Team City using SSL to VCS using Internal CA

I've set up a new Team City server against TFS for the VCS. However, it's publicly hosted so I'd like to use HTTPS using a certificate from an internal CA. How do I set the CA chain so that Team City validates the SSL certificate properly?

ERROR - The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel.
System.Exception: The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel. ---> System.Net.WebException: The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel. ---> System.Security.Authentication.AuthenticationException: The remote certificate is invalid according to the validation procedure.
at System.Net.Security.SslState.StartSendAuthResetSignal(ProtocolToken message, AsyncProtocolRequest asyncRequest, Exception exception)
at System.Net.Security.SslState.CheckCompletionBeforeNextReceive(ProtocolToken message, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslState.StartSendBlob(Byte[] incoming, Int32 count, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslState.ProcessReceivedBlob(Byte[] buffer, Int32 count, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslState.StartReadFrame(Byte[] buffer, Int32 readBytes, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslState.StartReceiveBlob(Byte[] buffer, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslState.CheckCompletionBeforeNextReceive(ProtocolToken message, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslState.StartSendBlob(Byte[] incoming, Int32 count, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslState.ProcessReceivedBlob(Byte[] buffer, Int32 count, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslState.StartReadFrame(Byte[] buffer, Int32 readBytes, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslState.StartReceiveBlob(Byte[] buffer, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslState.CheckCompletionBeforeNextReceive(ProtocolToken message, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslState.StartSendBlob(Byte[] incoming, Int32 count, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslState.ProcessReceivedBlob(Byte[] buffer, Int32 count, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslState.StartReadFrame(Byte[] buffer, Int32 readBytes, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslState.StartReceiveBlob(Byte[] buffer, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslState.CheckCompletionBeforeNextReceive(ProtocolToken message, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslState.StartSendBlob(Byte[] incoming, Int32 count, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslState.ForceAuthentication(Boolean receiveFirst, Byte[] buffer, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslState.ProcessAuthentication(LazyAsyncResult lazyResult)
at System.Net.TlsStream.CallProcessAuthentication(Object state)
at System.Threading.ExecutionContext.Run(ExecutionContext executionContext, ContextCallback callback, Object state)
at System.Net.TlsStream.ProcessAuthentication(LazyAsyncResult result)
at System.Net.TlsStream.Write(Byte[] buffer, Int32 offset, Int32 size)
at System.Net.PooledStream.Write(Byte[] buffer, Int32 offset, Int32 size)
at System.Net.ConnectStream.WriteHeaders(Boolean async)
--- End of inner exception stack trace ---
at System.Web.Services.Protocols.WebClientProtocol.GetWebResponse(WebRequest request)
at System.Web.Services.Protocols.HttpWebClientProtocol.GetWebResponse(WebRequest request)
at Microsoft.TeamFoundation.Client.TeamFoundationSoapProxy.GetWebResponse(WebRequest request)
at System.Web.Services.Protocols.SoapHttpClientProtocol.Invoke(String methodName, Object[] parameters)
at Microsoft.TeamFoundation.Proxy.BisRegistrationServiceProxyWsdl.GetRegistrationEntries(String toolId)
at Microsoft.TeamFoundation.Proxy.BisRegistrationProxy.GetRegistrationEntries(String toolId)
at Microsoft.TeamFoundation.Proxy.BisRegistrationService.RefreshMemoryCache()
at Microsoft.TeamFoundation.Proxy.BisRegistrationService.RefreshCachesIfNeeded(Boolean direct)
at Microsoft.TeamFoundation.Proxy.BisRegistrationService.GetRegistrationEntries(String toolId)
at Microsoft.TeamFoundation.Framework.Client.PreFrameworkServerDataProvider.FindServiceLocation(String serviceType, String toolId)
at Microsoft.TeamFoundation.Framework.Client.PreFrameworkServerDataProvider.LocationForCurrentConnection(String serviceType, Guid serviceIdentifier)
at Microsoft.TeamFoundation.Client.TfsConnection.EnsureProviderConnected()
at Microsoft.TeamFoundation.Client.TfsConnection.<Authenticate>b__1()
at Microsoft.TeamFoundation.Client.TfsConnection.UseCredentialsProviderOnFailure(Action action)
at Microsoft.TeamFoundation.Client.TfsConnection.Authenticate()
at Microsoft.TeamFoundation.Client.TeamFoundationServer.Authenticate()
at JetBrains.TeamCity.Tfs.Command.Do() in c:\Agent\work\7b38d9d0edb21a5b\TfsNativeAccessor\src\Command.cs:line 25
at JetBrains.TeamCity.Tfs.Program.Main(String[] args) in c:\Agent\work\7b38d9d0edb21a5b\TfsNativeAccessor\src\Program.cs:line 118



3 comments

Hi

You need to permanently accept this certificate.
Make Team Explorer work with this repository, and TeamCity will work too.

Michael

0

I'm not sure I understand but on the TC Host/Build Agent I can:

  • connect to the TFS web service over SSL using the relevant account from IE
  • connect to the TFS over SSL using the relevant account from Visual Studio 2010/Team Explorer


I think it's something like I need to convince Java (I'm not a Java guy) that my CA certificate is trusted.
I've run keytool but I've just been hacking with examples around the web.

Does anyone have an example of importing a CA certificate into the JRE that Team City uses?
Or am I just on completely the wrong track?

0

I was running TC using the Network Service account which I guess doesn't store certificates.
I created a local user to run TC, re-installed the CA certificate into the Windows Local Machine Trusted Certificate Authority store and everything works.

0
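
A diagnostic for the situation in this thread, as an added example that is not from any of the posters or from JetBrains: run under the same account as the TeamCity service, it reports how .NET validates the TFS server's certificate chain for that account and whether the internal CA is in the Local Machine trusted root store. The host name, port and CA file path are placeholders.

```powershell
# Added example; run it as the account the TeamCity service/agent uses.
# $TfsHost, $Port and $CaFile are placeholders, not values from the thread.
param(
    [string]$TfsHost = 'tfs.example.internal',
    [int]$Port = 443,
    [string]$CaFile = 'C:\temp\internal-root-ca.cer'
)

"Running as: " + [Security.Principal.WindowsIdentity]::GetCurrent().Name

# Record what .NET's own validation reports, then keep its verdict:
# the callback never accepts a certificate that validation rejected.
$script:seen = $null
$callback = [System.Net.Security.RemoteCertificateValidationCallback]{
    param($s, $cert, $chain, $errors)
    $script:seen = New-Object PSObject -Property @{
        Subject       = $cert.Subject
        PolicyErrors  = $errors
        ChainStatus   = @($chain.ChainStatus | ForEach-Object { $_.Status })
        ChainSubjects = @($chain.ChainElements | ForEach-Object { $_.Certificate.Subject })
    }
    return ($errors -eq [System.Net.Security.SslPolicyErrors]::None)
}

$tcp = New-Object System.Net.Sockets.TcpClient($TfsHost, $Port)
try {
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $callback)
    $ssl.AuthenticateAsClient($TfsHost)
    "Handshake succeeded: the chain is trusted for this account."
} catch {
    # Same failure the TeamCity TFS accessor logs as "Could not establish trust relationship".
    "Handshake rejected: $($_.Exception.Message)"
} finally {
    $tcp.Close()
}
$script:seen | Format-List

# Is the internal CA in the machine-wide trusted root store?
$ca = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($CaFile)
$inStore = Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Thumbprint -eq $ca.Thumbprint }
if ($inStore) {
    "CA $($ca.Subject) is present in LocalMachine\Root."
} else {
    "CA is missing from LocalMachine\Root. From an elevated prompt run:"
    "  certutil -addstore Root `"$CaFile`""
}
```

A `PolicyErrors` value of `RemoteCertificateChainErrors` with `UntrustedRoot` in `ChainStatus` means the CA is not trusted for the account the script ran as, even if IE or Team Explorer works for an interactive user on the same machine.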
