A last week I wrote about fixing some problems between Git and Team Foundation Server 2018 when TFS is configured to use a self-signed SSL certificate for HTTPS. Well, after I got that part working, I found a new problem while trying to configure a TFS build agent that would talk to my self-signed SSL certificate TFS machine.
When you are installing the TFS build agent on Windows, there are two steps: 1) download and extract the build agent zip and 2) run config.cmd to configure the agent. (Want a walk-through for installing the TFS build agent? Check out my TFS install guide.) With the self-signed SSL cert TFS, I kept getting an error on the config.cmd portion of the agent install that simply said "an error occurred while sending the request_"._
C:\agent>config.cmd
>> Connect:
Enter server URL > https://demo18-tfs
Enter authentication type (press enter for Integrated) >
Connecting to server ...
An error occurred while sending the request.
Failed to connect. Try again or ctrl-c to quit
Enter server URL >
The solution was simple and all that needed to happen was to add the self-signed certificate to the trusted root certificate store. After that the installation runs as expected. Basically, the TFS agent configuration script was having the same problem with that self-signed SSL certificate as Git was.
The instructions for how to get the certificates and install them, check out my blog post on fixing Git and self-signed SSL certificates. The script that fixes this problem is 03-import-iis-self-signed-cert-from-file.ps1. After you've run 03-import-iis-self-signed-cert-from-file.ps1_,_ you can re-run config.cmd to configure the TFS build agent and it should work.
HINT: Definitely run the build agent service as a user rather than Network Service because you're going to need to fix a few things that will require you to log in as the build user account.
The Build Agent Service Won't Run
Ok. So you've got the agent service configured. You start the agent service and if you look at the list of Windows Services (services.msc), the service is running. But if you go to the Agent Pool in TFS, that agent isn't running. That's not good.
If you look at the logs (c:\agent\_diag\Agent_*.log), you see an error that says
[2017-12-19 20:55:26Z ERR VisualStudioServices] GET request to https://demo18-tfs/_apis/connectionData?connectOptions=1&lastChangeId=-1&lastChangeId64=-1 failed. System.Net.Http.HttpRequestException: An error occurred while sending the request. ---> System.Net.Http.WinHttpException: A security error occurred at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw() at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) at System.Net.Http.WinHttpHandler.
Guess what? Same problem again. The self-signed certificate isn't trusted.
Log in to your build machine as your build agent user account and then run 03-import-iis-self-signed-cert-from-file.ps1. This will add the TFS self-signed root cert to the trusted root certificates for the build user's account.
Restart the build agent service. If you go to the agent pools, the build agent should be running.
Another Piece of Advice
Git is probably broken right now for the build agent user account. If you want Git to work with your new build server, you're going to need to configure your build agent to run as an actual user account (not Network Service) because you're going to need to fix the Git certificate problems. After you've installed the build agent, you'll almost definitely need to log in as the build user and then run 03-import-iis-self-signed-cert-from-file.ps1 and 04-update-gitconfig-and-add-cert-to-ca-bundle.ps1 in order to make Git happy. In order to make 04-update-gitconfig-and-add-cert-to-ca-bundle.ps1 work, you'll probably need to change the cert path to be "C:\agent\externals\git\mingw64\ssl\certs\ca-bundle.crt".
I hope this helps.
-Ben
-- Build agent configuration got you down? Want some help converting your XAML builds to the latest build format that works with VSTS and TFS2018? Looking for some help with your DevOps process? We can help. Drop us a line at info@benday.com.