VSTS agent & TFS on premise (with an unofficial certificate, for testing purposes only)

Manuel Riezebosch
Jul 26, 2017


I did not manage to get the agent working with the TFS-generated certificate.

With the current ./start.sh script, a PAT (personal access token) is the only supported authentication type.

A PAT cannot be used for authentication over an insecure (plain HTTP) connection, since the token would travel in the clear.

So you need TLS on the server, and the agent must trust the server certificate. These are the steps for when you do not own an official (CA-issued) certificate for your Team Foundation Server.

Create a self signed certificate using OpenSSL

choco install openssl.light
openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.crt -days 365 -subj "/CN=$env:COMPUTERNAME"
openssl pkcs12 -export -out server.pfx -inkey key.pem -in cert.crt

The certificate's subject is only CN=<your computer name>, so the agent must reach the server under exactly that hostname (see the DNS fix below) or certificate verification will fail. openssl req prompts for a passphrase for key.pem; pkcs12 -export asks for that passphrase and then for an export password for the pfx, which is the password certutil needs in the next step.

Source: https://stackoverflow.com/questions/10175812/how-to-create-a-self-signed-certificate-with-openssl

Source: https://www.ssl.com/how-to/create-a-pfx-p12-certificate-file-using-openssl/

Import pfx

certutil -f -enterprise -p password -importpfx .\server.pfx

password is the export password you chose in the previous step when creating the pfx.

Source: https://stackoverflow.com/a/33404847/129269

Configure IIS to use this certificate

Open Internet Information Services (IIS) Manager

Navigate to your-tfs-server → Sites → Team Foundation Server.

Click through Bindings → https → Edit → Select → your certificate → OK.

(Screenshot: selecting the certificate in the IIS site bindings dialog.)

Create agent

docker run -ti --name build-agent microsoft/vsts-agent:ubuntu-16.04-tfs-2017-u1-docker-17.03.0-ce-standard tail -f /dev/null

Or whatever TFS image is currently available.
The tail command keeps the container running so you can exec into it and prepare it before starting the agent (source: https://stackoverflow.com/a/30209974/129269).

Copy crt to agent

docker cp cert.crt build-agent:/usr/share/ca-certificates
docker exec -ti build-agent bash

Fix dns

My agent had trouble resolving the server by hostname.

curl your-tfs-hostname # could not resolve host
echo your-tfs-ip-address your-tfs-hostname >> /etc/hosts
curl your-tfs-hostname

Update: You can also add your TFS server to the container's hosts file by passing --add-host your-tfs-hostname:your-tfs-ip to the docker run command. The hostname must be the one in the certificate's CN.

Trust certificate on agent

curl https://your-tfs-hostname # server certificate verification failed
echo cert.crt >> /etc/ca-certificates.conf
update-ca-certificates # 1 added, 0 removed; done.
curl https://your-tfs-hostname # success!

update-ca-certificates only picks up files with a .crt extension that live under /usr/share/ca-certificates and are listed in /etc/ca-certificates.conf; if you copy the file into /usr/local/share/ca-certificates/ instead, it is picked up without editing the conf file. Either way this adds trust for just this one certificate, which is preferable to disabling verification altogether (curl -k or the agent's skip-verify options).

Source: https://leehblue.com/add-self-signed-cert-curl/

Set TFS environment variables

export VSTS_TOKEN=your-pat-here
export TFS_URL=https://your-tfs-hostname

You could also provide these with -e options when creating the container.

See the docs on how to obtain a PAT. The agent only needs the Agent Pools (read, manage) scope. Because the token ends up in the container's environment (visible to anyone who can run docker inspect), treat it as a secret and revoke it when you tear the test setup down.

Start the agent

./start.sh

Dockerfile

Maybe you want to create a Dockerfile containing the steps for finding and trusting the server. But then again, maybe you should just buy an official certificate for your (production) servers.
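As an added example (not part of the original post), here is a Dockerfile that bakes the certificate trust step above into a derived image, so a fresh container starts the agent directly instead of being patched by hand. It assumes the image tag used above, that cert.crt from the openssl step sits in the build context, and that the base image's default command is start.sh, which reads TFS_URL and VSTS_TOKEN. The DNS fix deliberately stays out of the image: Docker mounts /etc/hosts at run time, so an edit made during the build does not survive, and --add-host is still passed at run time.

```dockerfile
# Added example: derive an image that already trusts the self-signed TFS certificate.
# Build:  docker build -t tfs-agent .
#         (cert.crt from the openssl step must be in the build context)
# Run:    docker run -d --name build-agent \
#           --add-host your-tfs-hostname:your-tfs-ip \
#           -e TFS_URL=https://your-tfs-hostname \
#           -e VSTS_TOKEN=your-pat-here \
#           tfs-agent
FROM microsoft/vsts-agent:ubuntu-16.04-tfs-2017-u1-docker-17.03.0-ce-standard

# Copy only the public certificate into the image; key.pem and server.pfx
# belong on the server and must never end up in an image layer.
# Files matching /usr/local/share/ca-certificates/*.crt are picked up by
# update-ca-certificates without editing /etc/ca-certificates.conf.
COPY cert.crt /usr/local/share/ca-certificates/tfs-self-signed.crt
RUN update-ca-certificates

# /etc/hosts is managed by Docker at run time, so the hostname mapping is
# supplied with --add-host on docker run (see the Run line above).
# The base image's start.sh command is inherited and reads TFS_URL and VSTS_TOKEN.
```

Keep a .dockerignore that excludes key.pem and server.pfx so they cannot be copied in by accident, and rebuild the image when the 365-day certificate is rotated.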

Build something

Read more: https://medium.com/@MRiezebosch/vsts-agent-docker-commands-e252e4cf086b

