VSTS agent & TFS on premise (with an unofficial certificate, for testing purposes only)
I did not manage to let the agent work with the TFS generated certificate.
With the current ./start.sh script it is only possible to use PAT as authentication type.
You cannot use PAT as authentication on an insecure connection.
So you need SSL and you need the agent to trust the server certificate. These are the steps when you do not have an official certificate for your Team Foundation Server.
Create a self-signed certificate using OpenSSL
choco install openssl.light
openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.crt -days 365 -subj "/CN=$env:COMPUTERNAME"
openssl pkcs12 -export -out server.pfx -inkey key.pem -in cert.crt
certutil -f -enterprise -p password -importpfx .\server.pfx
Use the export password you chose in the previous step when creating the pfx.
Configure IIS to use this certificate
Internet Information Services (IIS) Manager
Navigate to your-tfs-server → Sites → Team Foundation Server.
Click through Bindings → https → Edit → Select → your certificate → OK.
docker run -ti --name build-agent microsoft/vsts-agent:ubuntu-16.04-tfs-2017-u1-docker-17.03.0-ce-standard tail -f /dev/null
Copy crt to agent
docker cp cert.crt build-agent:/usr/share/ca-certificates
docker exec -ti build-agent bash
My agent had troubles finding the server based on hostname.
curl your-tfs-hostname # could not resolve host
echo your-tfs-ip-address your-tfs-hostname >> /etc/hosts
Update: You can also add your TFS server to the hosts list by including the --add-host your-tfs-hostname:your-tfs-ip option in the docker run command!
Trust certificate on agent
curl https://your-tfs-hostname # server certificate verification failed
echo cert.crt >> /etc/ca-certificates.conf
update-ca-certificates # 1 added, 0 removed; done.
curl https://your-tfs-hostname # success!
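The hosts-file and trust-store steps above are one-shot shell lines; if you re-run them (for example from a script or a Dockerfile RUN step) they append duplicate entries, and a typo in the IP address is never caught. The script below is an added example, not part of the original post, that wraps the same two steps in idempotent functions with basic input checks. File paths are parameters so the functions can be exercised against scratch files; inside the agent container the real targets are /etc/hosts, /etc/ca-certificates.conf and /usr/share/ca-certificates (the `--apply` mode and the `trust-tfs.sh` file name are assumptions for illustration).

```shell
#!/bin/sh
# Added example: the "find and trust the TFS server" steps from the walkthrough
# as re-runnable shell functions. Not the agent image's own code.

# add_host_entry HOSTS_FILE IP HOSTNAME
# Appends "IP HOSTNAME" unless HOSTNAME is already mapped in HOSTS_FILE.
# Returns 1 for a malformed IPv4 address so a typo cannot silently break
# name resolution for the agent.
add_host_entry() {
  hosts_file=$1; ip=$2; name=$3
  case "$ip" in
    *[!0-9.]*|.*|*.|*..*) return 1 ;;   # non-digits, leading/trailing/double dot
  esac
  n=0
  ifs_save=$IFS; IFS=.
  for octet in $ip; do                  # split on "." via IFS
    n=$((n + 1))
    [ "$octet" -le 255 ] || { IFS=$ifs_save; return 1; }
  done
  IFS=$ifs_save
  [ "$n" -eq 4 ] || return 1
  if grep -q "[[:space:]]$name\$" "$hosts_file" 2>/dev/null; then
    return 0                            # already present: nothing to do
  fi
  printf '%s %s\n' "$ip" "$name" >> "$hosts_file"
}

# register_ca CONF_FILE CERT_DIR CERT_NAME
# Lists CERT_NAME in ca-certificates.conf (CONF_FILE) so update-ca-certificates
# will pick it up, but only if CERT_DIR/CERT_NAME exists and looks like a PEM
# certificate, and only once.
register_ca() {
  conf=$1; dir=$2; cert=$3
  [ -n "$cert" ] && [ -f "$dir/$cert" ] || return 1
  head -n 1 "$dir/$cert" | grep -q '^-----BEGIN CERTIFICATE-----$' || return 1
  grep -qx "$cert" "$conf" 2>/dev/null && return 0
  printf '%s\n' "$cert" >> "$conf"
}

# Apply for real inside the container (as root):
#   sh trust-tfs.sh --apply your-tfs-ip-address your-tfs-hostname
if [ "${1:-}" = "--apply" ]; then
  add_host_entry /etc/hosts "$2" "$3" || { echo "bad IPv4 address: $2" >&2; exit 1; }
  register_ca /etc/ca-certificates.conf /usr/share/ca-certificates cert.crt \
    || { echo "cert.crt missing or not PEM in /usr/share/ca-certificates" >&2; exit 1; }
  update-ca-certificates
fi
```

After `update-ca-certificates` reports the certificate as added, the same `curl https://your-tfs-hostname` check from the walkthrough confirms the agent now trusts the server; re-running the script leaves both files unchanged.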
Set TFS environment variables
You could provide these while creating the agent.
See the docs on how to obtain a PAT.
Start the agent
Maybe you want to create a Dockerfile containing the steps of finding and trusting the server. But on the other hand, maybe you should just buy an official certificate for your (production) servers.