[Bug] vsts-cli tool does not work with (onprem) Azure DevOps Server 2019 SP1.1; *self-signed* certificate #323

Closed
pprivately opened this issue Apr 9, 2020 · 1 comment


pprivately commented Apr 9, 2020

General

We are running the latest Azure DevOps Server 2019 SP1.1 utilizing the latest Microsoft SQL Server 2019 (waw-tfs01 host running the latest Windows Server 2019).
During software installation we chose the option to generate a self-signed certificate for Azure DevOps Server 2019 SP1.1 services and redirect HTTP traffic to HTTPS.
Everything went smoothly, we can easily use Azure DevOps Server services over HTTPS from a browser on the client PC (Firefox in this case). Of course info about the self-signed certificate appeared and we trusted the cert by adding it as a permanent exception on the client PC (latest Windows 10 Enterprise 1909 with available security fixes, build 18363.752).

vsts-cli installation

On the same client PC we installed the latest version of the vsts-cli tool using Chocolatey (choco install vsts-cli). It gave us precisely:

d:\Java\projects\javafx-spring-boot-gradle>vsts -v
vsts-cli (0.1.4)

knack (0.5.1)
vsts (0.1.20)
vsts-cli-admin (0.1.4)
vsts-cli-admin-common (0.1.4)
vsts-cli-build (0.1.4)
vsts-cli-build-common (0.1.4)
vsts-cli-code (0.1.4)
vsts-cli-code-common (0.1.4)
vsts-cli-common (0.1.4)
vsts-cli-package (0.1.4)
vsts-cli-package-common (0.1.4)
vsts-cli-release (0.1.4)
vsts-cli-release-common (0.1.4)
vsts-cli-team (0.1.4)
vsts-cli-team-common (0.1.4)
vsts-cli-work (0.1.4)
vsts-cli-work-common (0.1.4)

Python (Windows) 3.7.0 (v3.7.0:1bf9cc5093, Jun 27 2018, 04:06:47) [MSC v.1914 32 bit (Intel)]

Python location: C:\Program Files (x86)\Microsoft SDKs\VSTS\CLI\python.exe

Legal docs and information: https://aka.ms/vsts-cli-eula

waw-tfs01 certificate extraction

We extracted the certificate from the waw-tfs01 server using the following PowerShell cmdlets:

PS C:\>  Get-ChildItem Cert:\CurrentUser\Root | where { $_.Subject -imatch 'ourdomain\.com' } | Format-List -Property *

PSPath                   : Microsoft.PowerShell.Security\Certificate::CurrentUser\Root\F98A596D13D66F6C4977A4D4D782F4212D11479A
PSParentPath             : Microsoft.PowerShell.Security\Certificate::CurrentUser\Root
PSChildName              : F98A596D13D66F6C4977A4D4D782F4212D11479A
PSDrive                  : Cert
PSProvider               : Microsoft.PowerShell.Security\Certificate
PSIsContainer            : False
EnhancedKeyUsageList     : {Uwierzytelnienie serwera (1.3.6.1.5.5.7.3.1)}
DnsNameList              : {waw-tfs01.ourdomain.com}
SendAsTrustedIssuer      : False
EnrollmentPolicyEndPoint : Microsoft.CertificateServices.Commands.EnrollmentEndPointProperty
EnrollmentServerEndPoint : Microsoft.CertificateServices.Commands.EnrollmentEndPointProperty
PolicyId                 :
Archived                 : False
Extensions               : {System.Security.Cryptography.Oid, System.Security.Cryptography.Oid, System.Security.Cryptography.Oid}
FriendlyName             :
IssuerName               : System.Security.Cryptography.X509Certificates.X500DistinguishedName
NotAfter                 : 28.07.3019 16:05:48
NotBefore                : 26.03.2020 15:05:48
HasPrivateKey            : True
PrivateKey               :
PublicKey                : System.Security.Cryptography.X509Certificates.PublicKey
RawData                  : {48, 130, 3, 0...}
SerialNumber             : 664991E6A41936B747919083911A4528
SubjectName              : System.Security.Cryptography.X509Certificates.X500DistinguishedName
SignatureAlgorithm       : System.Security.Cryptography.Oid
Thumbprint               : F98A596D13D66F6C4977A4D4D782F4212D11479A
Version                  : 3
Handle                   : 2271468998208
Issuer                   : CN=waw-tfs01.ourdomain.com
Subject                  : CN=waw-tfs01.ourdomain.com

