azure-pipelines-agent: Bug: On Windows, Git is not invoked correctly when client certificates are used

I believe the below is a bug description; I do not have enough knowledge of how to properly fix this. Also, the workaround described below might be useful for others who run into this issue.

Situation: I am running a self-hosted pipeline agent, connecting to a self-hosted Azure DevOps server. I have configured the agent with all the certificate options as specified here.

Result:

  • The agent can successfully connect to the Azure DevOps server
  • However, when running a job, it fails to fetch the source code from the TFS Git repository

Issue: sslclientcert value (C:\agent\clientcert.pem) is passed into libcurl via git http.sslcert configuration. This does not work on Windows, since libcurl expects a location in the system certificates store instead of a file location. See here and here.

Workaround: As described in the git config, the configuration can be overwritten by setting the environment variable GIT_SSL_CERT. By setting GIT_SSL_CERT to ‘CurrentUser\My<fingerprint>’, I got it to work on my system.

OS: Windows Server 2019

Agent version: 2.150.3

Agent configuration script:

.\config.cmd `
  --agent $agentName `
  --gituseschannel `
  --pool $poolName `
  --sslcacert ca.pem `
  --sslclientcert clientcert.pem `
  --sslclientcertkey clientcert-key-pass.pem `
  --sslclientcertarchive clientcert-archive.pfx `
  --sslclientcertpassword $sslClientCertPassword `
  --token $authToken `
  --unattended `
  --url $tfsUrl `
  --work $workDir 

Logs:

2019-05-22T14:18:43.1900866Z ##[section]Starting: Get sources
2019-05-22T14:18:43.2173401Z ==============================================================================
2019-05-22T14:18:43.2173553Z Task : Get sources
2019-05-22T14:18:43.2173622Z Description : Get sources from a repository. Supports Git, TfsVC, and SVN repositories.
2019-05-22T14:18:43.2173670Z Version : 1.0.0
2019-05-22T14:18:43.2173764Z Author : Microsoft
2019-05-22T14:18:43.2173806Z Help : More Information
2019-05-22T14:18:43.2173866Z ==============================================================================
2019-05-22T14:18:44.2814989Z Syncing repository: ISCV (Git)
2019-05-22T14:18:44.2816225Z Prepending Path environment variable with directory containing 'git.exe'.
2019-05-22T14:18:44.2822543Z ##[command]git version
2019-05-22T14:18:45.2838267Z git version 2.21.0.windows.1
2019-05-22T14:18:45.2838608Z ##[command]git config --get remote.origin.url
2019-05-22T14:18:45.7299836Z ##[command]git config gc.auto 0
2019-05-22T14:18:45.8847867Z ##[command]git config --get-all http.https://tfs.xxx.com/tfs/region/_git/ISCV.extraheader
2019-05-22T14:18:46.3739088Z ##[command]git config --get-all http.proxy
2019-05-22T14:18:47.2475581Z ##[command]git -c http.extraheader="AUTHORIZATION: bearer ***" -c http.sslcainfo="C:\agent\ca.pem" -c http.sslcert="C:\agent\clientcert.pem" -c http.sslkey="C:\agent\clientcert-key-pass.pem" -c http.sslCertPasswordProtected=true -c core.askpass="C:\agent_work_temp\f6edb1a9-9750-4ade-8243-73cd2c7105dd.sh" -c http.sslbackend="schannel" fetch --tags --prune --progress --no-recurse-submodules origin
2019-05-22T14:18:48.6638642Z fatal: unable to access 'https://tfs.xxx.com/tfs/region/_git/ISCV': schannel: Failed to get certificate location for C:\agent\clientcert.pem
2019-05-22T14:18:48.6838388Z ##[warning]Git fetch failed with exit code 128, back off 6.374 seconds before retry.
2019-05-22T14:18:55.0573649Z ##[command]git -c http.extraheader="AUTHORIZATION: bearer ***" -c http.sslcainfo="C:\agent\ca.pem" -c http.sslcert="C:\agent\clientcert.pem" -c http.sslkey="C:\agent\clientcert-key-pass.pem" -c http.sslCertPasswordProtected=true -c core.askpass="C:\agent_work_temp\f6edb1a9-9750-4ade-8243-73cd2c7105dd.sh" -c http.sslbackend="schannel" fetch --tags --prune --progress --no-recurse-submodules origin
2019-05-22T14:18:55.8820541Z fatal: unable to access 'https://tfs.xxx.com/tfs/region/_git/ISCV': schannel: Failed to get certificate location for C:\agent\clientcert.pem
2019-05-22T14:18:55.8934928Z ##[warning]Git fetch failed with exit code 128, back off 8.261 seconds before retry.
2019-05-22T14:19:04.1573280Z ##[command]git -c http.extraheader="AUTHORIZATION: bearer ***" -c http.sslcainfo="C:\agent\ca.pem" -c http.sslcert="C:\agent\clientcert.pem" -c http.sslkey="C:\agent\clientcert-key-pass.pem" -c http.sslCertPasswordProtected=true -c core.askpass="C:\agent_work_temp\f6edb1a9-9750-4ade-8243-73cd2c7105dd.sh" -c http.sslbackend="schannel" fetch --tags --prune --progress --no-recurse-submodules origin
2019-05-22T14:19:04.9344392Z fatal: unable to access 'https://tfs.xxx.com/tfs/region/_git/ISCV': schannel: Failed to get certificate location for C:\agent\clientcert.pem
2019-05-22T14:19:04.9503341Z ##[error]Git fetch failed with exit code: 128
2019-05-22T14:19:04.9752648Z ##[section]Finishing: Get sources

About this issue

  • State: closed
  • Created 5 years ago
  • Comments: 19 (6 by maintainers)
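
The workaround from the issue as a script, added here as an example; it is not part of the original report or of the agent's own code. It assumes it is run from the agent folder by the account the agent runs under, that the client certificate is the clientcert-archive.pfx from the configuration script, and that the store path takes the `CurrentUser\My\<thumbprint>` form libcurl documents for its Schannel backend.

```powershell
# Added example. Run as the account the agent runs under: CurrentUser\My is a
# per-user store, and Schannel looks the certificate up there at fetch time.
param(
    [string]$PfxPath = '.\clientcert-archive.pfx',   # archive named in the config script
    [Parameter(Mandatory)][securestring]$PfxPassword
)

# Import certificate and key. Without -Exportable the private key cannot be
# exported from the store again.
$cert = Import-PfxCertificate -FilePath $PfxPath `
            -CertStoreLocation Cert:\CurrentUser\My -Password $PfxPassword |
        Select-Object -First 1

# Schannel can only present a certificate whose private key is in the store.
if (-not $cert.HasPrivateKey) {
    throw "Certificate $($cert.Thumbprint) was imported without a private key."
}

# Reject an expired or not-yet-valid certificate before the agent tries to use it.
$now = Get-Date
if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
    throw "Certificate is outside its validity period ($($cert.NotBefore) to $($cert.NotAfter))."
}

# If an Enhanced Key Usage extension is present, it must allow Client Authentication.
$clientAuthOid = '1.3.6.1.5.5.7.3.2'
$eku = $cert.Extensions | Where-Object {
    $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
}
if ($eku) {
    $oids = $eku.EnhancedKeyUsages | ForEach-Object { $_.Value }
    if ($oids -notcontains $clientAuthOid) {
        throw 'Certificate EKU does not include Client Authentication.'
    }
}

# Certificate-store path that replaces the PEM file name for Schannel.
$storePath = 'CurrentUser\My\{0}' -f $cert.Thumbprint

# git lets GIT_SSL_CERT override http.sslcert. User scope is an assumption here;
# the agent must be restarted to pick up the new value.
[Environment]::SetEnvironmentVariable('GIT_SSL_CERT', $storePath, 'User')
$storePath
```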

Most upvoted comments

Could it be that a client cert on Windows agent is currently broken for everyone?