Change SSL Cert for HTTPS on TeamCity

Hi, 

I have a problem with changing the “selfSigned” SSL cert on my TC server.

We have an on-prem installation of TC and also our own root CA. (The CA cert is imported in Windows.)

Now I have the problem that the root CA changed and I have to change the certificate of TC as well.

After I changed the cert, all agents are disconnected because they do not trust the new CA.

The certs are imported in the Windows CA store, and I can't find another place where I import CAs other than installing the TC agent itself.

So how can I give all agents the new root CA cert without going from agent to agent and adding it to a Java keystore?

Hope someone can give me some hints to fix this problem.

Hi Andre,

You are right; you need to install the server certificate (or your organization's certificate the server's certificate is signed by) into the build agent's JVM as a trusted certificate. It is not a TeamCity-specific procedure and is related to how JVMs handle the self-signed certificates. Please refer to the documentation: https://www.jetbrains.com/help/teamcity/2024.07/using-https-to-access-teamcity-server.html#Configuring+client+JVM+for+trusting+server+certificate

To make the process easier you can connect to the build agent's terminal from the TeamCity interface (agent's page).

Best regards,
Anton

Hi Anton,

Thanks for the answer.

So I have to do it on every agent? No way to do it over TC? And what about this: https://www.jetbrains.com/help/teamcity/uploading-ssl-certificates.html#Adding+trusted+certificates+to+TeamCity+server ?

Will this also work for changing the root CA of my on-prem TC server?

But when I have changed the certificate and download the new client software from my TC server, the new cert will be included, am I right with this?

Dear Andre,

Yes, you need to do it for every build agent's JVM. But as I mentioned previously, you can do it from the TeamCity interface by connecting to the build agent's terminal and adding the certificate using it.
No, the build agent distribution downloaded from the TeamCity server doesn't know anything about the certificate or what JVM it will use, so each completely new installation of the build agent will require adding the certificate to the build agent's JVM (e.g., if you use VMs to host your build agents, you can prepare an image that already has the certificate added).

Best regards,
Anton
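
The per-agent step described in the answers above, as an added example that is not part of the original thread or JetBrains' own code: a PowerShell script that verifies the new root CA's fingerprint before importing it into the agent JVM's truststore with `keytool`. The certificate path, alias and fingerprint are placeholders, and it assumes `JAVA_HOME` points at the JVM the agent actually runs on.

```powershell
# Added example: trust a new root CA in one build agent's JVM truststore.
# Paths, alias and fingerprint are placeholders (assumptions), not values from the thread.
param(
    [string]$JavaHome       = $env:JAVA_HOME,             # must be the JVM the agent runs on
    [string]$CaCertPath     = 'C:\certs\new-root-ca.cer', # hypothetical location of the new root CA
    [string]$Alias          = 'new-root-ca',              # hypothetical truststore alias
    [string]$ExpectedSha256 = '<SHA-256 fingerprint obtained out of band>',
    [string]$StorePass      = 'changeit'                  # JDK default truststore password
)
$ErrorActionPreference = 'Stop'

# 1. Refuse to trust a file whose fingerprint does not match the out-of-band value.
$cert   = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CaCertPath
$sha256 = [System.Security.Cryptography.SHA256]::Create()
$actual = [BitConverter]::ToString($sha256.ComputeHash($cert.RawData)) -replace '-', ''
if ($actual -ne ($ExpectedSha256 -replace '[:\s-]', '')) {
    throw "Fingerprint mismatch for $CaCertPath (got $actual)"
}

# 2. Find keytool and cacerts (Java 9+ layout first, then the JDK 8 layout).
$keytool = Join-Path $JavaHome 'bin\keytool.exe'
$store = 'lib\security\cacerts', 'jre\lib\security\cacerts' |
    ForEach-Object { Join-Path $JavaHome $_ } |
    Where-Object { Test-Path $_ } | Select-Object -First 1
if (-not (Test-Path $keytool) -or -not $store) { throw "No keytool/cacerts under $JavaHome" }

# 3. Import once (an existing alias is left untouched); back up the truststore first
#    so the change can be rolled back.
& $keytool -list -alias $Alias -keystore $store -storepass $StorePass | Out-Null
if ($LASTEXITCODE -ne 0) {
    Copy-Item $store "$store.bak" -Force
    & $keytool -importcert -noprompt -trustcacerts -alias $Alias -file $CaCertPath `
        -keystore $store -storepass $StorePass
    if ($LASTEXITCODE -ne 0) { throw 'keytool -importcert failed' }
}

# 4. Show the stored entry for the record. Restart the agent afterwards so its JVM
#    reloads the truststore.
& $keytool -list -v -alias $Alias -keystore $store -storepass $StorePass |
    Select-String 'Owner:|Valid from:|SHA256:'
```

Run it from an elevated session when the JVM lives under a protected directory. The same script can be baked into the VM image mentioned above so that new agents start with the CA already trusted.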