azure-pipelines-agent: [VSTS Agent] Unable to install vsts agent on Ubuntu Server 22.04 LTS
Having issue with Azure-Pipelines/VSTS/TFS?
Ubuntu Server 22.04 LTS has OpenSSL 3.0 on board by default, which causes an issue with connecting a vsts-agent to Azure DevOps.
Agent Version and Platform
Version of your agent? v2.202.1
OS of the machine running the agent? Ubuntu Server 22.04 LTS
Azure DevOps Type and Version
https://dev.azure.com/buildcanary/
What’s not working?
[2022-05-03 17:57:29Z ERR VisualStudioServices] GET request to https://dev.azure.com/buildcanary/_apis/connectionData?connectOptions=1&lastChangeId=-1&lastChangeId64=-1 failed. System.Net.Http.HttpRequestException: The SSL connection could not be established, see inner exception.
---> System.Security.Authentication.AuthenticationException: Authentication failed, see inner exception.
---> System.TypeInitializationException: The type initializer for 'SslMethods' threw an exception.
---> System.TypeInitializationException: The type initializer for 'Ssl' threw an exception.
---> System.TypeInitializationException: The type initializer for 'SslInitializer' threw an exception.
---> Interop+Crypto+OpenSslCryptographicException: error:0E076071:configuration file routines:module_run:unknown module name
Agent and Worker’s Diagnostic Logs
About this issue
- State: closed
- Created 2 years ago
- Reactions: 42
- Comments: 75 (11 by maintainers)
How is this still an open issue? When is this going to get resolved?
This is probably due to the OpenSSL config. Try this:
sudo sed -i 's/openssl_conf = openssl_init/#openssl_conf = openssl_init/g' /etc/ssl/openssl.cnf
Having the same issue here. A clean install of Ubuntu Server 22.04 LTS, when I try to run the ./config.sh it fails after inserting the personal access token with the message:
When I try to run /bin/installdependencies.sh I get the following errors:
I took a look at the dependencies myself, it seems Ubuntu 22.04 uses the following versions:
After installing these versions manually, the config.sh still fails to find a usable version of libssl.
Thank you, this worked, but
wget http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libssl1.1_1.1.1f-1ubuntu2.16_amd64.deb
returns a 404 now. It has been bumped up to version 17:
If you only apply @alexandrejulien’s solution and get the following new error:
Then you can fix that by applying @francisrpereira’s solution as well.
In a Dockerfile this looks like this:
I would strongly recommend against using --sslskipcertvalidation or AZP_AGENT_USE_LEGACY_HTTP=true because of the security implications.
With that said, I wonder what commenting out the line openssl_conf = openssl_init does. Could you elaborate on that @francisrpereira?
@al-cheb Azure DevOps Agent still uses .NET Core 3.1.
We have plans to upgrade the agent to .NET Core 6.0, but we need to check if there are any breaking changes.
Just to be clear to the maintainers, I don’t view “ninja-patch the not-supported-by-the-distro copy of OpenSSL onto the box” as an acceptable workaround. We want to run Azure Pipelines on Ubuntu 22.04 to ensure that we work for Ubuntu 22.04 customers who are not going to have done this hack to get OpenSSL 1.x on their boxes. The supported version of OpenSSL on Ubuntu 22.04 is 3.x, and we need to respect that decision.
https://github.com/microsoft/azure-pipelines-agent/releases/tag/v3.212.0
There is a .NET 6 based pre-release agent.
https://devblogs.microsoft.com/devops/upgrade-of-net-agent-for-azure-pipelines/
FWIW I had to use this package to get it to work
The combination of what @alexandrejulien and @francisrpereira suggested did the trick for me:
For the one interested: the workarounds written in ansible:
Yes, still need to do the work-around. I’ve updated our above script to “auto-detect” the latest libssl1.1 if you pass LIBSSLVERSION="latest" to it. Thought this might be of use to someone, you should be able to adapt it as necessary:
Hopefully we’ll see an updated agent soon and not need to jump through these hoops! 😄
Essentially we need to install an older OpenSSL version:
wget http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libssl1.1_1.1.1l-1ubuntu1.5_amd64.deb && sudo dpkg -i libssl1.1_1.1.1l-1ubuntu1.5_amd64.deb && rm libssl1.1_1.1.1l-1ubuntu1.5_amd64.deb
And then do:
sed -i 's/openssl_conf = openssl_init/#openssl_conf = openssl_init/g' /etc/ssl/openssl.cnf
Usual M$ crap… 😦
Hello,
This hack works fine on Ubuntu 22.04.
The problem is linked with OpenSSL 3.0 but you can add OpenSSL 1.1 on Ubuntu 22.04. Azure Pipelines uses .NET 3.1 which is not compatible with OpenSSL 3.0 (Only .NET 5-6 I think)
For adding OpenSSL 1.1 libraries on Ubuntu
or more simply
After you can reload the installer and it works fine for me.
Does this mean things are progressing?
https://devblogs.microsoft.com/dotnet/dotnet-6-is-now-in-ubuntu-2204/
Might be worth mentioning #3922 and #3879 here, as migration to .NET 6 should fix this.
Starting 3.225.0 all scripts are capable with libssl.
Closing this issue
‘fixed’ by again making that a Frankenstein Ubuntu 22.04
Just a friendly reminder that when you install stuff out of your configured repositories you won’t be getting any automatic updates to these packages.
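An added example, not part of the thread or of the agent project: a shell audit for hosts where the workarounds quoted above were applied. It reports whether openssl_conf = openssl_init is still commented out in an OpenSSL config file, and whether an installed package exists only in the dpkg status file, meaning it came from a downloaded .deb and apt will not update it. The function names and the --audit switch are assumptions of this example, and the sample policy output is constructed.

```shell
#!/usr/bin/env bash
# Added example: audit helpers for the two workarounds discussed in this thread.

# Prints active | commented | absent for the "openssl_conf = openssl_init"
# directive that the sed workaround comments out.
openssl_conf_state() {
    local re='openssl_conf[[:space:]]*=[[:space:]]*openssl_init'
    if grep -Eq "^[[:space:]]*${re}" "$1"; then echo active
    elif grep -Eq "^[[:space:]]*#[[:space:]]*${re}" "$1"; then echo commented
    else echo absent
    fi
}

# Reads `apt-cache policy <pkg>` output on stdin and prints:
#   repo          installed version is offered by a configured repository
#   local-only    installed version exists only in the dpkg status file,
#                 so apt will never upgrade it (hand-installed .deb)
#   not-installed no installed version is listed
package_origin() {
    awk '
        /^ \*\*\* /   { seen = 1; cur = 1; next }   # installed version stanza
        /^     [^ ]/  { cur = 0 }                   # a different version stanza
        cur && /^        [0-9]/ && $2 != "/var/lib/dpkg/status" { repo = 1 }
        END { print (!seen ? "not-installed" : (repo ? "repo" : "local-only")) }
    '
}

# Constructed sample: policy output for a libssl1.1 installed with dpkg -i.
sample_policy_local() {
    cat <<'EOF'
libssl1.1:
  Installed: 1.1.1f-1ubuntu2.16
  Candidate: 1.1.1f-1ubuntu2.16
  Version table:
 *** 1.1.1f-1ubuntu2.16 100
        100 /var/lib/dpkg/status
EOF
}

# Run with --audit on a real host; without arguments it uses the sample.
if [ "${1:-}" = "--audit" ]; then
    echo "openssl.cnf: $(openssl_conf_state /etc/ssl/openssl.cnf)"
    echo "libssl1.1:   $(apt-cache policy libssl1.1 2>/dev/null | package_origin)"
else
    echo "sample libssl1.1: $(sample_policy_local | package_origin)"
fi
```

A host that reports commented or local-only still carries the workaround and should be revisited once the agent no longer needs it.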
Sorry, just saying this so that maybe Google finds this. The error message there is:
@alexandrejulien
This is a summary about my machine and OS
when I attempt to install the agent
I get the following screenshot
this is the output of
/home/ubuntu/azagent/_diag/Agent_20220713-235125-utc.log
Well, the issue is pretty clear @alexandrejulien, and installing openssl 1.1 is what I’ve also tried before without any luck… now I tried it even with the .deb package like you provided and still no luck. I hope the agent will be patched to .NET 6 soon.
This issue seems to have been corrected as of June 2023 - I was able to install an Azure Agent v3.220.2 on Ubuntu 22.04.2 normally, without any workaround, and it worked without issue.
Just run the config and run. I did not have to run ./bin/installdependencies.sh
On Thu, 11 May 2023 at 18:32, mr.lioncub @.***> wrote:
I had to install libssl1.1 from here: https://ubuntu.pkgs.org/18.04/ubuntu-main-arm64/libssl1.1_1.1.0g-2ubuntu4_arm64.deb.html, and then the azure agent started working.
I couldn’t get this working on Ubuntu but did on Fedora 36 Server with just the following:
sudo dnf install dotnet-sdk-3.1
export AZP_AGENT_USE_LEGACY_HTTP=true
The issue still persists with vsts-agent-linux-x64-2.209.0.tar.gz on Ubuntu 22.04 LTS. The workaround described by @oviliz works fine.
Guys, your support is crucial 💔
On my side I succeeded with Alexandre Julien’s workaround.
I had to do 2 additional things to make it work completely:
https://stackoverflow.com/questions/69875520/unable-to-negotiate-with-40-74-28-9-port-22-no-matching-host-key-type-found-th