Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[BUG]: Azure Pipeline Agents cannot pull Git repos signed with DoD Certificates #4569

Closed
2 of 4 tasks
adamdost-0 opened this issue Dec 12, 2023 · 2 comments
Closed
2 of 4 tasks

[BUG]: Azure Pipeline Agents cannot pull Git repos signed with DoD Certificates #4569

adamdost-0 opened this issue Dec 12, 2023 · 2 comments
Labels
Area: Agent bug stale

Comments

@adamdost-0
Copy link

What happened?

We setup a Self-Hosted Azure Pipeline Agent onto AKS that points to an on-premise Azure DevOps build server that uses a self-signed certificate by the Department of Defense.

We expected it to connect to Azure DevOps Server and later pull down the git repo as part of its source sync. It was able to register as an agent on the server. However when it tries to clone the repository down it fails showing a Problem with the CA.

The Root CA that the ADO Server is using is under the DoD Root CA 3 and DoD SW CA-66. This issue is only present on the Ubuntu 22.04 Agent.

On the Ubuntu 18.04 side we do not experience issues with this workflow.

Versions

Version Azure DevOps Server 2022.1 RC2 (AzureDevOpsServer_20230927.2)

Ubuntu 22.04: v3.227.1
Ubuntu 18.04: v3.227.1

Environment type (Please select at least one enviroment where you face this issue)

  • Self-Hosted
  • Microsoft Hosted
  • VMSS Pool
  • Container

Azure DevOps Server type

Azure DevOps Server (Please specify exact version in the textbox below)

Azure DevOps Server Version (if applicable)

Version Azure DevOps Server 2022.1 RC2 (AzureDevOpsServer_20230927.2)

Operation system

Ubuntu 22.04

Version controll system

Git

Relevant log output

git --config-env=http.extraheader=env_var_http.extraheader fetch --force --tags --prune --prune-tags --progress --no-recurse-submodules origin
fatal: unable to access 'https://<FQDN>/DefaultCollection/<REPO>/_git/<REPO/': Problem with the SSL CA cert (path? access rights?)
@adamdost-0 adamdost-0 added the bug label Dec 12, 2023
@DmitriiBobreshev
Copy link
Contributor

DmitriiBobreshev commented Dec 13, 2023
edited
Loading

Hi @adamdost-msft, thank you for the feedback, are you providing SSL options during the agent configuration?
If you're providing such options please make sure that the agent providing them to git, you could do it by enabling debug mode, in the checkout step you should see details which certificates are using.

Also, since we don't ship the git with a Linux agent, could you specify the git version which you're using on Ubuntu 18 and Ubuntu 22.

@github-actions GitHub Actions
Copy link

This issue has had no activity in 180 days. Please comment if it is not actually stale

@github-actions github-actions bot added the stale label Jun 10, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
Area: Agent bug stale
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@adamdost-0 @DmitriiBobreshev