Connect TeamCity to Hub with IIS proxy
I am currently facing some difficulties connecting my Hub with TeamCity.
My setup is as follows:
- IIS is used as the proxy with a valid certificate that has been issued by Let's Encrypt
- The certificate is valid for all subdomains, which are present as SANs in the certificate
- The certificate is installed as a server certificate within IIS
- TeamCity 10.0.4 (build 42538) is installed and running on port 8084
- In IIS there is a site configured that resolves ci.xyanid.de and maps it to localhost:8084, so it can be accessed via this domain from outside
- TeamCity is adjusted to use this proxy (via editing the server.xml and providing proxyName=ci.xyanid.de, proxyPort=443, scheme=https and secure=true)
- Hub 2.5.456 is installed and running on port 8080
- In IIS there is a site configured that resolves hub.xyanid.de and maps it to localhost:8080, so it can be accessed via this domain from outside
- Hub has been adjusted to use the proxy (via executing the hub.bat and providing the required parameters)
- The Hub Plugin on TeamCity is installed
I can access the Hub and TeamCity just fine. The Hub also works with the installed YouTrack and Upsource which are also configured for the IIS proxy and are accessed via https. The problem is however when I want to register the TeamCity service in my Hub, I get an error when I enter the URL of the Hub:
The error is:
sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
Now I already thought that it might be because the root certificate of the certificate chain (DST Root CA X3 -> Let's Encrypt -> Xyanid.de) is not present in the keystore of the used JDK. So I went ahead and installed the root certificate in the keystore as well and then restarted the TeamCity service, but without success. I still get the same error.
Any suggestions on how to resolve the error?
I already saw that there is a similar issue with Nginx:
But the solution does not work for me since the certificate is already present in the IIS. Do I have to also configure the keyStore of the TeamCity server as well?
Okay, I figured it out: it was the missing root CA after all. But I made a huge mistake, because TeamCity comes with its own Java runtime environment, of course. So I had to install the root CA in the keystore of TeamCity; after that it worked and I could use the https URL of the Hub.
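The resolution above comes down to importing the root CA into the truststore of the JRE that TeamCity actually runs on, not the system JDK. The following PowerShell script is an added example, not part of the original thread: it lists every `cacerts` file under the TeamCity directory and `JAVA_HOME`, reports which ones already contain the root CA, and imports it only when `-Import` is given. The install path, certificate file, alias and truststore password are assumed placeholders.

```powershell
# Added example. Assumptions: install path, certificate file, alias, and the
# JDK default truststore password are placeholders, not values from the post.
param(
    [string]$TeamCityHome = 'C:\TeamCity',           # placeholder install path
    [string]$RootCaFile   = 'C:\certs\root-ca.cer',  # exported root CA (DER or PEM)
    [string]$Alias        = 'hub-root-ca',           # hypothetical alias
    [string]$StorePass    = 'changeit',              # JDK default password
    [switch]$Import                                  # without it: report only
)

# SHA-256 fingerprint of the root CA in keytool's notation (AA:BB:...).
$cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($RootCaFile)
$hash = [System.Security.Cryptography.SHA256]::Create().ComputeHash($cert.RawData)
$want = [System.BitConverter]::ToString($hash) -replace '-', ':'

# Every truststore that could be in play: the runtimes under the TeamCity
# directory plus the system JDK, if JAVA_HOME is set.
$roots = @($TeamCityHome, $env:JAVA_HOME) | Where-Object { $_ -and (Test-Path $_) }
if (-not $roots) { throw 'Neither the TeamCity directory nor JAVA_HOME exists.' }
$stores = Get-ChildItem -Path $roots -Recurse -Filter cacerts -File -ErrorAction SilentlyContinue |
    Where-Object { $_.FullName -like '*\lib\security\cacerts' }

foreach ($store in $stores) {
    # Use the keytool that ships with the same runtime as this truststore.
    $keytool = Join-Path $store.Directory.Parent.Parent.FullName 'bin\keytool.exe'
    if (-not (Test-Path $keytool)) {
        Write-Warning "No keytool found for $($store.FullName)"
        continue
    }
    $list    = & $keytool -list -v -keystore $store.FullName -storepass $StorePass 2>&1 | Out-String
    $present = $list.Contains($want)

    if (-not $present -and $Import) {
        & $keytool -importcert -trustcacerts -noprompt -alias $Alias -file $RootCaFile `
            -keystore $store.FullName -storepass $StorePass | Out-Host
        $present = ($LASTEXITCODE -eq 0)
    }
    [pscustomobject]@{ Truststore = $store.FullName; HasRootCa = $present }
}
```

Run it once without `-Import` to see which runtime is missing the CA, then restart the TeamCity service after an import so the JVM reloads its truststore.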