microsoft / vso-agent

Visual Studio Team Services and TFS agent for Mac OSX and Linux
MIT License

Error configuring agent: "Unable to verify the first certificate" #254

Closed andyfisher100 closed 8 years ago

andyfisher100 commented 8 years ago

I'm trying to set up the agent on a Mac for my on-prem TFS instance.

The TFS 2015 Update 2 RC2 instance is hosted on a Windows box with SSL enabled and basic authentication on the TFS web site in IIS. The SSL certificates used for TFS are created from our Microsoft Active Directory Certificate Services instance and are in the following chain: RootCA > SubCA > WebServerCert

The Mac is currently running the Yosemite version of OS X. I uploaded the RootCA and SubCA to the keychain and, as a result, when I navigate to the TFS URL via a browser, I can access the site without any certificate issues being reported.

When I try to configure the agent on the Mac, I get the following error:

```
Error starting the agent
unable to verify the first certificate
```

From searching around, this looks like an OpenSSL error, and if I run the following command from a terminal window, I get the same error:

```
$ openssl s_client -connect tfsserverurl:443
Verify Return Code: 21 (unable to verify the first certificate)
```

However, that command also allows you to specify the location of the CA file on the machine, and if I do this, it verifies successfully.

```
$ openssl s_client -connect tfsserverurl:443 -CAfile /path/SubCA.cer
Verify Return Code: 0 (ok)
```

Any idea how I can resolve this issue so that I can configure the agent?

bryanmacfarlane commented 8 years ago

This looks to be external to the agent. You need to get your Mac able to talk SSL (the first command should work). We're not even handling the SSL layer - we're going through Node, which is using libcurl, so this is an OS config issue.

rusergeev commented 8 years ago

I am trying to install the agent on Ubuntu Linux and got a similar issue: when running ./run.sh it gives me "unable to verify the first certificate"

```
somebuild@somevm:~$ ./run.sh
Enter alternate username > someuser
Enter alternate password >
Enter server url > https://tfs.some.url.com/tfs/
Enter agent name (enter sets somevm)  >
Enter agent pool name (enter sets default)  > somepool
Enter force basic (enter is false)  > true
Error starting the agent
**unable to verify the first certificate**
```

However, my Linux talks SSL with the TFS server (not without effort).

```
somebuild@somevm:~$ openssl s_client -connect tfs.some.url.com:443
CONNECTED(00000003)
...
Secure Renegotiation IS supported
SSL-Session:
    Protocol  : TLSv1
...
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
```

Any suggestions for troubleshooting?

rusergeev commented 8 years ago

I opened a new question: welcome
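
An offline reproduction of the chain-building behaviour behind the `openssl` checks in this thread, added here as an example (it is not code from the issue or from vso-agent). It generates a constructed RootCA > SubCA > WebServerCert chain with throwaway keys and reports which trust setups let `openssl verify` reach the root; the subject names, file names and helper functions are assumptions made for the example.

```shell
#!/bin/sh
# Added example: builds a throwaway RootCA > SubCA > WebServerCert chain
# (all names and files are constructed) and shows which trust setups let
# `openssl verify` build a path from the server certificate to the root.

make_chain() (   # $1 = empty working directory; subshell keeps the cd local
  cd "$1" || exit 1
  printf '%s\n' '[req]' 'distinguished_name = dn' 'prompt = no' '[dn]' \
    'CN = constructed' '[v3_ca]' 'basicConstraints = critical,CA:TRUE' > ca.cnf
  exec 2>/dev/null   # hide key-generation progress output
  new_csr() { openssl req -new -config ca.cnf -subj "/CN=$1" -newkey rsa:2048 \
                -nodes -keyout "$2.key" -out "$2.csr"; }
  openssl req -x509 -config ca.cnf -extensions v3_ca -subj "/CN=Example RootCA" \
    -newkey rsa:2048 -nodes -keyout root.key -out root.pem -days 2 &&
  new_csr "Example SubCA" sub &&
  openssl x509 -req -in sub.csr -CA root.pem -CAkey root.key -CAcreateserial \
    -extfile ca.cnf -extensions v3_ca -days 2 -out sub.pem &&
  new_csr "tfs.example.test" leaf &&
  openssl x509 -req -in leaf.csr -CA sub.pem -CAkey sub.key -CAcreateserial \
    -days 2 -out leaf.pem &&
  cat root.pem sub.pem > bundle.pem   # trust file holding both CA certificates
)

# Prints "ok" if leaf.pem verifies with the given `openssl verify` options,
# "fail" otherwise, judged by the "leaf.pem: OK" line printed on success.
verifies() {     # $1 = chain directory, remaining args = verify options
  dir=$1; shift
  if (cd "$dir" && openssl verify "$@" leaf.pem 2>&1) | grep -q ': OK$'; then
    echo ok
  else
    echo fail
  fi
}

trust_report() { # $1 = chain directory
  # Client trusts only the root and nobody supplies the SubCA certificate.
  echo "root-only=$(verifies "$1" -CAfile root.pem)"
  # SubCA arrives untrusted, the way a server presenting its full chain sends it.
  echo "root+sent-intermediate=$(verifies "$1" -CAfile root.pem -untrusted sub.pem)"
  # Client's own CA file contains both RootCA and SubCA.
  echo "bundle=$(verifies "$1" -CAfile bundle.pem)"
}
```

Run `d=$(mktemp -d); make_chain "$d"; trust_report "$d"` to see the three outcomes side by side.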