huserben / TfsExtensions

Extensions for TFS 2015+ such as custom Widgets (require TFS 2017) and Build Tasks
MIT License

`unable to verify the first certificate` when SSL Certificate error is not ignored #81

Closed LokiMidgard closed 5 years ago

LokiMidgard commented 5 years ago

I have a setup where the TFS and the agents are using domain certificates. When I don't ignore SSL certificate errors, I get the error `unable to verify the first certificate`.

Where do I need to install the certificate? The OS on the agent accepts the certificates. I needed to use `--gituseschannel` when configuring the agent, so git works.

huserben commented 5 years ago

Hi @LokiMidgard

I'm no expert in the configuration of the agents, and I think this is more related to that than to the task itself. Maybe you can check out the following docs if you haven't already; it seems like something special needs to be done to make it work with a domain certificate: https://github.com/Microsoft/vsts-agent/blob/master/docs/design/clientcert.md

Let me know if it helped; if not, we can try to dig deeper.

huserben commented 5 years ago

Hi again @LokiMidgard

I did some heavy refactoring over the past few days and the task is now internally using a Microsoft library to access the server. This means that the behavior you're experiencing might have changed, as before I was accessing the server with some third-party library that I had to configure manually.

If you want to give it another try and see if it changed, you can do so by installing the latest version of the extension and then switching the task to version 3 (Preview).

LokiMidgard commented 5 years ago

Hi,

Sorry for the silence. I'm currently on vacation. I don't know if I can check it already this week. I hope I get to this in the next week.

huserben commented 5 years ago

No problem, no hurry, I just wanted to let you know that it might work now.

LokiMidgard commented 5 years ago

I was able to test it.

And I think it worked :)
Thank you.

Are there any changes I should be aware of? I don't think anything in the UI changed.

huserben commented 5 years ago

The changes in the UI are very minimal; in case you trigger a build in the same team project, there are none actually.

What has changed is that the communication in the back to the server is not done "manually" by my code but using an official service from Microsoft. That's why I thought they probably handle these cases already, and it seems that the assumption was correct. :-)