azure-pipelines-tasks: Self signed certificate in certificate chain error - Variable Group - Azure Key Vault
Required Information
Question, Bug, or Feature?
Type: Question
Enter Task Name: Azure Key Vault
Environment
- Server - Azure Pipelines or TFS on-premises?
  - If using Azure Pipelines, provide the account name, team project name, build definition name/build number:
    - Have pushed the same credentials to a cloud system during a build pipeline to test; no errors.
    - Current issue is using a release pipeline and pushing credentials by the same method to a private agent; error received.
- Agent - Hosted or Private:
  - If using private agent, provide the OS of the machine running the agent and the agent version:
    Microsoft Windows Server 2019 Datacenter, agent v2.160.1 (commit 8c04bd1)
Issue Description
The company utilises SSL inspection on its networks. We run the self-hosted agent with a certificate using the generated PowerShell from Azure DevOps plus the additional parameter "--sslcacert cacert.pem", following the advice from (1), specifically the section titled "Work with SSL client certificate".
A release pipeline is used to make a number of Secrets from an Azure Key Vault available through a linked variable group, scope set to entire release.
While running the release pipeline the Azure Key Vault task fails due to an error:
Self signed certificate in certificate chain
The Key Vault task cannot be configured to continue on error.
Note: Instances of the task DownloadBuildArtifacts honour the sslcacert setting and function as expected.
This behaviour has been mentioned before on MicrosoftDocs (2), and also in azure-pipelines-agent (3).
Question: Is it fair to assume that the Key Vault task requires all the benefits offered by enciphered data transfer, and that this is why self-signed certificates are not recognised, as they could potentially compromise the data?
(1) https://docs.microsoft.com/en-us/azure/devops/pipelines/agents/certificate?view=azure-devops-2019
(2) https://github.com/MicrosoftDocs/vsts-docs/issues/5501
(3) https://github.com/Microsoft/azure-pipelines-agent/issues/1820
Task logs
Currently unable to provide, too much data to sanitise.
Error logs
Environment specific data has been removed from the output:
2019-12-19T01:15:57.1444793Z ##[section]Starting: Download secrets: DevOpsCreds
2019-12-19T01:15:57.1615952Z ==============================================================================
2019-12-19T01:15:57.1616224Z Task : Azure Key Vault
2019-12-19T01:15:57.1616296Z Description : Download Azure Key Vault secrets
2019-12-19T01:15:57.1616355Z Version : 1.155.8
2019-12-19T01:15:57.1616406Z Author : Microsoft Corporation
2019-12-19T01:15:57.1616488Z Help : https://docs.microsoft.com/azure/devops/pipelines/tasks/deploy/azure-key-vault
2019-12-19T01:15:57.1616564Z ==============================================================================
2019-12-19T01:15:57.5350493Z SubscriptionId: x
2019-12-19T01:15:57.5350891Z Key vault name: x
2019-12-19T01:15:57.5369302Z Downloading secret value for: x
2019-12-19T01:15:57.5587281Z Downloading secret value for: x
2019-12-19T01:15:57.5590471Z Downloading secret value for: x
2019-12-19T01:15:58.5969489Z ##[error]
x: "self signed certificate in certificate chain"
x: "self signed certificate in certificate chain"
x: "self signed certificate in certificate chain"
2019-12-19T01:15:58.6001802Z ##[section]Finishing: Download secrets: x
About this issue
- State: closed
- Created 5 years ago
- Reactions: 1
- Comments: 15 (1 by maintainers)
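The failure described above is a trust-store mismatch: the agent process was handed cacert.pem via --sslcacert, while the Key Vault task's own runtime verified the inspected chain without it. The following Go example is added here and is not code from the issue or from azure-pipelines-tasks; it reproduces that contrast offline with a constructed inspection CA and leaf, and the CA name and vault hostname are placeholders.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// issue signs tmpl for pub with signer; pass tmpl itself as parent to produce a self-signed root.
func issue(tmpl, parent *x509.Certificate, pub ed25519.PublicKey, signer ed25519.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert
}

// InspectionChain builds a constructed SSL-inspection root (returned as PEM, standing in for cacert.pem) and the leaf it issued for host.
func InspectionChain(host string) ([]byte, *x509.Certificate) {
	now, exp := time.Now(), time.Now().Add(time.Hour)
	caPub, caKey, _ := ed25519.GenerateKey(rand.Reader)
	leafPub, _, _ := ed25519.GenerateKey(rand.Reader)
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: now, NotAfter: exp, IsCA: true,
		Subject: pkix.Name{CommonName: "Example Corp SSL Inspection CA"}, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign}
	ca := issue(caTmpl, caTmpl, caPub, caKey)
	leaf := issue(&x509.Certificate{SerialNumber: big.NewInt(2), NotBefore: now, NotAfter: exp, DNSNames: []string{host},
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}, ca, leafPub, caKey)
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: ca.Raw}), leaf
}

// VerifyWithBundle validates leaf for host against cacertPEM alone; a nil bundle models a task runtime that never
// loaded cacert.pem, and the x509.UnknownAuthorityError it gets is Go's counterpart of the Node error in this issue.
func VerifyWithBundle(leaf *x509.Certificate, host string, cacertPEM []byte) error {
	roots := x509.NewCertPool()
	roots.AppendCertsFromPEM(cacertPEM) // nil or malformed PEM simply leaves the trust store empty
	_, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: roots})
	return err
}

func main() {
	host := "example-vault.vault.azure.net" // constructed placeholder, not a real vault
	bundle, leaf := InspectionChain(host)
	fmt.Println("without cacert.pem:", VerifyWithBundle(leaf, host, nil), "| with cacert.pem:", VerifyWithBundle(leaf, host, bundle))
}
```

The same leaf verifies or fails depending only on which process loaded the inspection root, which is why an agent-level --sslcacert setting does not help a task whose runtime keeps its own trust store.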
Thanks for the input @jpdias92, really glad to hear that you found a solution!
I’ve given the proxy bypass a try within our environment, however, for us the SSL interception used is technically not a proxy and won’t work as expected.
In the end we added an exception for the resource to get around this issue, in addition to using the PS module AzureRM.KeyVault for other interactions.