com
        - SERVER_URL=teamcity.mydomain.com
      depends_on:
        - postgres
      networks:
        - teamcity
    postgres:
      image: postgres:10
      volumes:
        - ./postgress/srv/postgresql/data:/var/lib/postgresql/data
      environment:
        - POSTGRES_PASSWORD=******
        - POSTGRES_USER=*****
        - POSTGRES_DB=teamcity
      expose:
        - 5432
      ports:
        - "5432:5432"
      networks:
        - teamcity
    teamcity-agent-1:
      container_name: teamcity-agent-1
      user: root
      environment:
        - 'SERVER_URL=https://teamcity-server-instance:8111'
        - DOCKER_IN_DOCKER=start
      volumes:
        - ./agent1/conf:/data/teamcity_agent/conf
        - ./agent1/volumes:/var/lib/docker
      privileged: true
      # depends_on and links must name the Compose service (teamcity-server),
      # not its container_name; Compose rejects a reference to an undefined service
      depends_on:
        - teamcity-server
      links:
        - teamcity-server
      image: jetbrains/teamcity-agent
      networks:
        - teamcity

Error from Agent Log:

[2021-12-29 07:09:19,354]   WARN - buildServer.AGENT.registration - Error while asking server for the communication protocols via URL https://teamcity.mydomain.com/app/agents/protocols. Will try later: java.net.ConnectException: Connection refused (Connection refused) (enable debug to see stacktrace)

[2021-12-29 07:09:19,354]   WARN - buildServer.AGENT.registration - Error registering on the server via URL https://teamcity.mydomain.com. Will continue repeating connection attempts.

What am I missing?

@alec-drw

alec-drw commented Jun 28, 2023

Old but I just ran into the same problem. This is applicable on the jetbrains/teamcity-agent:2021.1.2-linux-sudo image. I was able to fix it as follows:

Firstly, you need to grab agent.sh from /opt/buildagent/bin/agent.sh from the Dockerfile, as you will need to make two edits.

Changes to agent.sh:

TEAMCITY_AGENT_OPTS_ACTUAL="$TEAMCITY_AGENT_OPTS -ea $TEAMCITY_AGENT_MEM_OPTS_ACTUAL -Dteamcity_logs=$LOG_DIR/ -Djavax.net.ssl.keyStore=/opt/java/openjdk/jre/lib/security/cacerts -Djavax.net.ssl.trustStore=/opt/java/openjdk/jre/lib/security/cacerts -Djavax.net.ssl.keyStorePassword=changeit -Djavax.net.ssl.trustStorePassword=changeit"

And within the start|run) function of agent.sh:

keytool -importcert -noprompt -alias mycert -file /data/teamcity_agent/conf/trustedCertificates/mycert.crt \
        -keystore /opt/java/openjdk/jre/lib/security/cacerts -storepass changeit

Finally, copy the cert and updated agent.sh file to the Dockerfile:

RUN mkdir -p /data/teamcity_agent/conf/trustedCertificates
COPY certs/mycert /data/teamcity_agent/conf/trustedCertificates/mycert.crt
COPY agent.sh /opt/buildagent/bin/agent.sh

@approximate

You don't have to patch the Dockerfile or rebuild the image: a correct combination of environment variables ($TEAMCITY_AGENT_OPTS) and mounted keystores (/data/teamcity_agent/conf/trustedCertificates) would work just fine:

# First, import your certificate into a keystore file (mind the keystore type, the default/implicit one failed in my tests)
keytool -importcert -alias my_cert -file ~/my_cert.pem -deststoretype jks -keystore /etc/teamcity_agent/conf/trustedCertificates/my_keystore.jks -storepass changeit

# Now, run the agent
sudo docker run -e 'TEAMCITY_AGENT_OPTS=-Djavax.net.ssl.keyStore=/data/teamcity_agent/conf/trustedCertificates/my_keystore.jks -Djavax.net.ssl.trustStore=/data/teamcity_agent/conf/trustedCertificates/my_keystore.jks -Djavax.net.ssl.keyStorePassword=changeit -Djavax.net.ssl.trustStorePassword=changeit' -e SERVER_URL="https://teamcity.internal.your-org.com" -v /etc/teamcity_agent/conf/:/data/teamcity_agent/conf --name TeamcityAgent -u 0 --privileged -e DOCKER_IN_DOCKER=start jetbrains/teamcity-agent:2021.1.1-linux-sudo

(I had to run Docker-in-Docker, hence this specific image and the additional options.)

What I also tried but unsuccessfully:

  • (contrary to the official documentation) just putting PEM and/or JKS files into /data/teamcity_agent/conf/trustedCertificates without adding the $TEAMCITY_AGENT_OPTS environment variable: the certificates and keystores seem to be ignored, and the agent throws errors about failing certificate validation;
  • using keytool without specifying the keystore format: Java threw an error about a wrong file format.

Hope this helps.
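The dedicated-truststore approach from the comment above, as an added example that is not part of this issue or of the TeamCity images: it builds a JKS truststore from the server's PEM certificate with an explicit store type, checks by SHA-256 fingerprint that the intended certificate is the one that was imported, and produces the TEAMCITY_AGENT_OPTS value. Validating the server certificate only needs a trust store, so the javax.net.ssl.keyStore options are left out; keytool and openssl on PATH are assumed, and the paths, alias and password are placeholders.

```shell
#!/bin/sh
# Added example (not from the issue): build a dedicated JKS truststore for the
# TeamCity agent from the server's PEM certificate, verify the import by
# fingerprint, and produce the TEAMCITY_AGENT_OPTS value the agent needs.
# Assumes keytool and openssl on PATH; paths, alias and password are placeholders.
set -eu

# JVM options for the agent: validating the server certificate only needs a
# trust store; javax.net.ssl.keyStore is for client certificates and is omitted.
agent_opts() {
  printf -- '-Djavax.net.ssl.trustStore=%s -Djavax.net.ssl.trustStorePassword=%s' "$1" "$2"
}

# Import a PEM certificate into a fresh JKS truststore; the store type is given
# explicitly, since the implicit type failed for the commenter above.
make_truststore() {
  pem="$1"; store="$2"; pass="$3"; name="${4:-teamcity-server}"
  rm -f "$store"
  keytool -importcert -noprompt -alias "$name" -file "$pem" \
    -storetype jks -keystore "$store" -storepass "$pass" >/dev/null
}

# Succeeds only if the SHA-256 fingerprint keytool reports for the alias equals
# the fingerprint openssl computes from the PEM, i.e. the intended cert went in.
verify_truststore() {
  pem="$1"; store="$2"; pass="$3"; name="${4:-teamcity-server}"
  want=$(openssl x509 -in "$pem" -noout -fingerprint -sha256 | cut -d= -f2)
  have=$(keytool -list -v -alias "$name" -keystore "$store" -storepass "$pass" \
           -storetype jks 2>/dev/null | awk -F': ' '/SHA256:/ {print $2; exit}')
  [ -n "$want" ] && [ "$want" = "$have" ]
}
```

Mount the directory holding the .jks into the agent container at /data/teamcity_agent/conf/trustedCertificates and pass `-e "TEAMCITY_AGENT_OPTS=$(agent_opts /data/teamcity_agent/conf/trustedCertificates/my_keystore.jks changeit)"` to `docker run`, as in the comment above.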
