VSTS agent & TFS on premise (with an unofficial certificate, for testing purposes only)

Manuel Riezebosch
Jul 26, 2017 · 2 min read

I did not manage to let the agent work with the TFS generated certificate.

With the current ./start.sh script it is only possible to use PAT as authentication type.

You cannot use PAT as authentication on an insecure connection.

So you need SSL and you need the agent to trust the server certificate. These are the steps when you do not own an official certificate for your Team Foundation Server.

Create a self signed certificate using OpenSSL

choco install openssl.light
openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.crt -days 365 -subj "/CN=$env:COMPUTERNAME"
openssl pkcs12 -export -out server.pfx -inkey key.pem -in cert.crt

Source: https://stackoverflow.com/questions/10175812/how-to-create-a-self-signed-certificate-with-openssl

Source: https://www.ssl.com/how-to/create-a-pfx-p12-certificate-file-using-openssl/

Import pfx

certutil -f -enterprise -p password -importpfx .\server.pfx

The password is the one you entered in the previous step when exporting the pfx.

Source: https://stackoverflow.com/a/33404847/129269

Configure IIS to use this certificate

Open Internet Information Services (IIS) Manager

Navigate to your-tfs-server → Sites → Team Foundation Server.

Click through Bindings → https → Edit → Select → your certificate → OK.

Select certificate in IIS

Create agent

docker run -ti --name build-agent microsoft/vsts-agent:ubuntu-16.04-tfs-2017-u1-docker-17.03.0-ce-standard tail -f /dev/null

Or whatever TFS image is currently available.
The tail command keeps the container running (source: https://stackoverflow.com/a/30209974/129269).

Copy crt to agent

docker cp cert.crt build-agent:/usr/share/ca-certificates
docker exec -ti build-agent bash

Fix dns

My agent had troubles finding the server based on hostname.

curl your-tfs-hostname # could not resolve host
echo your-tfs-ip-address your-tfs-hostname >> /etc/hosts
curl your-tfs-hostname

Update: You can also add your tfs server to the hosts list by including the --add-host your-tfs-hostname:your-tfs-ip option in the docker run command!

Trust certificate on agent

curl https://your-tfs-hostname # server certificate verification failed
echo cert.crt >> /etc/ca-certificates.conf
update-ca-certificates # 1 added, 0 removed; done.
curl https://your-tfs-hostname # success!

Source: https://leehblue.com/add-self-signed-cert-curl/
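The copy, hosts and trust steps above, as one added helper script that is not part of the original post: before registering cert.crt in the container it checks that the server really presents the certificate generated earlier, so you never trust a certificate you did not create. It assumes openssl and docker on the host, cert.crt in the current directory, the container name build-agent from the "Create agent" step, and the hostname and IP as arguments.

```shell
#!/bin/sh
# Added helper (not from the original post). Assumes openssl and docker on the
# host, cert.crt from the "Create a self signed certificate" step in the current
# directory, and a container created as in the "Create agent" step.
set -eu

# SHA-256 fingerprint of a PEM certificate file, printed as "AB:CD:...".
cert_fingerprint() { # <cert-file>
  openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# Fingerprint of the certificate the TFS endpoint actually serves. Connect by IP
# (the hostname may not resolve, see "Fix dns") but send the hostname as SNI so
# IIS picks the binding you configured.
server_fingerprint() { # <tfs-hostname> <tfs-ip>
  openssl s_client -connect "$2:443" -servername "$1" </dev/null 2>/dev/null \
    | openssl x509 -noout -fingerprint -sha256 | cut -d= -f2
}

# Append a certificate name to a ca-certificates.conf-style file exactly once,
# so re-running this script never duplicates the entry.
add_ca_entry() { # <conf-file> <cert-name>
  if ! grep -qxF -- "$2" "$1" 2>/dev/null; then
    printf '%s\n' "$2" >> "$1"
  fi
}

# Copy cert.crt into the container and register it with update-ca-certificates,
# the same steps as "Copy crt to agent" and "Trust certificate on agent".
trust_cert_in_container() { # <container>
  docker cp cert.crt "$1:/usr/share/ca-certificates/cert.crt"
  docker exec "$1" sh -c 'grep -qxF cert.crt /etc/ca-certificates.conf || echo cert.crt >> /etc/ca-certificates.conf; update-ca-certificates'
}

# Only trust the certificate if the server really presents the one we generated;
# a mismatch usually means the IIS binding step did not take effect.
main() { # <tfs-hostname> <tfs-ip> [container]
  expected=$(cert_fingerprint cert.crt)
  actual=$(server_fingerprint "$1" "$2")
  if [ "$expected" != "$actual" ]; then
    echo "refusing to trust: server presents $actual, cert.crt is $expected" >&2
    return 1
  fi
  trust_cert_in_container "${3:-build-agent}"
}

if [ "$#" -ge 2 ]; then main "$@"; fi
```

Run it on the host after the IIS binding step as `./trust-tfs.sh your-tfs-hostname your-tfs-ip`; with no arguments it only defines the functions.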

Set TFS environment variables

export VSTS_TOKEN=your-pat-here
export TFS_URL=https://your-tfs-hostname

You could also provide these as environment variables when creating the container.

See the docs on how to obtain a PAT.

Start the agent

./start.sh

Dockerfile

Maybe you want to create a Dockerfile containing the steps of finding and trusting the server. But on the other hand, maybe you should just buy an official certificate for your (production) servers.

Build something

Read more: https://medium.com/@MRiezebosch/vsts-agent-docker-commands-e252e4cf086b
