Uploading SSL Certificates

We are trying to set up HTTPS Redirect for our TeamCity On-premises.

We have a self-signed certificate that we want to distribute to our TeamCity agents before activating HTTPS Redirection for All Requests (there is a warning message to ensure all TeamCity agents have changed to the new HTTPS setting before enabling this, otherwise the TeamCity agents won't be able to connect to the TeamCity server).

However, after following the steps here - https://www.jetbrains.com/help/teamcity/uploading-ssl-certificates.html, I was expecting the self-signed certificate to be available in this folder - <TeamCity Agent Home>/system/serverTrustedCertificates directory.

I wasn't able to see any certificate there after uploading the self-signed certificate from the Portal.

Any idea what might be the cause? Or which logs should I check to identify the issue?

Hi JohnSen,

If the user is running the TeamCity server under a non-trusted certificate, you need to place the server certificate into this directory on an agent to establish agent-server connection.

You can manually add certificates to a required agent by placing them into the `<TeamCity Agent Home>/conf/trustedCertificates` directory (one file per certificate, certificates in textual form in one of the supported formats mentioned above). Note that this directory is used for storing manually added certificates only; automatically distributed certificates are stored separately (in the `<TeamCity Agent Home>/system/serverTrustedCertificates` directory). The agent home directory is described at https://www.jetbrains.com/help/teamcity/agent-home-directory.html.

For more detailed information, please refer to https://www.jetbrains.com/help/teamcity/uploading-ssl-certificates.html#Delivering+certificates+to+TeamCity+agents.

Hi Tom,

Thanks for replying.
Can you explain more about this - If the user is running the TeamCity server under a non-trusted certificate

We are currently running the TeamCity server under a self-signed certificate (it's trusted under Computer Certificate, but it's not a publicly signed certificate). Does it mean that if we use a self-signed certificate, we have to manually copy the certificate over to each of our agents?

My end goal is to be able to have the TeamCity server distribute the certificate to the agents, so I don't have to add the certificate manually to each agent that we have (or any new agent that we want to provision in the future).

Hi JohnSen,

According to the TeamCity documentation - https://www.jetbrains.com/help/teamcity/uploading-ssl-certificates.html#Delivering+certificates+to+TeamCity+agents, it is possible to upload an SSL certificate that TeamCity will consider trusted when establishing connections via HTTPS or SSL protocols. These certificates can be self-signed or signed by a less well-known certificate authority (CA).

In your case, you have uploaded your self-signed certificate to the TeamCity server so that the server itself trusts it when using HTTPS/SSL. Normally, this certificate will be distributed to all TeamCity agents. However, in some cases, it will not be distributed automatically. In such situations, you will need to manually copy the certificate to the agent.

Best Regards,
Tom

Thanks, Tom.

Do you know in which scenarios the uploaded certificate cannot be distributed to the agents?
Also, do you know if there is any way we can force the TeamCity server to distribute the uploaded certificate to the TeamCity agents?

Hi JohnSen,

Based on my knowledge, it is for some reason that we're not aware of.

Unfortunately, there is no built-in feature available at the moment. Thanks for your understanding.

If the <TeamCity Agent Home>/system/serverTrustedCertificates directory is empty, you need to add the certificate there.

If you have many agents, you can:

Place the certificate file in a secure shared location (such as an internal HTTP server, S3 bucket...).

Use a script (PowerShell, Bash, Ansible, etc.) to check the system/serverTrustedCertificates directory on each agent:

If no related certificate is found, download it to the agent machine.

Place the certificate in the `<TeamCity Agent Home>/system/serverTrustedCertificates` directory (see https://www.jetbrains.com/help/teamcity/agent-home-directory.html for the agent home directory).

Best Regards,
Tom
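
The per-agent check described in the reply above, written as a POSIX shell function; this is an added example, not code from the thread or from JetBrains. The file name `teamcity-server.pem`, the source location and the pinned SHA-256 digest are assumptions, and the digest check is added because the downloaded file becomes a trust anchor on the agent.

```shell
#!/bin/sh
# Added example, not JetBrains code. Assumptions: the file name
# teamcity-server.pem, the https:// source and the pinned digest are
# hypothetical; the target directory is the one named in the reply above.

file_sha256() { sha256sum < "$1" | cut -d' ' -f1; }

# install_server_cert <agent_home> <cert_source> <expected_sha256>
# Prints "unchanged" or "installed"; exit status 2 means digest mismatch.
# The body runs in a subshell, so "exit" leaves only the function.
install_server_cert() (
  agent_home=$1 src=$2 want=$3
  dest_dir="$agent_home/system/serverTrustedCertificates"
  dest="$dest_dir/teamcity-server.pem"

  # Nothing to do when the pinned certificate is already in place.
  if [ -f "$dest" ] && [ "$(file_sha256 "$dest")" = "$want" ]; then
    echo unchanged; exit 0
  fi

  mkdir -p "$dest_dir" || exit 1
  # Stage outside the trusted directory so an unverified file is never
  # visible to the agent, but on the same filesystem so mv is atomic.
  tmp=$(mktemp "$agent_home/system/.cert.XXXXXX") || exit 1
  trap 'rm -f "$tmp"' EXIT

  case $src in
    https://*) curl --fail --silent --show-error --proto '=https' \
                    --output "$tmp" "$src" || exit 1 ;;
    *)         cp -- "$src" "$tmp" || exit 1 ;;
  esac

  # Refuse anything that does not match the digest obtained out of band
  # from whoever administers the TeamCity server.
  if [ "$(file_sha256 "$tmp")" != "$want" ]; then
    echo "digest mismatch for $src" >&2; exit 2
  fi

  chmod 644 "$tmp" && mv -f -- "$tmp" "$dest" || exit 1
  echo installed
)
```

Run it from the agent provisioning job with the agent home, the shared location and the digest as arguments; a non-zero status should fail the job rather than leave the agent without a verified certificate.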