microsoft / azure-pipelines-tasks

Tasks for Azure Pipelines
https://aka.ms/tfbuild
MIT License

Self signed certificate in certificate chain error - Variable Group - Azure Key Vault #12010

Closed beolis closed 3 years ago

beolis commented 4 years ago

Required Information

Question, Bug, or Feature?
Type: Question

Enter Task Name: Azure Key Vault

Environment

  1. Have pushed the same credentials to a cloud system during a build pipeline to test; no errors.
    1. Current issue is using a release pipeline and pushing credentials by same method to private agent; error received.

Microsoft Windows Server 2019 Datacenter agent v2.160.1 (commit 8c04bd1)

Issue Description

The company utilises SSL inspection on its networks. We run the self-hosted agent with a certificate using the generated PowerShell from Azure DevOps plus the additional parameter "--sslcacert cacert.pem", following the advice from (1), specifically the section titled "Work with SSL client certificate".

A release pipeline is used to make a number of Secrets from an Azure Key Vault available through a linked variable group, scope set to entire release.

While running the release pipeline the Azure Key Vault task fails with the error "Self signed certificate in certificate chain". The Key Vault task cannot be configured to continue on error.

Note: Instances of the task DownloadBuildArtifacts honour the sslcacert setting and function as expected.

This behaviour has been mentioned before on MicrosoftDocs (2), and also in azure-pipelines-agent (3).

Question: Is it fair to assume that the Key Vault task requires all the benefits offered by enciphered data transfer, and is why self-signed certificates are not recognised as this could potentially compromise the data?

(1) https://docs.microsoft.com/en-us/azure/devops/pipelines/agents/certificate?view=azure-devops-2019

(2) https://github.com/MicrosoftDocs/vsts-docs/issues/5501

(3) https://github.com/Microsoft/azure-pipelines-agent/issues/1820

Task logs

Currently unable to provide, too much data to sanitise.

Error logs

Environment specific data has been removed from the output:

2019-12-19T01:15:57.1444793Z ##[section]Starting: Download secrets: DevOpsCreds
2019-12-19T01:15:57.1615952Z ==============================================================================
2019-12-19T01:15:57.1616224Z Task         : Azure Key Vault
2019-12-19T01:15:57.1616296Z Description  : Download Azure Key Vault secrets
2019-12-19T01:15:57.1616355Z Version      : 1.155.8
2019-12-19T01:15:57.1616406Z Author       : Microsoft Corporation
2019-12-19T01:15:57.1616488Z Help         : https://docs.microsoft.com/azure/devops/pipelines/tasks/deploy/azure-key-vault
2019-12-19T01:15:57.1616564Z ==============================================================================
2019-12-19T01:15:57.5350493Z SubscriptionId: x
2019-12-19T01:15:57.5350891Z Key vault name: x
2019-12-19T01:15:57.5369302Z Downloading secret value for: x
2019-12-19T01:15:57.5587281Z Downloading secret value for: x
2019-12-19T01:15:57.5590471Z Downloading secret value for: x
2019-12-19T01:15:58.5969489Z ##[error]
x: "self signed certificate in certificate chain"
x: "self signed certificate in certificate chain"
x: "self signed certificate in certificate chain"
2019-12-19T01:15:58.6001802Z ##[section]Finishing: Download secrets: x

beolis commented 4 years ago

Any update on this issue? Thanks!

beolis commented 4 years ago

Updated the azure pipelines agent to 2.165.0, still an issue.

Any updates on this issue at all?


jpdias92 commented 4 years ago

I'm having the exact same problem.

If instead of using the task I use the Azure CLI task with az keyvault secret ... then I can retrieve the secret but of course, that's not a great workaround...

A solution for this issue would be great

jpdias92 commented 4 years ago

In my case, the culprit was the corporate proxy I had configured the agents with. I solved the problem by adding a proxy bypass rule, following these instructions: https://docs.microsoft.com/en-us/azure/devops/pipelines/agents/proxy?view=azure-devops&tabs=windows#specify-proxy-bypass-urls

The specific url to add to the rule, I got by enabling the system diagnostics. In the case of Azure Key Vault, I would expect it to be always the same. The regex expression I use is login\.windows\.net

beolis commented 4 years ago

Thanks for the input @jpdias92, really glad to hear that you found a solution!

I've given the proxy bypass a try within our environment, however, for us the SSL interception used is technically not a proxy and won't work as expected.

In the end we added an exception for the resource to get around this issue, in addition to using the PS module: AzureRM.KeyVault for other interactions.

mdlopresti commented 4 years ago

Having the same issue here. Would love a solution so I don't have to create a workaround.

kmkumaran commented 4 years ago

@rohit-batra / @ammohant - Can you review the request?

github-actions[bot] commented 3 years ago

This issue is stale because it has been open for 180 days with no activity. Remove the stale label or comment on the issue otherwise this will be closed in 5 days

dabrantkosky commented 3 years ago

Still having this issue.

mdlopresti commented 3 years ago

Same

kimpatrickdelosreyes commented 3 years ago

What was the solution for this error? Encountering it running on a self-hosted agent.

[debug][POST]https://login.windows.net/***/oauth2/token/

[debug]Processed: ##vso[task.logissue type=error;code=SELF_SIGNED_CERT_IN_CHAIN;]

[debug]{"code":"SELF_SIGNED_CERT_IN_CHAIN"}

[debug]task result: Failed

[error]Get secrets failed. Error: self signed certificate in certificate chain.

payini commented 3 years ago

Having the same issue. Is there any solution for this?

sstarcher commented 2 years ago

Please reopen this issue.

sstarcher commented 2 years ago

If you supply this variable to the system it works as this code is NodeJS - https://nodejs.org/api/cli.html#cli_node_extra_ca_certs_file
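
As an added example (not from this issue or the agent project), the fix sstarcher points at: setting NODE_EXTRA_CA_CERTS for the agent so Node-based tasks trust the inspection CA that --sslcacert already covers for the agent itself. It assumes the agent reads KEY=VALUE lines from a .env file in its root directory, and it refuses NODE_TLS_REJECT_UNAUTHORIZED=0 because that disables verification instead of trusting the CA.

```shell
#!/bin/sh
# Configure a self-hosted agent so Node-based tasks trust the SSL inspection CA.
# Assumption: the agent reads KEY=VALUE lines from <agent_dir>/.env on start;
# that .env path is the only agent-specific detail assumed here.
set -eu

# Count CERTIFICATE blocks in a PEM bundle (prints 0 if the file is missing/empty).
pem_cert_count() {
    [ -f "$1" ] || { echo 0; return; }
    grep -c '^-----BEGIN CERTIFICATE-----' "$1" || true
}

# Idempotently set KEY=VALUE in <agent_dir>/.env, replacing any existing KEY line.
# Refuses the "fix" that turns TLS verification off entirely.
agent_set_env() {
    agent_dir="$1"; key="$2"; value="$3"
    if [ "$key" = NODE_TLS_REJECT_UNAUTHORIZED ] && [ "$value" = 0 ]; then
        echo "error: refusing to disable TLS verification; add the CA instead" >&2
        return 1
    fi
    env_file="$agent_dir/.env"
    touch "$env_file"
    # keep every other line, then append the new assignment
    { grep -v "^${key}=" "$env_file" || true; echo "${key}=${value}"; } > "$env_file.tmp"
    mv "$env_file.tmp" "$env_file"
}

# Point Node tasks at the inspection root CA (the same PEM given to --sslcacert).
# Fails instead of silently configuring a bundle that contains no certificate.
configure_node_ca() {
    agent_dir="$1"; cacert="$2"
    if [ "$(pem_cert_count "$cacert")" -eq 0 ]; then
        echo "error: $cacert contains no CERTIFICATE block" >&2
        return 1
    fi
    agent_set_env "$agent_dir" NODE_EXTRA_CA_CERTS "$cacert"
}
```

Restart the agent service after editing .env; the variable is read at agent start, not per job.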

mariolopezbdf commented 8 months ago

Please reopen