Self-Signed Certificates with Git and TFS
- Richard Murphy
- Jul 3, 2018
I have been using Gitlab and Gitlab CI for a year or so now and have just gotten the hang of the gitlab-ci.yml process and really like it. A new project is now forcing me to learn CI/CD in Microsoft TFS. So, first step is to set it up in the lab and start playing around with it.
Microsoft recommends that new installations of TFS2018 use https as the preferred way of running TFS. This is great: it follows best practices, protects sensitive information going over the wire and is generally good common sense. If you are performing an on-premises install of TFS then you will most likely use either a self-signed certificate or a certificate issued by your internal Certificate Authority. Both of these can be a problem because they are not included in your client certificate bundles by default and will require a little effort to get them included. Most people are familiar with importing a cert into their browser, and that takes care of browsing to TFS from your browser, but what about git? Git has its own certificate bundle that is separate from the Windows certificate store, so the new cert must be added there in addition to the Windows cert store. I ran across this issue setting up TFS2018 and build agents in the lab, and it took a little while to figure out why my git commands were complaining about ‘self-signed’ certs.
I did the quick TFS installation and let the install wizard create the IIS site, set up https access and create the cert. After the install finished, I was able to browse to TFS, right-click on the “Not secure” warning, choose ‘certificate’, export the cert via the browser, then import it into my cert store. Easy peasy.

I next set up a build agent on another Windows VM by installing Visual Studio 2017 and the agent software, connected it up to my TFS server, and everyone was happy. I was ready to run my first build. I clicked the ‘queue build’ button and anxiously awaited a successful build. But it was not meant to be: Git complained about the self-signed cert. Oh yeah, I forgot about that. A quick Google search brought up several folks with how-to instructions for fixing this issue. The general consensus was that you needed to install your TFS certificate into the Git ca-bundle. Ok, no worries, I can do that. Oh, and folks also reminded me that Visual Studio installs its own Git into its folder structure, so you can’t just install Git for Windows and change it there. The first step was to search for git.exe and find out where VS put it.
C:\Program Files (x86)\Microsoft Visual Studio\2017\Community\Common7\IDE\CommonExtensions\Microsoft\TeamFoundation\Team Explorer\Git\mingw32\ssl\certs

I opened up Atom and opened the ca-bundle file as well as the base64 cert file that I had exported from TFS via the browser, then copied the cert from the exported file to the end of the ca-bundle file.

Ok, great. Now I was ready to try my build again, certain that it would be successful. Click ‘Queue build’, refresh my coffee, and come back to see:

Hmm. I was sure I did that right. Just in case, I opened up the ca-bundle file and pasted in the new cert again. No dice. Hmmm. I asked Mr. Google again, but no revelations. Maybe there is another location for the ca-bundle? I searched for git.exe in Explorer again, and interesting: there is one under the Agent folder. Remember when I installed the build agent and connected it to TFS? It also installed git and had its own ca-bundle file. Maybe the build was using this one and not the one under Visual Studio. (If it hadn’t been my first time ever doing this I might have known that.) I repeated the process for the ca-bundle under the agent folder.

Awesome! It works!
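Pasting the cert by hand works, but a build machine can carry several copies of Git (Visual Studio's, the agent's, Git for Windows), and it is easy to paste the same cert twice. The PowerShell script below is an added example, not code from this post: it finds every Git ca-bundle.crt under the given roots, checks by thumbprint whether the exported cert is already in each bundle, backs the bundle up, and appends the cert once. It assumes the cert was exported from the browser as "Base-64 encoded X.509 (.CER)", that Git keeps its bundle under mingw32\ssl\certs (mingw64 for 64-bit Git), and that the agent lives under C:\agent; that path and the script name are placeholders, adjust them for your machine.

```powershell
<#
  Add-TfsCertToGitBundles.ps1 (hypothetical name; added example, not from the post)
  Appends an exported TFS certificate to every Git ca-bundle.crt found on this machine.
  Assumptions: cert exported as Base-64 encoded X.509; Git bundle path contains
  \mingw32\ssl\certs\ or \mingw64\ssl\certs\; run from an elevated prompt because the
  bundles live under Program Files.
#>
param(
    [Parameter(Mandatory)] [string] $CertPath,   # e.g. C:\temp\tfs.cer (Base64 export)
    [string[]] $SearchRoots = @('C:\Program Files', 'C:\Program Files (x86)', 'C:\agent')
)

function Get-PemThumbprints {
    # Returns the SHA-1 thumbprint of every certificate block in a PEM bundle,
    # so we can tell whether a cert is already trusted without comparing raw text.
    param([string] $Path)
    $text    = Get-Content -Raw -Path $Path
    $pattern = '-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----'
    foreach ($m in [regex]::Matches($text, $pattern, 'Singleline')) {
        $der = [Convert]::FromBase64String(($m.Groups[1].Value -replace '\s', ''))
        (New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,$der)).Thumbprint
    }
}

# A DER (.cer binary) export cannot be pasted into a PEM bundle; fail early on that.
$newPem = Get-Content -Raw -Path $CertPath
if ($newPem -notmatch '-----BEGIN CERTIFICATE-----') {
    throw "$CertPath is not Base64/PEM; re-export it as 'Base-64 encoded X.509 (.CER)'."
}

# Show what is about to be trusted: compare this thumbprint with the one on the TFS
# server (IIS certificate binding) so you are trusting the real server cert.
$newCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $CertPath
Write-Host "Trusting '$($newCert.Subject)' thumbprint $($newCert.Thumbprint), expires $($newCert.NotAfter)"

# Every Git install (VS, build agent, Git for Windows) ships its own bundle.
$bundles = Get-ChildItem -Path $SearchRoots -Recurse -Filter 'ca-bundle.crt' -ErrorAction SilentlyContinue |
    Where-Object { $_.FullName -match '\\mingw(32|64)\\ssl\\certs\\' }
if (-not $bundles) { throw "No Git ca-bundle.crt found under: $($SearchRoots -join ', ')" }

foreach ($bundle in $bundles) {
    if ((Get-PemThumbprints $bundle.FullName) -contains $newCert.Thumbprint) {
        Write-Host "Already present: $($bundle.FullName)"
        continue
    }
    Copy-Item -Path $bundle.FullName -Destination "$($bundle.FullName).bak" -Force   # restore point
    # Start the new block on its own line; Add-Content supplies the trailing newline.
    Add-Content -Path $bundle.FullName -Value ("`r`n" + $newPem.Trim())
    Write-Host "Appended to: $($bundle.FullName)"
}
```

Run it once after installing the agent and again after any Visual Studio or agent update, since updates can replace the bundle with a fresh copy. To confirm the agent's Git now trusts the server, run that copy of git.exe with `ls-remote` against the TFS repository URL from the agent machine; if you would rather not edit the shipped bundle, Git's `http.sslCAInfo` config key can point each install at a separate bundle file that includes the TFS cert.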
So, if you have encountered the same issue, hopefully this helps. Now on to figure out how to setup continuous deployments in TFS.