microsoft / vso-agent

Visual Studio Team Services and TFS agent for Mac OSX and Linux
MIT License

"unable to verify the first certificate" on first run - Linux - Ubuntu #296

Closed rusergeev closed 8 years ago

rusergeev commented 8 years ago

I am trying to install the agent on Ubuntu and got an issue: when running ./run.sh it gives me "unable to verify the first certificate"

somebuild@somevm:~$ ./run.sh
Enter alternate username > some user
Enter alternate password >
Enter server url > https://tfs.some.url.com/tfs/
Enter agent name (enter sets somevm)  >
Enter agent pool name (enter sets default)  > some pool
Enter force basic (enter is false)  > true
Error starting the agent
**unable to verify the first certificate**

However my Linux talks SSL with the TFS server: the root certificate is in ca-certificates and the issuing and TFS server certificates are trusted.

somebuild@somevm:~$ openssl s_client -connect tfs.some.url.com:443
CONNECTED(00000003)
...
Secure Renegotiation IS supported
SSL-Session:
    Protocol  : TLSv1
...
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)

Any suggestion for troubleshooting? What exactly could not verify the first certificate? And what is the first certificate?

I cannot register the agent because of this.

bryanmacfarlane commented 8 years ago

That output is coming out of node.js. A quick search revealed: http://stackoverflow.com/questions/31673587/error-unable-to-verify-the-first-certificate-in-nodejs

bryanmacfarlane commented 8 years ago

Perhaps we need to do the inject call? Will look into it.

rusergeev commented 8 years ago

I cannot install the package ssl-root-cas to try to inject.

someuser@somevm:~/agent/node_modules$ ../runtime/node/bin/npm i ssl-root-cas --save
npm ERR! Linux 4.4.0-21-generic
npm ERR! argv "/home/someuser/agent/runtime/node/bin/node" "/home/someuser/agent/runtime/node/bin/npm" "i" "ssl-root-cas" "--save"
npm ERR! node v5.6.0
npm ERR! npm  v3.6.0

npm ERR! Cannot read property 'target' of null
npm ERR!
npm ERR! If you need help, you may report this error at:
npm ERR!     <https://github.com/npm/npm/issues>

npm ERR! Please include the following file with any support request:
npm ERR!     /home/someuser/agent/node_modules/npm-debug.log

andyfisher100 commented 8 years ago

I'd like to "upvote" the option of adding the inject if this will fix the issue and happy to help with some testing. We have two TFS app tiers that are load balanced using a Citrix Netscaler and we have put in the work to make this SSL only in order to turn on basic authentication in IIS, for the benefit of cross platform build agents.

We have now added the full chain to the netscaler so that when we make a request to the server the full certificate chain is supplied but we now get the issue of "Message: self signed certificate in certificate chain" when trying to connect to TFS when configuring the build agent.

We used Microsoft active directory certificate services to create a root and intermediate certificate and then created the server certificate afterwards. There is no reason why the cross platform build agent or TFS CLI (Happens on windows with this app too) would trust these certificates when connecting which is as expected, but there is no way to tell the applications to trust these certificates.

It basically means if you configure SSL with a self signed certificate chain, you cannot use the cross platform build agent or the TFS command line to upload custom build tasks. This is a huge blocker for us.

bryanmacfarlane commented 8 years ago

Can you try the new agent that is replacing this one? https://github.com/Microsoft/vsts-agent

rusergeev commented 8 years ago

Yes, I tried two previews. I will do the new 2.101 as well. Thanks for letting me know.

andyfisher100 commented 8 years ago

Tried this on a Mac running OS X Yosemite and v2.101.0 Preview

I hit a problem running the agent as a service. The failure was that the Library directory for my user account does not have a sub directory called LaunchAgents. The LaunchAgent folder is a sub directory of the root Library folder.

Enter run agent as service? (Y/N) (press enter for N) > y
Creating launch agent in /Users/Andy/Library/LaunchAgents/vsts.agent.livetfs.apwasu34.plist
Failed: /Users/Andy/Library/LaunchAgents does not exist. OSX system dir expected

As a workaround I created a LaunchAgents directory in /Users/Andy/Library/ and the service started, successfully authenticating using negotiate over HTTPS.

I created a new build definition for a TFSGit repo to run a hello world shell script, which queued and ran without any issues. My only comment here would be that some lines of the build output log, in TFS web access, are impossible to read as they are in an aqua colour. Example of two lines below that were in aqua colour.

2016-05-26T15:46:04.9091290Z ##[command]git config gc.auto 0
2016-05-26T15:46:05.0241920Z ##[command]git -c http.extraheader="AUTHORIZATION: bearer ****" fetch --tags --prune --progress origin

Finally, I just noticed what looks like a hardcoded value in the build log:

2016-05-26T15:46:04.6943450Z warning: templates not found /Users/stiliev/projects/gitwinout//share/git-core/templates

I will raise these issues on the github page for the new agent. Keep up the good work!

rusergeev commented 8 years ago

I tried the new agent Preview 5 v2.101.0 on Ubuntu (https://github.com/Microsoft/vsts-agent).

Enter run agent as service? (Y/N) (press enter for N) > y

Never worked.

However my problem persists when scheduling a build:

Starting: Build
API resource location 60aac929-f0cd-4bc8-9ce4-6b30e8f1b1bd is not registered on https://tfs.company.com/tfs/COLLECTION1/.
Finishing: Build

bryanmacfarlane commented 8 years ago

You'll have to provide more info than Y.

  1. I need all your answers during config. After that, we can look at the trace log @ _diag.
  2. Run interactive first to troubleshoot, then as a service
  3. Log an issue at vsts-agent, not here

ericsciple commented 8 years ago

@rusergeev make sure you configured the agent against the server url https://tfs.company.com/tfs, and not the collection url https://tfs.company.com/tfs/COLLECTION1

rusergeev commented 8 years ago

@ericsciple, I registered against http://tfs.company.com/tfs; that is an error message, which also displays COLLECTION1.

My projects are in this COLLECTION1, which is out of my control. My company.com dictates that.

rusergeev commented 8 years ago

Anyway, we got the first certificate issue solved by adding the full certificate chain to the trusted certificates.

bryanmacfarlane commented 8 years ago

Is there anything I can add to docs? Can you detail the steps and commands? It might help someone else ...

rusergeev commented 8 years ago

@bryanmacfarlane, it is maybe a good idea to add an SSL connection check to a troubleshooting section, if you have any. I will update you with my procedure (a couple of lines) after Memorial Day, when I get back to my office.
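As an added illustration that is not part of this thread and not the agent's own tooling: the "first certificate" is the server (leaf) certificate, and a client that trusts only the root cannot verify it when the intermediate is neither sent by the server nor in the client's trust store. The script below builds a constructed root/intermediate/leaf chain with openssl (the name tfs.example.test and all certificates are made up) and reproduces the failing case next to the two working ones, including the full-chain fix rusergeev used.

```shell
#!/bin/sh
# Constructed demo (not from the issue): root -> intermediate -> leaf chain,
# then verify the leaf the way a TLS client would under three trust setups.
set -e
WORK=$(mktemp -d)
cd "$WORK"

# Extension files: CA certs must carry CA:TRUE; the leaf carries the server name.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:tfs.example.test\n' > leaf.ext

# Root CA (self-signed)
openssl req -new -newkey rsa:2048 -nodes -keyout root.key -out root.csr -subj "/CN=Demo Root CA" 2>/dev/null
openssl x509 -req -in root.csr -signkey root.key -extfile ca.ext -days 2 -out root.pem 2>/dev/null
# Intermediate (issuing) CA, signed by the root
openssl req -new -newkey rsa:2048 -nodes -keyout int.key -out int.csr -subj "/CN=Demo Issuing CA" 2>/dev/null
openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial -extfile ca.ext -days 2 -out int.pem 2>/dev/null
# Server (leaf) certificate, signed by the intermediate: this is the "first certificate"
openssl req -new -newkey rsa:2048 -nodes -keyout leaf.key -out leaf.csr -subj "/CN=tfs.example.test" 2>/dev/null
openssl x509 -req -in leaf.csr -CA int.pem -CAkey int.key -CAcreateserial -extfile leaf.ext -days 2 -out leaf.pem 2>/dev/null

# The "full chain" bundle a client can trust: intermediate plus root.
cat int.pem root.pem > fullchain.pem

# verify_leaf TRUSTED [UNTRUSTED]: exit 0 if leaf.pem chains to the TRUSTED
# bundle, optionally using UNTRUSTED as the intermediate a server would send.
verify_leaf() {
  if [ -n "$2" ]; then
    openssl verify -CAfile "$1" -untrusted "$2" leaf.pem >/dev/null 2>&1
  else
    openssl verify -CAfile "$1" leaf.pem >/dev/null 2>&1
  fi
}

# 1. Trust store holds only the root, server sends only the leaf: FAILS
#    (openssl: "unable to get local issuer certificate"; node reports it as
#    "unable to verify the first certificate").
# 2. Same trust store, but the server also sends the intermediate: OK.
# 3. Trust store holds the full chain, server sends only the leaf: OK.
verify_leaf root.pem         && echo "unexpected: root-only verify passed" || echo "1. root only, leaf only: FAIL (expected)"
verify_leaf root.pem int.pem && echo "2. root trusted + intermediate sent by server: OK"
verify_leaf fullchain.pem    && echo "3. full chain trusted: OK"
# With Node 7.3 or later the bundle can be handed to node directly, without
# rebuilding the system store:  NODE_EXTRA_CA_CERTS="$WORK/fullchain.pem" node ...
```

Case 3 is what fixing the trust store achieves; case 2 is what fixing the server (sending the intermediate, as andyfisher100 did on the Netscaler) achieves.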