TFS 2017.3 — certificate issues with Git clone command (https)

Pieter Gheysens
Mar 27, 2019 · 2 min read

I only have a few customers left who are still using TFS on-premises and it tends to be true that those customers are facing the most issues. Another reason why migrating to Azure DevOps is the best choice for the future and staying out of the danger zone.


I discovered some interesting issues in the build process (Get Sources build step) after enabling HTTPS-only connections for TFS 2017 Update 3. The build agents were reconfigured to connect to TFS via the public HTTPS URL.

fatal: unable to access 'https://<servername>/tfs/<teamproject>/_git/<reponame>/': SSL certificate problem: unable to get local issuer certificate

The TFS environment was set up for https via a self-signed certificate which was also pushed to the Windows Certificate Store (group policy) on the Windows build agent machines and the local developer environments.

The error occurs during the git clone command because Git does not verify the certificate against the Windows Certificate Store. By default, Git uses OpenSSL and loads trusted certificates from its own store (the curl-ca-bundle.crt file). The self-signed certificate is not in that explicit list of certificates trusted by Git.

As of Git for Windows 2.14, it's possible to configure Git to use Secure Channel instead of OpenSSL, so that Git trusts the certificates from the Windows Certificate Store.

git config --global http.sslBackend schannel

The problem with TFS 2017 Update 3 is that the linked (build) agents are version 2.122.1, which ships Git tooling 2.12.2 (< 2.14) and therefore does not support the switch to the Secure Channel option.

There are a number of workarounds (#1, #2) available to fix the git clone issue, but I recommend switching to the Secure Channel option, which forces you to download a newer agent (≥ 2.129.0) from the Azure Pipeline Agents.

Once the new agent is up-and-running, you can switch to the Secure Channel option for Git via the command-line and this should fix the git clone issue on the build agent.
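
The switch described above can be scripted so that it is only applied when the Git version supports it, and then checked against the server. This PowerShell script is an added example, not from the original post; the parameter names are hypothetical, $GitExe is assumed to point at the git.exe the agent actually runs, and $RepoUrl uses the placeholder URL from the error message.

```powershell
param(
    [string]$GitExe  = 'git',   # assumption: the git.exe used by the build agent
    [string]$RepoUrl = 'https://<servername>/tfs/<teamproject>/_git/<reponame>'  # placeholder
)

$minimum = [version]'2.14.0'    # per the post: Secure Channel needs Git for Windows >= 2.14

# "git version" prints e.g. "git version 2.12.2.windows.2"; keep major.minor.patch only.
$raw = & $GitExe version
if ($raw -notmatch '(\d+\.\d+\.\d+)') { throw "Cannot parse Git version from: $raw" }
$current = [version]$Matches[1]

if ($current -lt $minimum) {
    Write-Error "Git $current is older than $minimum; upgrade the agent before switching backends."
    exit 1
}

# --global writes to the Git config of the account running this script.
& $GitExe config --global http.sslBackend schannel
$backend = & $GitExe config --global --get http.sslBackend
if ($backend -ne 'schannel') { throw "http.sslBackend is '$backend', expected 'schannel'" }

# Certificate verification should still be enabled; a disabled check would mask trust problems.
$verify = & $GitExe config --get http.sslVerify
if ($verify -eq 'false') { Write-Warning 'http.sslVerify is false: certificate checks are disabled.' }

# Exercise the TLS handshake without cloning. Disable terminal prompts so git does not wait for input.
$env:GIT_TERMINAL_PROMPT = '0'
$output = & $GitExe ls-remote --heads $RepoUrl 2>&1
if ($LASTEXITCODE -eq 0) {
    Write-Output "OK: $RepoUrl is reachable with backend '$backend'."
} else {
    Write-Output "git ls-remote failed (exit code $LASTEXITCODE):"
    $output | ForEach-Object { Write-Output "  $_" }
    exit $LASTEXITCODE
}
```

Run it as the account the agent runs under, because --global only changes that user's Git configuration.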


Hope this helps you to quickly fix this issue in your environment! The same fix can be applied for people having similar issues on their local machine.

Into ALM

Pieter Gheysens

Written by

Visual Studio ALM MVP — Managing Director Xpirit Belgium (2018) — Founder of Techorama (2014) — www.techorama.be — www.xpirit.com


Blogging About Application Lifecycle Management with TFS/VSTS
