microsoft / vso-agent

Visual Studio Team Services and TFS agent for Mac OSX and Linux
MIT License

OSX trusting private certificate authority #246

Closed metri closed 8 years ago

metri commented 8 years ago

Hi! Our tfs server is configured to work only with https.

However, when I try to configure the following message appears:

Error starting the agent unable to get local issuer certificate

I tried to add a root certificate (over update-ca-certificates) on your Debian build-agent, but it did not help.

I use https://github.com/Microsoft/vso-agent/releases/download/0.5.8/xplat0.5.8Linux64.tar.gz .

bryanmacfarlane commented 8 years ago

The agent works fine with https. We use it every day against VSO.

It sounds like the issue is with your Linux machine and whoever the certificate authority is.

metri commented 8 years ago

Yep. VSO-agent configures and runs normally on https://myname.visualstudio.com/DefaultCollection/ . But... oh. But on https://tfsserver.mycompany.com/tfs there is a problem with the certificate. Maybe the problem occurs in the embedded node.js / npm? We have our own certifying server, but I added it to the root of my Debian build agent.

Oh, sorry for my English.

andyfisher100 commented 8 years ago

I think I have a similar issue on Mac.

We use Active Directory Cert Services and created a certificate for our on-prem TFS server. I then logged onto the mac and installed the certificate chain into the system keychain and set the root as "always trust".

If I open Safari and navigate to the TFS URL, the browser says the certificate is fine and the connection is encrypted.

When I run through the on-prem setup documentation for the agent and do run.sh, I get an OpenSSL error of "Unable to verify the first certificate". Searching online for this error doesn't give much information and I can't understand why I can navigate to the TFS server in Safari and the browser says everything is fine with the certificate chain but the agent setup complains.

metri commented 8 years ago

I found the problem. It was really due to node.js. Adding the environment variable NODE_TLS_REJECT_UNAUTHORIZED="0" helped solve the problem, but it is not a good solution.

bryanmacfarlane commented 8 years ago

I think that is just telling node to ignore issues with https. The issue is still with the machine https and figuring out why it's having issues trusting the certificate authority. That makes the root issue in the machine/config. Either way, not an agent code issue.