OctoPack on VSTS, publishing to Octopus Server that has a self-signed https certificate

I am using OctoPack and trying to get it to publish to our Octopus Server from VSTS. However, as we are using a self-signed https cert for Octo server, VSTS fails, reporting an SSL/TLS error.

I’ve tried adding the /p:AllowUntrustedCertificate=True switch, but this appears to only be used by msbuild, not octopack.

As a workaround, I’ve tried publishing to a nuget v2 feed which is on VSTS (as it has a valid cert). However, this fails with a 401 error.

Is there any way to get OctoPack to access untrusted certificates?

Hi Emmanuel,

Thank you for reaching out. The 401 error could mean incorrect credentials, though I’d love to dig a bit deeper into it. Could you please send me your Octopus Server logs (located in C:\Octopus\Logs in standard installations) and your VSTS Build logs? That will help to narrow down what could be giving you this error.

Kind regards,

Kenny

Hi Kenny,

I’m only getting the 401 error when I set /p:OctoPackPublishPackageToHttp to the address of a different package feed (i.e. not the Octopus one), which is hosted on Visual Studio Online. As such, there are no entries on the Octopus Server Logs, as we’re not publishing to the Octopus package.

This is a separate error to the SSL/TLS error we get when we set /p:OctoPackPublishPackageToHttp to the Octopus hosted package feed. Our Octopus Server has been configured with a self-signed certificate. If I add the certificate to our trusted store, we can publish to it.

But when we run from Visual Studio Online, we cannot publish to the Octopus package feed, because its certificate is not trusted.

Hi Emmanuel,

Would you mind sending me the full SSL/TLS errors you’re seeing? I’m hoping that can help us assess the situation a bit better.

Though I’m not sure of a way to get the VSTS cloud build agent to trust a self-signed certificate, and not even sure that you can.

The options I can see at the moment are:

  1. Use an on-premises build agent and install the certificate into the local store
  2. Use the NuGet feed inside VSTS and try to add permissions to the account running the build

I hope this helps!

Kenny

Hi Kenny,

Calling octopack from msbuild this way:

msbuild XXXXXX.sln /p:Configuration=Release /p:Platform="Any CPU" /p:AllowUntrustedCertificate=True /p:RunOctoPack=true /p:OctoPackPublishPackageToHttp=https://XXXXXX.australiaeast.cloudapp.azure.com/nuget/packages /p:OctoPackPublishApiKey=API-ZXXXXXXXXXXXXXXXXXXXXXXXX

Results in this error (for each package):

"C:\Users\ebellas\Source\Repos\XXXXXXXXX\packages\OctoPack.3.4.1\tools\NuGet.exe" push "C:\Users\ebellas\Source\Repos\XXXXXXXXX\XXXXXXXXX\obj\octopacked\XXXXXXXXX.1.0.0.17359.nupkg" API-ZXXXXXXXXXXXXXXXXXXXXXXXX -Source https://XXXXXXXXX.australiaeast.cloudapp.azure.com/nuget/packages
Pushing XXXXXXXXX.1.0.0.17359.nupkg to 'https://XXXXXXXXX.australiaeast.cloudapp.azure.com/nuget/packages'...
PUT https://XXXXXXXXX.australiaeast.cloudapp.azure.com/nuget/packages/
An error was encountered when fetching 'PUT https://XXXXXXXXX.australiaeast.cloudapp.azure.com/nuget/packages/'. The request will now be retried.
An error occurred while sending the request.
The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel.
The remote certificate is invalid according to the validation procedure.
PUT https://XXXXXXXXX.australiaeast.cloudapp.azure.com/nuget/packages/
An error was encountered when fetching 'PUT https://XXXXXXXXX.australiaeast.cloudapp.azure.com/nuget/packages/'. The request will now be retried.
An error occurred while sending the request.
The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel.
The remote certificate is invalid according to the validation procedure.
PUT https://XXXXXXXXX.australiaeast.cloudapp.azure.com/nuget/packages/
The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel.
The remote certificate is invalid according to the validation procedure.

Hi Emmanuel,

Thanks for the additional information. Your Octopus server is secured with your self-signed certificate, but VSTS doesn’t look like it will trust it. The only way to get the build agent to trust the certificate is to install your certificate on your local machine. However, if your build agent is hosted in the cloud, there’s no way to do that.

It looks like the way to go is to follow one of those two options: use an on-premises build agent and install your certificate to the local store, or use the NuGet feed inside VSTS and try to add permissions to the account running the build.

Sorry it’s not better news!

Kenny
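
Added example (not part of the thread and not Octopus or Microsoft code): one way to carry out the first option, installing the server's self-signed certificate into the local store of an on-premises build agent. The parameters $CertPath and $ExpectedThumbprint are assumptions, and the thumbprint check against a value obtained out-of-band is an added safeguard rather than something the posts describe.

```powershell
# Run from an elevated PowerShell prompt on the self-hosted build agent.
param(
    # Assumed input: the server's public certificate (.cer), exported without the private key.
    [Parameter(Mandatory)] [string] $CertPath,
    # Assumed input: thumbprint obtained out-of-band from the Octopus Server administrator.
    [Parameter(Mandatory)] [string] $ExpectedThumbprint
)

$ErrorActionPreference = 'Stop'

$path = (Resolve-Path $CertPath).Path
$cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($path)

# Refuse to trust anything other than the certificate the administrator vouched for.
$expected = ($ExpectedThumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
if ($cert.Thumbprint -ne $expected) {
    throw "Thumbprint mismatch: file has $($cert.Thumbprint), expected $expected"
}

# A root-store entry is only appropriate for a self-signed certificate.
if ($cert.Subject -ne $cert.Issuer) {
    throw "Certificate is not self-signed (issuer: $($cert.Issuer)); install its CA instead."
}

if ($cert.NotAfter -lt (Get-Date)) {
    throw "Certificate expired on $($cert.NotAfter)"
}

# LocalMachine\Root, so the account the build agent service runs as also trusts it.
Import-Certificate -FilePath $path -CertStoreLocation Cert:\LocalMachine\Root | Out-Null

# Confirm that chain validation now succeeds. Revocation is skipped because a
# self-signed certificate has no issuing CA to publish revocation data.
$chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
$chain.ChainPolicy.RevocationMode = 'NoCheck'
if (-not $chain.Build($cert)) {
    $chain.ChainStatus | ForEach-Object { Write-Warning $_.StatusInformation.Trim() }
    throw 'Certificate still does not validate after import.'
}

Write-Output "Trusted $($cert.Subject) ($($cert.Thumbprint)) until $($cert.NotAfter)"
```

Trusting the certificate only fixes the chain error shown in the log above; the certificate's subject name must still match the host name used in /p:OctoPackPublishPackageToHttp.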