I'm trying to install pipeline agent 4.254.0 on a self-hosted machine running MacOS Sequoia 15.2 behind a proxy server. However, I'm having SSL issues when trying to register the agent. I have added my proxy's root CA cert to both the MacOS keychain and to my OpenSSL trust store, but my agent fails to register entirely unless I set the SSL_CERT_FILE environment variable with the path to my root cert. With SSL_CERT_FILE, the agent registers successfully, but still fails with the following output:
[Azure Pipelines ASCII-art banner]
agent v4.254.0 (commit c5c9b6f)
>> End User License Agreements:
Building sources from a TFVC repository requires accepting the Team Explorer Everywhere End User License Agreement. This step is not required for building sources from Git repositories.
A copy of the Team Explorer Everywhere license agreement can be found at:
/Applications/runner/license.html
>> Connect:
Connecting to server ...
>> Register Agent:
Scanning for tool capabilities.
Connecting to the server.
Successfully added the agent
Testing agent connection.
Error reported in diagnostic logs. Please examine the log for more details.
- /Applications/runner/_diag/Agent_20250331-152133-utc.log
I've attached what seems to be the relevant log in the logs section below.
There are two things I suspect could be causal: first and foremost, #5068. This PR seems to have added the server validation check which is failing downstream of the agent validation, and as was alluded to with concern here, this check does not seem to take custom root certs into account, even if they're provided using the --sslcacert flag when configuring the agent. I'm also suspicious that this communication could be related, which indicates that dotnet versions prior to 6.0.34 and 8.0.10 have issues with loading PEM certificates on MacOS Sequoia – unless I'm misunderstanding, it appears that this project is still targeting 6.0.32 and 8.0.8. Even if it's not the cause of this specific issue, it seems like ideally the agent would target these versions or newer for maximum Sequoia compatibility.
Versions
agent v4.254.0, MacOS 15.2
Environment type (Please select at least one environment where you face this issue)
Self-Hosted
Microsoft Hosted
VMSS Pool
Container
Azure DevOps Server type
dev.azure.com (formerly visualstudio.com)
Azure DevOps Server Version (if applicable)
No response
Operation system
No response
Version control system
No response
Relevant log output
[2025-03-31 15:21:39Z ERR VisualStudioServices] GET request to https://dev.azure.com/{organization redacted}/_apis/connectionData failed. System.Net.Http.HttpRequestException: The SSL connection could not be established, see inner exception.
 ---> System.Security.Authentication.AuthenticationException: The remote certificate is invalid because of errors in the certificate chain: UntrustedRoot
   at System.Net.Security.SslStream.SendAuthResetSignal(ReadOnlySpan`1 alert, ExceptionDispatchInfo exception)
   at System.Net.Security.SslStream.CompleteHandshake(SslAuthenticationOptions sslAuthenticationOptions)
   at System.Net.Security.SslStream.ForceAuthenticationAsync[TIOAdapter](Boolean receiveFirst, Byte[] reAuthenticationData, CancellationToken cancellationToken)
   at System.Net.Http.ConnectHelper.EstablishSslConnectionAsync(SslClientAuthenticationOptions sslOptions, HttpRequestMessage request, Boolean async, Stream stream, CancellationToken cancellationToken)
   --- End of inner exception stack trace ---
   at Microsoft.VisualStudio.Services.Common.VssHttpRetryMessageHandler.SendAsync(HttpRequestMessage request, CancellationToken cancellationToken)
   at System.Net.Http.HttpClient.<SendAsync>g__Core|83_0(HttpRequestMessage request, HttpCompletionOption completionOption, CancellationTokenSource cts, Boolean disposeCts, CancellationTokenSource pendingRequestsCts, CancellationToken originalCancellationToken)
   at Microsoft.VisualStudio.Services.OAuth.VssOAuthTokenHttpClient.GetTokenAsync(VssOAuthGrant grant, VssOAuthClientCredential credential, VssOAuthTokenParameters tokenParameters, CancellationToken cancellationToken)
   at Microsoft.VisualStudio.Services.OAuth.VssOAuthTokenProvider.OnGetTokenAsync(IssuedToken failedToken, CancellationToken cancellationToken)
   at Microsoft.VisualStudio.Services.Common.IssuedTokenProvider.GetTokenOperation.GetTokenAsync(VssTraceActivity traceActivity)
   at Microsoft.VisualStudio.Services.Common.IssuedTokenProvider.GetTokenAsync(IssuedToken failedToken, CancellationToken cancellationToken)
   at Microsoft.VisualStudio.Services.Common.VssHttpMessageHandler.SendAsync(HttpRequestMessage request, CancellationToken cancellationToken)
   at Microsoft.VisualStudio.Services.Common.VssHttpRetryMessageHandler.SendAsync(HttpRequestMessage request, CancellationToken cancellationToken)
[2025-03-31 15:21:39Z INFO VisualStudioServices] Finished operation Location.GetConnectionData
[2025-03-31 15:21:39Z ERR Agent] System.Net.Http.HttpRequestException: The SSL connection could not be established, see inner exception.
 ---> System.Security.Authentication.AuthenticationException: The remote certificate is invalid because of errors in the certificate chain: UntrustedRoot
   at System.Net.Security.SslStream.SendAuthResetSignal(ReadOnlySpan`1 alert, ExceptionDispatchInfo exception)
   at System.Net.Security.SslStream.CompleteHandshake(SslAuthenticationOptions sslAuthenticationOptions)
   at System.Net.Security.SslStream.ForceAuthenticationAsync[TIOAdapter](Boolean receiveFirst, Byte[] reAuthenticationData, CancellationToken cancellationToken)
   at System.Net.Http.ConnectHelper.EstablishSslConnectionAsync(SslClientAuthenticationOptions sslOptions, HttpRequestMessage request, Boolean async, Stream stream, CancellationToken cancellationToken)
   --- End of inner exception stack trace ---
   at Microsoft.VisualStudio.Services.Common.VssHttpRetryMessageHandler.SendAsync(HttpRequestMessage request, CancellationToken cancellationToken)
   at System.Net.Http.HttpClient.<SendAsync>g__Core|83_0(HttpRequestMessage request, HttpCompletionOption completionOption, CancellationTokenSource cts, Boolean disposeCts, CancellationTokenSource pendingRequestsCts, CancellationToken originalCancellationToken)
   at Microsoft.VisualStudio.Services.WebApi.VssHttpClientBase.SendAsync(HttpRequestMessage message, HttpCompletionOption completionOption, Object userState, CancellationToken cancellationToken)
   at Microsoft.VisualStudio.Services.WebApi.VssHttpClientBase.SendAsync[T](HttpRequestMessage message, Object userState, CancellationToken cancellationToken)
   at Microsoft.VisualStudio.Services.Location.Client.LocationHttpClient.GetConnectionDataAsync(ConnectOptions connectOptions, Int64 lastChangeId, CancellationToken cancellationToken, Object userState)
   at Microsoft.VisualStudio.Services.WebApi.Location.VssServerDataProvider.GetConnectionDataAsync(ConnectOptions connectOptions, Int32 lastChangeId, CancellationToken cancellationToken)
   at Microsoft.VisualStudio.Services.WebApi.Location.VssServerDataProvider.ConnectAsync(ConnectOptions connectOptions, CancellationToken cancellationToken)
   at Microsoft.VisualStudio.Services.Agent.AgentServer.EstablishVssConnection(Uri serverUrl, VssCredentials credentials, TimeSpan timeout) in /Users/runner/work/1/s/src/Microsoft.VisualStudio.Services.Agent/AgentServer.cs:line 216
   at Microsoft.VisualStudio.Services.Agent.AgentServer.ConnectAsync(Uri serverUrl, VssCredentials credentials) in /Users/runner/work/1/s/src/Microsoft.VisualStudio.Services.Agent/AgentServer.cs:line 78
   at Microsoft.VisualStudio.Services.Agent.Listener.Configuration.ConfigurationManager.ConfigureAsync(CommandSettings command) in /Users/runner/work/1/s/src/Agent.Listener/Configuration/ConfigurationManager.cs:line 328
   at Microsoft.VisualStudio.Services.Agent.Listener.Agent.ExecuteCommand(CommandSettings command) in /Users/runner/work/1/s/src/Agent.Listener/Agent.cs:line 104
[2025-03-31 15:21:39Z ERR Terminal] WRITE ERROR: The SSL connection could not be established, see inner exception.
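A triage sketch for agent diagnostic logs like the one in this issue, added here as an example and not part of the original report or the agent's own code: it groups stack-trace lines under their log header and reports, for each certificate-chain error, the chain status, the request URL and the first caller outside System.*, which shows which client code path made the request that failed validation. The sample log is constructed (abridged from the format shown in the issue, with example-org as a placeholder), and parse_entries and tls_failures are hypothetical helper names.

```python
import re

# Constructed sample in the agent's _diag log format (abridged; example-org is a placeholder).
SAMPLE_LOG = """\
[2025-03-31 15:21:39Z ERR VisualStudioServices] GET request to https://dev.azure.com/example-org/_apis/connectionData failed. System.Net.Http.HttpRequestException: The SSL connection could not be established, see inner exception.
 ---> System.Security.Authentication.AuthenticationException: The remote certificate is invalid because of errors in the certificate chain: UntrustedRoot
   at System.Net.Security.SslStream.CompleteHandshake(SslAuthenticationOptions sslAuthenticationOptions)
   at Microsoft.VisualStudio.Services.OAuth.VssOAuthTokenHttpClient.GetTokenAsync(VssOAuthGrant grant, VssOAuthClientCredential credential, VssOAuthTokenParameters tokenParameters, CancellationToken cancellationToken)
[2025-03-31 15:21:39Z INFO VisualStudioServices] Finished operation Location.GetConnectionData
[2025-03-31 15:21:39Z ERR Agent] System.Net.Http.HttpRequestException: The SSL connection could not be established, see inner exception.
 ---> System.Security.Authentication.AuthenticationException: The remote certificate is invalid because of errors in the certificate chain: UntrustedRoot
   at System.Net.Security.SslStream.CompleteHandshake(SslAuthenticationOptions sslAuthenticationOptions)
   at Microsoft.VisualStudio.Services.Agent.AgentServer.EstablishVssConnection(Uri serverUrl, VssCredentials credentials, TimeSpan timeout) in /Users/runner/work/1/s/src/Microsoft.VisualStudio.Services.Agent/AgentServer.cs:line 216
"""

ENTRY = re.compile(r"^\[(?P<ts>[\d\- :]+Z) (?P<level>\w+)\s+(?P<component>\w+)\] (?P<msg>.*)$")
CHAIN = re.compile(r"errors in the certificate chain: (?P<status>[\w, ]+)")
FRAME = re.compile(r"^\s+at (?P<method>[\w.`<>|\[\]]+)\(")
URL = re.compile(r"https?://\S+")

def parse_entries(text):
    """Group continuation lines (inner exceptions, stack frames) under their log header."""
    entries = []
    for line in text.splitlines():
        m = ENTRY.match(line)
        if m:
            entries.append({**m.groupdict(), "body": [m["msg"]]})
        elif entries:
            entries[-1]["body"].append(line)
    return entries

def tls_failures(text):
    """Return one record per ERR entry whose exception chain reports a certificate chain error."""
    out = []
    for e in parse_entries(text):
        joined = "\n".join(e["body"])
        chain = CHAIN.search(joined)
        if e["level"] != "ERR" or not chain:
            continue
        frames = [m["method"] for l in e["body"] if (m := FRAME.match(l))]
        # First frame outside System.* is the agent/SDK code that issued the request.
        caller = next((f for f in frames if not f.startswith("System.")), None)
        url = URL.search(e["body"][0])
        out.append({"component": e["component"], "status": chain["status"].strip(),
                    "url": url.group(0) if url else None, "caller": caller})
    return out

if __name__ == "__main__":
    print(*tls_failures(SAMPLE_LOG), sep="\n")
```
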