Reputation: 167
I already use my computer as a self-hosted agent connected to an Azure pipeline workflow. I'm now trying to run a self-hosted agent in Docker for later use on a company-owned Windows 2019 server, but I'm having connectivity issues.
I'm doing exactly this: https://learn.microsoft.com/en-us/azure/devops/pipelines/agents/docker?view=azure-devops But when I run this:
docker build -t dockeragent:latest .
docker run -e AZP_URL="https://[CompanyUrl].com/[Collection]" -e AZP_TOKEN="[PAT]" -e AZP_AGENT_NAME="dockeragent" -e AZP_POOL="[Pool]" dockeragent:latest
I expect the Docker container agent to run the start.ps1 script, go to PowerShell, configure the agent, and show a big CLI drawing of Azure Pipelines.
But, what I get is this error.
ERROR:
1. Determining matching Azure Pipelines agent...
Invoke-RestMethod : The underlying connection was closed: Could not establish
trust relationship for the SSL/TLS secure channel.
At C:\azp\start.ps1:35 char:12
+ $package = Invoke-RestMethod -Headers @{Authorization=("Basic $base64 ...
I know that these specific lines fail. It's a failed REST API call.
SNIPPET:
Write-Host "1. Determining matching Azure Pipelines agent..." -ForegroundColor Cyan
$base64AuthInfo = [Convert]::ToBase64String([Text.Encoding]::ASCII.GetBytes(":$(Get-Content ${Env:AZP_TOKEN_FILE})"))
$package = Invoke-RestMethod -Headers @{Authorization=("Basic $base64AuthInfo")} "$(${Env:AZP_URL})/_apis/distributedtask/packages/agent?platform=win-x64&`$top=1"
$packageUrl = $package[0].Value.downloadUrl
Write-Host $packageUrl
But the thing I don't understand is that if I just copy and paste the URL into my web browser:
https://[CompanyUrl].com/[Collection]/_apis/distributedtask/packages/agent?platform=win-x64&`$top=1
It works without a hitch and I see my JSON data from the Get operation. It just doesn't work from inside the container. I'm lost.
Any Hints?
What I tried:
[Net.ServicePointManager]::SecurityProtocol = "tls12, tls11, tls"
http://[TFS Extension].[Server].com/[Collection]/_apis/distributedtask/packages/agent?platform=win-x64&`$top=1
It actually worked, I didn't get the error above, so now I'm just confused. I would like it to work with the more secure https link.
Upvotes: 0
Views: 1569
Reputation: 1
Add your company root CA certificate (public key) to the Docker image.
Upvotes: 0
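The approach in the answer above, trusting the company root CA inside the image, as an added PowerShell example that is not part of the original thread. It reports how the container judges the server's certificate chain, then imports the CA into the machine root store and checks again. The file path C:\certs\company-root-ca.cer and the function name Test-ServerTrust are assumptions.

```powershell
# Added example (not from the thread). Run inside the Windows container,
# for instance at the top of start.ps1 or from a RUN step in the Dockerfile.
param(
    [string]$CaFile = 'C:\certs\company-root-ca.cer',  # hypothetical path, copied into the image
    [string]$Url    = $Env:AZP_URL
)

function Test-ServerTrust([uri]$Uri) {
    # Open a TLS connection and record how Windows evaluates the server's chain.
    $result = [ordered]@{ Host = $Uri.Host; PolicyErrors = $null; Chain = @() }
    $callback = {
        param($sender, $cert, $chain, $errors)
        $result.PolicyErrors = $errors
        $result.Chain = @($chain.ChainElements | ForEach-Object {
            '{0} [{1}]' -f $_.Certificate.Subject,
                (($_.ChainElementStatus | ForEach-Object Status) -join ',')
        })
        # Report only: a chain with errors is still rejected.
        return ($errors -eq [System.Net.Security.SslPolicyErrors]::None)
    }
    $tcp = New-Object System.Net.Sockets.TcpClient($Uri.Host, $Uri.Port)
    try {
        $ssl = New-Object System.Net.Security.SslStream(
            $tcp.GetStream(), $false,
            [System.Net.Security.RemoteCertificateValidationCallback]$callback)
        try   { $ssl.AuthenticateAsClient($Uri.Host) }
        catch { }                      # failure details are already in $result
        finally { $ssl.Dispose() }
    }
    finally { $tcp.Close() }
    [pscustomobject]$result
}

$before = Test-ServerTrust $Url
$before | Format-List                  # an untrusted root shows up in the Chain entries

if ($before.PolicyErrors -ne 'None') {
    # Public certificate only, no private key. Writing to LocalMachine\Root
    # requires an administrative account in the container.
    $ca = Import-Certificate -FilePath $CaFile -CertStoreLocation Cert:\LocalMachine\Root
    Write-Host "Imported $($ca.Subject), thumbprint $($ca.Thumbprint)"
    Test-ServerTrust $Url | Format-List   # PolicyErrors should now read None
}
```

If PolicyErrors still reports a name mismatch after the import, the certificate's subject names do not cover the host in AZP_URL, which a trusted root does not change.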
Reputation: 30313
Please try adding -SkipCertificateCheck to the Invoke-RestMethod command.
Invoke-RestMethod "url" -SkipCertificateCheck
Or you can try adding the lines below to the start.ps1 file.
# Define a certificate policy whose callback accepts every server certificate,
# whatever the validation result.
add-type @"
using System.Net;
using System.Security.Cryptography.X509Certificates;
public class TrustAllCertsPolicy : ICertificatePolicy {
    public bool CheckValidationResult(
        ServicePoint srvPoint, X509Certificate certificate,
        WebRequest request, int certificateProblem) {
        return true;
    }
}
"@
# Allow these protocol versions and install the policy for the whole session.
$AllProtocols = [System.Net.SecurityProtocolType]'Ssl3,Tls,Tls11,Tls12'
[System.Net.ServicePointManager]::SecurityProtocol = $AllProtocols
[System.Net.ServicePointManager]::CertificatePolicy = New-Object TrustAllCertsPolicy
See this thread for more information.
Upvotes: 1