VSTS agent & TFS on premise (with an unofficial certificate, for testing purposes only)

I did not manage to get the agent to work with the TFS-generated certificate.

With the current ./start.sh script it is only possible to use a PAT as the authentication type.

You cannot use a PAT for authentication over an insecure (plain HTTP) connection.

So you need HTTPS, and the agent needs to trust the server certificate. These are the steps to follow when you do not have an official (CA-issued) certificate for your Team Foundation Server.

Create a self signed certificate using OpenSSL

# PowerShell on the TFS server; the CN must match the hostname the agent will later use in TFS_URL
choco install openssl.light
openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.crt -days 365 -subj "/CN=$env:COMPUTERNAME"
# bundle key and certificate into a pfx for import into the Windows certificate store (you will be asked for an export password)
openssl pkcs12 -export -out server.pfx -inkey key.pem -in cert.crt

Source: https://stackoverflow.com/questions/10175812/how-to-create-a-self-signed-certificate-with-openssl

Source: https://www.ssl.com/how-to/create-a-pfx-p12-certificate-file-using-openssl/

Import pfx

certutil -f -enterprise -p password -importpfx .\server.pfx

Replace password with the export password you chose in the previous step when creating the pfx.

Source: https://stackoverflow.com/a/33404847/129269

Configure IIS to use this certificate

Open Internet Information Services (IIS) Manager

Navigate to your-tfs-server → Sites → Team Foundation Server.

Click through Bindings → https → Edit → Select → your certificate → OK.

Select certificate in IIS

Create agent

docker run -ti --name build-agent microsoft/vsts-agent:ubuntu-16.04-tfs-2017-u1-docker-17.03.0-ce-standard tail -f /dev/null

Or whatever TFS image is currently available.
The tail command keeps the container running (source: https://stackoverflow.com/a/30209974/129269).

Copy crt to agent

docker cp cert.crt build-agent:/usr/share/ca-certificates
docker exec -ti build-agent bash

Fix dns

My agent had trouble finding the server by hostname.

curl your-tfs-hostname # could not resolve host
echo your-tfs-ip-address your-tfs-hostname >> /etc/hosts
curl your-tfs-hostname

Update: You can also add your TFS server to the hosts list by including the --add-host your-tfs-hostname:your-tfs-ip option in the docker run command!

Trust certificate on agent

curl https://your-tfs-hostname # server certificate verification failed
# register the copied file (path relative to /usr/share/ca-certificates) in the CA list
echo cert.crt >> /etc/ca-certificates.conf
update-ca-certificates # 1 added, 0 removed; done.
curl https://your-tfs-hostname # success!

Source: https://leehblue.com/add-self-signed-cert-curl/
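As an added example that is not part of the original post, here are the "Fix dns" and "Trust certificate on agent" steps above as idempotent POSIX shell functions you could drop into a Dockerfile RUN step or a container entrypoint. Paths are parameters (defaulting to the real system files) so they can be exercised in a scratch directory; update-ca-certificates is only invoked when running as root against the real config, and the IP, hostname and certificate contents are placeholders.

```shell
#!/bin/sh
# Added example, not from the original post. Idempotent versions of the
# "Fix dns" and "Trust certificate on agent" steps for a Dockerfile RUN
# step or entrypoint. Paths are parameters (defaulting to the real system
# files) so the functions can also be exercised in a scratch directory.

# add_host_entry <ip> <hostname> [hosts-file]
# Appends "ip hostname" unless a non-comment line already lists the hostname.
add_host_entry() {
    ip="$1"; host="$2"; hosts="${3:-/etc/hosts}"
    if [ -f "$hosts" ] && awk -v h="$host" \
        '$1 !~ /^#/ { for (i = 2; i <= NF; i++) if ($i == h) found = 1 }
         END { exit !found }' "$hosts"; then
        return 0   # already present, nothing to do
    fi
    printf '%s %s\n' "$ip" "$host" >> "$hosts"
}

# cert_is_pem <file>
# update-ca-certificates only understands PEM; this catches copying
# server.pfx (the binary bundle with the private key) instead of cert.crt.
cert_is_pem() {
    grep -qF -- '-----BEGIN CERTIFICATE-----' "$1"
}

# trust_cert <cert.crt> [ca-dir] [conf-file]
# Copies the certificate into the CA directory and registers its name
# (relative to that directory) in ca-certificates.conf exactly once.
trust_cert() {
    cert="$1"
    cadir="${2:-/usr/share/ca-certificates}"
    conf="${3:-/etc/ca-certificates.conf}"
    cert_is_pem "$cert" || { echo "not a PEM certificate: $cert" >&2; return 1; }
    name=$(basename "$cert")
    mkdir -p "$cadir" "$(dirname "$conf")"
    cp "$cert" "$cadir/$name"
    grep -qxF "$name" "$conf" 2>/dev/null || printf '%s\n' "$name" >> "$conf"
    # Rebuild /etc/ssl/certs only on a real system: root and the real conf path.
    if [ "$(id -u)" = 0 ] && [ "$conf" = /etc/ca-certificates.conf ] \
        && command -v update-ca-certificates >/dev/null 2>&1; then
        update-ca-certificates
    fi
}

# Typical use inside the agent container (placeholders as in the post), after
# "docker cp cert.crt build-agent:/tmp" on the host:
#   add_host_entry your-tfs-ip-address your-tfs-hostname
#   trust_cert /tmp/cert.crt
```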

Set TFS environment variables

export VSTS_TOKEN=your-pat-here
export TFS_URL=https://your-tfs-hostname

You could also pass these as environment variables when creating the container.

See the docs on how to obtain a PAT.

Start the agent



Maybe you want to create a Dockerfile containing the steps for finding and trusting the server. On the other hand, maybe you should just buy an official certificate for your (production) servers.

Build something

Read more: https://medium.com/@MRiezebosch/vsts-agent-docker-commands-e252e4cf086b
