azure-pipelines-agent: "The SSL connection could not be established" when configuring agent behind enterprise root cert
Agent Version and Platform
2.194.0, MacOS
Azure DevOps Type and Version
Azure DevOps Services (dev.azure.com)
What’s not working?
I’m attempting to install the Azure DevOps agent behind an enterprise proxy which injects a root certificate. I’ve added that root certificate to the OS X keychain and marked it as trusted, and when I go to https://dev.azure.com in my browser, I see it successfully being served up as trusted using my organization’s root cert. When I try to run config.sh to configure the agent, I get this message, though:
The SSL connection could not be established, see inner exception.
In the generated log, here’s the error I see:
[2021-11-08 22:07:33Z ERR VisualStudioServices] GET request to https://dev.azure.com/progcloud/_apis/connectionData?connectOptions=1&lastChangeId=-1&lastChangeId64=-1 failed. System.Net.Http.HttpRequestException: The SSL connection could not be established, see inner exception. —> System.Security.Authentication.AuthenticationException: The remote certificate is invalid according to the validation procedure. at System.Net.Security.SslStream.StartSendAuthResetSignal(ProtocolToken message, AsyncProtocolRequest asyncRequest, ExceptionDispatchInfo exception) (… more boilerplate stacktrace)
The closest thing to guidance I can find is the article on how to Run the agent with a self-signed certificate, which suggests using curl -v to validate that your SSL is working. When I run a curl on the URL in question, the response includes:
- Server certificate:
- subject: CN=dev.azure.com
- start date: Nov 18 13:11:54 2020 GMT
- expire date: Nov 18 13:11:54 2021 GMT
- subjectAltName: host “dev.azure.com” matched cert’s “dev.azure.com”
- issuer: // my organization’s issuer information
- SSL certificate verify ok.
Is there something I’m missing? If my SSL trust chain is validating in the browser and via CURL, is there something else I need to do to cause the agent config utility to validate my cert?
About this issue
- State: closed
- Created 3 years ago
- Comments: 26 (2 by maintainers)
I just discovered that if I run export AZP_AGENT_USE_LEGACY_HTTP=true prior to running config.sh, then my SSL validation works as expected. @anatolybolshakov, if you or anyone more familiar with this codebase can help provide info on what may have changed about SSL validation between the legacy HTTP handler and the new default handler, it would be immensely helpful.
Running on Ubuntu 22.04.1 LTS I had to do the following to install the agent. Any one of the solutions above wouldn’t work, I had to have a combination of the solutions:
Edit: I also had to add export AZP_AGENT_USE_LEGACY_HTTP=true to the top of the runsvc.sh file
Also having this issue when I upgraded to Ubuntu 22.04 in preparation for that release on 4/21/2022. I am running agents self hosted in docker, managed by kubernetes: https://docs.microsoft.com/en-us/azure/devops/pipelines/agents/docker?view=azure-devops
When I added the environment variable
It works now.
Worked for me on Ubuntu 22.04 - export AZP_AGENT_USE_LEGACY_HTTP=true
I’m having the same issue as well, started this morning…
If you’re getting an error with --skipsslcertvalidation, then it sounds like you’re running into something different than what I’m experiencing. In my case, --skipsslcertvalidation causes the agent registration to work successfully, but then I continue to get other SSL errors when trying to run certain pipeline tasks. But in my case, my certificate is valid and trusted by the MacOS machine, but for some reason won’t pass the pipeline agent’s cert validation.