Starting on October 1, 2021, an Azure Pipeline using the Download Artifacts - Teamcity task which runs on a Windows agent began failing with this error:
[error]Error: certificate has expired
As far as I can tell, the Download TeamCity Artifact task comes from this extension: https://github.com/microsoft/azure-pipelines-extensions/tree/master/Extensions/TeamCity/Src
No details are in the logs with debug turned on to indicate what certificate in the chain it believes is expired.
The TeamCity server the task tried to download an artifact from runs with Let's Encrypt certs, and had a valid cert at the time of this error. Because of the date on which the problems began, this root certificate change may be a factor: https://letsencrypt.org/docs/dst-root-ca-x3-expiration-september-2021/
In researching this issue, I found references that Node.js uses its own root certificate store to verify certificate chains instead of the OS one. It's possible the version of Node or one of its dependencies is old enough to lack the newer Let's Encrypt ISRG Root X1 cert. Or it's possibly leveraging OpenSSL 1.0.x, which has a known issue resolving the above root cert. (https://community.letsencrypt.org/t/openssl-client-compatibility-changes-for-let-s-encrypt-certificates/143816)
For now the issue is being worked around by adding a variable to the pipeline of Agent.SkipCertValidation = true.
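A diagnostic sketch for the two open questions in this report, which certificate in the chain is outside its validity window and whether the Node runtime's bundled CA store contains ISRG Root X1. This is an added example, not code from the TeamCity extension or the agent; it assumes Node 15.6 or later, the function names are hypothetical, and the sample chain is constructed with a placeholder host name.

```javascript
const tls = require("node:tls");
const { X509Certificate } = require("node:crypto");

// Follow issuerCertificate links from getPeerCertificate(true); a self-signed
// root links to itself, so stop at the first repeated fingerprint.
function flattenChain(leaf) {
  const chain = [], seen = new Set();
  for (let c = leaf; c && c.fingerprint256 && !seen.has(c.fingerprint256); c = c.issuerCertificate) {
    seen.add(c.fingerprint256);
    chain.push(c);
  }
  return chain;
}

// Certificates whose validity window does not contain `now`.
function outsideValidity(chain, now = new Date()) {
  return chain
    .filter((c) => now < new Date(c.valid_from) || now > new Date(c.valid_to))
    .map((c) => ({ subject: c.subject.CN, issuer: c.issuer.CN, valid_to: c.valid_to }));
}

// True if the CA bundle compiled into this Node binary has a root with this CN.
function bundledRootHas(cn) {
  return tls.rootCertificates.some((pem) =>
    new X509Certificate(pem).subject.split("\n").includes(`CN=${cn}`));
}

// Verification is disabled here only to read the chain; no request data is sent.
function inspect(host, port = 443) {
  return new Promise((resolve, reject) => {
    const s = tls.connect({ host, port, servername: host, rejectUnauthorized: false }, () => {
      const chain = flattenChain(s.getPeerCertificate(true));
      resolve({ verifyError: s.authorized ? null : String(s.authorizationError),
                expired: outsideValidity(chain) });
      s.end();
    });
    s.on("error", reject);
  });
}

// Constructed sample in the shape of getPeerCertificate(true); values are illustrative.
function cert(cn, issuerCn, from, to, issuerCertificate) {
  const c = { subject: { CN: cn }, issuer: { CN: issuerCn }, valid_from: from, valid_to: to,
              fingerprint256: `constructed-${cn}`, issuerCertificate };
  if (!issuerCertificate) c.issuerCertificate = c; // self-signed root
  return c;
}
const oldRoot = cert("DST Root CA X3", "DST Root CA X3", "Sep 30 21:12:19 2000 GMT", "Sep 30 14:01:15 2021 GMT");
const cross = cert("ISRG Root X1", "DST Root CA X3", "Jan 20 19:14:03 2021 GMT", "Sep 30 18:14:03 2024 GMT", oldRoot);
const inter = cert("R3", "ISRG Root X1", "Sep 04 00:00:00 2020 GMT", "Sep 15 16:00:00 2025 GMT", cross);
const SAMPLE_LEAF = cert("teamcity.example.test", "R3", "Sep 01 00:00:00 2021 GMT", "Nov 30 00:00:00 2021 GMT", inter);
```

Run it with the same Node binary the agent uses for tasks, for example `inspect("your-teamcity-host").then(console.log)` and `bundledRootHas("ISRG Root X1")`, since a different Node install can carry a different CA bundle.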