VSTFS build error - SSL certificate problem: unable to get local issuer certificate

Question

I am new to CI. I have a build defined. I am getting the following error when i queue the build:

2018-10-08T09:54:50.0136696Z ##[command]git config --get-all http.https://testurl.extraheader
2018-10-08T09:54:50.1425808Z ##[command]git config --get-all http.proxy
2018-10-08T09:54:50.2763750Z ##[command]git -c http.extraheader="AUTHORIZATION: bearer ********" fetch --tags --prune --progress --no-recurse-submodules origin
2018-10-08T09:54:51.1465256Z fatal: unable to access 'https://testdomain/tfs/Project/_git/Project.Test/': SSL certificate problem: unable to get local issuer certificate
2018-10-08T09:54:51.1719172Z ##[error]Git fetch failed with exit code: 128

Answer 1

This error occurs when a self-signed certificate cannot be verified.

Here is the same issue discussed on GitHub : https://github.com/Microsoft/azure-pipelines-agent/issues/688

You can try below workarounds:

• Add Enterprise CA certificate to git config –global http.sslCAInfo.

• Tell Git where to find the CA bundle by running:

  git config --system http.sslCAPath /absolute/path/to/git/certificates

• Modify the ca-bundle.crt file to include the domain's root cert which found in the <agent install directory>\externals\git\mingw64\ssl\certs folder.

• Turn off sslVerify with:

  git config --system http."https://our.internal:port/".sslVerify false

• Try following the tutorial which mentioned in below blog: https://blogs.msdn.microsoft.com/phkelley/2014/01/20/adding-a-corporate-or-self-signed-certificate-authority-to-git-exes-store/

• Try to deploy an new agent using the release 2.129.0 agent which contains git SChannel support.

  To enable git to use SChannel, you need to pass --gituseschannel during agent config. ex:

  ./config.cmd --gituseschannel

You can also reference the solutions mentioned in this thread: SSL certificate problem: Unable to get local issuer certificate