TFS 2017.3 — certificate issues with Git clone command (https)

I only have a few customers left who are still using TFS on-premises, and it tends to be true that those customers face the most issues. That is another reason why migrating to Azure DevOps is the best choice for the future and keeps you out of the danger zone.

I discovered some interesting issues in the build process (Get Sources build step) after enabling https-only connections for TFS 2017 Update 3. The build agents were reconfigured to connect to TFS via the https public url.

fatal: unable to access 'https://<servername>/tfs/<teamproject>/_git/<reponame>/': SSL certificate problem: unable to get local issuer certificate

The TFS environment was set up for https via a self-signed certificate which was also pushed to the Windows Certificate Store (group policy) on the Windows build agent machines and the local developer environments.

This error occurs during the git clone command because the certificate is not verified against the Windows Certificate Store. By default Git uses OpenSSL and loads its trusted certificates from its own CA bundle file (curl-ca-bundle.crt). The self-signed certificate is not in that explicit list of certificates trusted by Git, so the chain cannot be validated.

Starting with Git for Windows 2.14 it is possible to configure Git to use Secure Channel instead of OpenSSL, which trusts the certificates from the Windows Certificate Store.

git config --global http.sslBackend schannel

The problem with TFS 2017 Update 3 is that the version of the linked (build) agents is 2.122.1, which ships Git tooling 2.12.2 (< 2.14) and therefore does not support the switch to the Secure Channel option.

There are a number of workarounds (#1 — #2) available to fix the git clone issue, but I recommend switching to the Secure Channel option, which forces you to download a newer agent (≥ 2.129.0) from the Azure Pipeline Agents.

Once the new agent is up-and-running, you can switch to the Secure Channel option for Git via the command-line and this should fix the git clone issue on the build agent.
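The version check and the switch described above, as an added PowerShell example that is not part of the original post. It assumes the git on PATH is the one the agent uses, that the Git for Windows version string looks like "git version 2.12.2.windows.2", and that $RepoUrl is a placeholder you replace with your own TFS repository URL.

```powershell
# Added example (not from the original post): verify the Git that the build agent
# uses is new enough, switch it to the Windows Certificate Store via the Secure
# Channel backend, then confirm the https clone target is reachable.
# $RepoUrl is a placeholder; replace <servername>, <teamproject>, <reponame>.
$RepoUrl    = 'https://<servername>/tfs/<teamproject>/_git/<reponame>'
$MinVersion = [version]'2.14.0'   # first Git for Windows with http.sslBackend schannel

# 'git version 2.12.2.windows.2' -> 2.12.2 ; compare only the numeric prefix
$raw        = (& git --version) -replace '^git version\s+', ''
$gitVersion = [version](($raw -split '\.windows')[0])

if ($gitVersion -lt $MinVersion) {
    Write-Warning "Git $gitVersion is older than $MinVersion; the schannel backend is not available."
    Write-Warning "Install a newer agent (>= 2.129.0) so the bundled Git is >= 2.14, then rerun."
    exit 1
}

# Switch from the OpenSSL CA bundle (curl-ca-bundle.crt) to Secure Channel, which
# consults the Windows Certificate Store where group policy placed the certificate.
& git config --global http.sslBackend schannel
$backend = & git config --global --get http.sslBackend
if ($backend -ne 'schannel') { throw "http.sslBackend is '$backend', expected 'schannel'" }

# Smoke test: ls-remote performs the same TLS handshake as clone without fetching
# objects. 'unable to get local issuer certificate' here means the certificate is
# still not trusted by the Windows store on this machine; an authentication
# failure is a separate problem and not related to the certificate chain.
& git ls-remote --heads $RepoUrl | Out-Null
if ($LASTEXITCODE -ne 0) { throw "https check against $RepoUrl failed (exit code $LASTEXITCODE)" }
Write-Host "Git $gitVersion now uses schannel; $RepoUrl is reachable over https."
```

Run it under the account the agent service uses, since `--global` writes that user's .gitconfig and the agent's Git reads the same file.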

Hope this helps you to quickly fix this issue in your environment! The same fix can be applied for people having similar issues on their local machine.