Failed in getBuild with error: Error: self signed certificate in certificate chain

[shivanaru]

VSTS Online

Private agent: Win 2012 R2 Datacenter, Agent v 2.133.3

The automated CD deployment is failing on the Release since this morning. It was working fine earlier.
The error is:
2018-05-15T19:16:29.5467063Z ==============================================================================
2018-05-15T19:16:29.5467201Z Task : Download Build Artifacts
2018-05-15T19:16:29.5467283Z Description : Download Build Artifacts
2018-05-15T19:16:29.5467360Z Version : 0.133.4
2018-05-15T19:16:29.5467468Z Author : Microsoft Corporation
2018-05-15T19:16:29.5467540Z Help :
2018-05-15T19:16:29.5467637Z ==============================================================================
2018-05-15T19:16:30.5523744Z Error : in getBuild, so retrying => retries pending : 4
2018-05-15T19:16:34.2060897Z Error : in getBuild, so retrying => retries pending : 3
2018-05-15T19:16:38.2212775Z Error : in getBuild, so retrying => retries pending : 2
2018-05-15T19:16:42.2213719Z Error : in getBuild, so retrying => retries pending : 1
2018-05-15T19:16:46.2409057Z ##[error]Failed in getBuild with error: Error: self signed certificate in certificate chain
2018-05-15T19:16:46.2595096Z ##[error]Error: self signed certificate in certificate chain

[shivanaru]

solved it!

Had to configure the agent on the target server - which I already read on another issue but when I ran the .\config.cmd - it said to remove the agent since the configuration cannot be changed while it exists/runs. Then to re-create the agent, I just got the script from the VSTS and it didn't have the cert param - so was confounded on how to mention the cert in the params for the configuration for the agent. Finally figured it out.

1. To remove the agent:
   c:/vsts/a1> .\config.cmd remove

2. Then get your corp SSL certificate(.pem file) and put it in the root folder of the agent i.e. c:\vsts\a1 in my case. To get the .pem file:
   •Export CA cert from Trusted Root CA Store, use Base64 Encoding X.509 (.CER) format, name the export cert to something like ca.pem.
   •Export any intermediate CA cert from Intermediate CA Store, use Base64 Encoding X.509 (.CER) format, name the export cert to something like ca_inter_1/2/3.pem. Concatenate all intermediate ca certs into ca.pem, your ca.pem might looks like following:
   -----BEGIN CERTIFICATE-----
   (Your Root CA certificate: ca.pem)
   -----END CERTIFICATE-----
   -----BEGIN CERTIFICATE-----
   (Your Intermediate CA certificate: ca_inter_1.pem)
   -----END CERTIFICATE-----
   ...
   -----BEGIN CERTIFICATE-----
   (Your Intermediate CA certificate: ca_inter_n.pem)
   -----END CERTIFICATE-----

3. then run the config command again (to configure the agent again with the sslcacert param and anything else you need)
   .\config.cmd --sslcacert YourCertName.pem --deploymentgroup --deploymentgroupname "deployment-group-name" --agent $env:COMPUTERNAME --runasservice --work '_work' --url 'https://yourcorpname.visualstudio.com/' --projectname 'your-project-name';

(Let me know if you have issues getting this to work - via comments here maybe?)
Hope this helps!

[AnshulMehta187]

Hi
I did this but the system is not able to find the certificate file in the root folder and I am still getting this issue.
I tried skip the SSL certificate validation as well in the cmd but still it gave me the same error while fetching the build artifacts.

[shivanaru]

Hi there, As mentioned in the blog post, you need to copy the certificate ie .pem file to the root of your build agent directory (where you have the config , run files). Then run the config command with sslcacert param. It should work. I did this just yesterday on vsts (azure devops). Feel free to contact me if you have any further questions. Hope this helps. Good luck!! Sent from Pixel 2 XL

…

On Mon, Dec 10, 2018, 3:35 PM AnshulMehta187 ***@***.*** wrote: Hi I did this but the system is not able to find the certificate file in the root folder and I am still getting this issue. I tried skip the SSL certificate validation as well in the cmd but still it gave me the same error while fetching the build artifacts. — You are receiving this because you modified the open/close state. Reply to this email directly, view it on GitHub <#7214 (comment)>, or mute the thread <https://github.com/notifications/unsubscribe-auth/AkH39SCG6zYCcXihWhQu_TY6xwCJ8ls2ks5u3u_PgaJpZM4UAVrU> .