TFS Plugin - Unable to get local issue certificate exception when creating release notes

(Ken) #1

TFS Version: 2018 update 3
Build Agent Version: 2.147.1
Octopus Version: 2018.9.17


I’m getting the following exception with the error code “UNABLE_TO_GET_ISSUER_CERT_LOCALLY” using the TFS/Azure DevOps extension when running the “Create Octopus Release” task. The release still gets created, but the release notes do not contain the associated work item notes because of the TLS error.

We have an Octopus server on-prem with a company self-signed cert. The TFS build agent is also configured to use schannel for git.

2019-03-11T16:32:16.4079246Z ##[section]Starting: Create and Deploy Package to Development Environment
2019-03-11T16:32:16.4085606Z ==============================================================================
2019-03-11T16:32:16.4085779Z Task         : Create Octopus Release
2019-03-11T16:32:16.4085931Z Description  : Create a Release in Octopus Deploy
2019-03-11T16:32:16.4086050Z Version      : 3.0.222
2019-03-11T16:32:16.4086177Z Author       : Octopus Deploy
2019-03-11T16:32:16.4086567Z Help         : Version: 3.0.222. [More Information](
2019-03-11T16:32:16.4086723Z ==============================================================================
2019-03-11T16:32:17.5489695Z SystemVssConnection exists true
2019-03-11T16:32:17.5526374Z 40dd17d8-b9c0-4932-a9c3-9f120a3bd797 exists true
2019-03-11T16:32:17.5657454Z Environment = TfsGit
2019-03-11T16:32:17.5657897Z Comments = true, WorkItems = true
2019-03-11T16:32:17.6517444Z An exception was thrown while building the release notes.
2019-03-11T16:32:17.6554208Z { Error: unable to get local issuer certificate
2019-03-11T16:32:17.6554422Z     at Error (native)
2019-03-11T16:32:17.6554549Z     at TLSSocket.<anonymous> (_tls_wrap.js:1092:38)
2019-03-11T16:32:17.6554808Z     at emitNone (events.js:86:13)
2019-03-11T16:32:17.6555629Z     at TLSSocket.emit (events.js:185:7)
2019-03-11T16:32:17.6555777Z     at TLSSocket._finishInit (_tls_wrap.js:610:8)
2019-03-11T16:32:17.6556023Z     at TLSWrap.ssl.onhandshakedone (_tls_wrap.js:440:38) code: 'UNABLE_TO_GET_ISSUER_CERT_LOCALLY' }
2019-03-11T16:32:17.6556245Z See for more details.
2019-03-11T16:32:17.6556438Z The release notes will be empty.

Any help is appreciated!


(Shannon Lewis) #3

Hi Ken,

Thanks for getting in touch. I did some digging and it looks like there may be a way we could disable the SSL errors in the calls back to TFS, but this really doesn’t feel like a great idea.

This is a bit out of my area of expertise, but I suspect the root cause of the issue is that the build agent isn’t configured to trust the issuer of the certificate being used by TFS. Could you try installing the certificate on the agent and/or configuring it to trust the certificate authority from the self-signed certificate?
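
The error code in the log above is OpenSSL's chain-verification result as surfaced by Node.js, so the trust problem discussed in this thread can be reproduced offline with `openssl verify`. The following is an added example, not part of either post or of the Octopus extension; the CA name, host name and file names are made up, and the function names are hypothetical helpers.

```shell
#!/bin/sh
# Constructed demo: a throwaway private CA signs a server certificate, which is
# then verified without and with that CA as a trust anchor.
# "Demo Corp Root CA" and "tfs.example.internal" are invented names.

make_demo_pki() {
    # $1 = directory that receives ca.pem (issuer) and server.pem (leaf)
    # Self-signed root, standing in for a company CA.
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Demo Corp Root CA" \
        -keyout "$1/ca.key" -out "$1/ca.pem" 2>/dev/null
    # Server key and signing request.
    openssl req -newkey rsa:2048 -nodes \
        -subj "/CN=tfs.example.internal" \
        -keyout "$1/server.key" -out "$1/server.csr" 2>/dev/null
    # The CA issues the server certificate.
    openssl x509 -req -in "$1/server.csr" -CA "$1/ca.pem" -CAkey "$1/ca.key" \
        -CAcreateserial -days 1 -out "$1/server.pem" 2>/dev/null
}

verify_cert() {
    # $1 = certificate to check, $2 = optional CA bundle to trust.
    # Prints openssl's verdict for the chain.
    if [ -n "${2:-}" ]; then
        openssl verify -CAfile "$2" "$1" 2>&1
    else
        # Only the system default trust store, which lacks the demo CA.
        openssl verify "$1" 2>&1
    fi
}

demo() {
    demo_dir="$(mktemp -d)"
    make_demo_pki "$demo_dir"
    echo "--- issuing CA not trusted (the situation in the log)"
    verify_cert "$demo_dir/server.pem" || true
    echo "--- issuing CA supplied as a trust anchor"
    verify_cert "$demo_dir/server.pem" "$demo_dir/ca.pem"
    rm -rf "$demo_dir"
}

demo
```

Running the same `openssl verify` against the real server certificate and the company CA file confirms which issuer the agent is missing before anything is changed in its trust store.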