PSPath                   : Microsoft.PowerShell.Security\Certificate::CurrentUser\Root\37D95AF3FDB3F5620AA54FD448F549AA87DE8AA7
PSParentPath             : Microsoft.PowerShell.Security\Certificate::CurrentUser\Root
PSChildName              : 37D95AF3FDB3F5620AA54FD448F549AA87DE8AA7
PSDrive                  : Cert
PSProvider               : Microsoft.PowerShell.Security\Certificate
PSIsContainer            : False
EnhancedKeyUsageList     : {Uwierzytelnienie serwera (1.3.6.1.5.5.7.3.1), Uwierzytelnienie klienta (1.3.6.1.5.5.7.3.2)}
DnsNameList              : {waw-tfs01.ourdomain.com, waw-tfs01}
SendAsTrustedIssuer      : False
EnrollmentPolicyEndPoint : Microsoft.CertificateServices.Commands.EnrollmentEndPointProperty
EnrollmentServerEndPoint : Microsoft.CertificateServices.Commands.EnrollmentEndPointProperty
PolicyId                 :
Archived                 : False
Extensions               : {System.Security.Cryptography.Oid, System.Security.Cryptography.Oid, System.Security.Cryptography.Oid, System.Security.Cryptography.Oid...}
FriendlyName             : TFS Self-Signed SSL (waw-tfs01.ourdomain.com,waw-tfs01)
IssuerName               : System.Security.Cryptography.X509Certificates.X500DistinguishedName
NotAfter                 : 25.02.2027 08:26:53
NotBefore                : 24.02.2020 08:26:53
HasPrivateKey            : True
PrivateKey               : System.Security.Cryptography.RSACryptoServiceProvider
PublicKey                : System.Security.Cryptography.X509Certificates.PublicKey
RawData                  : {48, 130, 3, 202...}
SerialNumber             : 236F3E47F3EDEEB048EEEF9E222B98DC
SubjectName              : System.Security.Cryptography.X509Certificates.X500DistinguishedName
SignatureAlgorithm       : System.Security.Cryptography.Oid
**Thumbprint               : 37D95AF3FDB3F5620AA54FD448F549AA87DE8AA7**
Version                  : 3
Handle                   : 2271468998592
Issuer                   : CN=waw-tfs01.ourdomain.com, OU=Created by Azure DevOps Server
Subject                  : CN=waw-tfs01.ourdomain.com, OU=Created by Azure DevOps Server

PowerShell on waw-tfs01 (export cert as X.509 Base64 encoded):

$cert = Get-Item -Path cert:\CurrentUser\Root\37D95AF3FDB3F5620AA54FD448F549AA87DE8AA7
$certFile = 'C:\exported.crt'
$content = @(
    '-----BEGIN CERTIFICATE-----'
    [System.Convert]::ToBase64String($cert.RawData, 'InsertLineBreaks')
    '-----END CERTIFICATE-----'
)
$content | Out-File -FilePath $certFile -Encoding ascii

Cert looked fine:

PS C:\> cat C:\exported.crt
-----BEGIN CERTIFICATE-----
MIIDyjCCArKgAwIBAgIQI28+R/Pt7rBI7u+eIiuY3DANBgkqhkiG9w0BAQsFADBHMScwJQYDVQQL
DB5DcmVhdGVkIGJ5IEF6dXJlIERldk9wcyBTZXJ2ZXIxHDAaBgNVBAMME3dhdy10ZnMwMS50MjRj
...
yIzXSCtvq9hUUTlF2C1sAIHCNZbrDnWmj4Y+irE1+qutqD5EQMFcoG316yYbGrfbBsp3PZLkD922
ggHQv1qgV/CKmEgTWuZgqaYZNAh6XKYP01/1ETU1GOcRDovEVfk+uVzDLs32LLhaO1Iujd141RTV
7mDlWSo=
-----END CERTIFICATE-----

Client PC setup

We took it to the client PC and executed a few commands.

PS C:\> mkdir "%HOMEDRIVE%%HOMEPATH%\.requests_ca_bundle" && notepad "%HOMEDRIVE%%HOMEPATH%\.requests_ca_bundle\waw-tfs01.crt"
<pasted cert content>
PS C:\> SETX REQUESTS_CA_BUNDLE "%HOMEDRIVE%%HOMEPATH%\.requests_ca_bundle\waw-tfs01.crt"

We created a valid token in Azure DevOps Server 2019 and tried to use it with vsts.

d:\Java\projects\javafx-spring-boot-gradle>vsts login -i https://waw-l01.ourdomain.com --token spevxzog3m6h...token...hztpa7wzaczxa --debug
Command arguments: ['login', '-i', 'https://waw-l01.ourdomain.com', '--token', 'spevxzog3m6h...token...hztpa7wzaczxa', '--debug']
Event: Cli.PreExecute []
Event: CommandParser.OnGlobalArgumentsCreate [<function CLILogging.on_global_arguments at 0x037DCF60>, <function OutputProducer.on_global_arguments at 0x03600C48>, <function CLIQuery.on_global_arguments at 0x0372D618>]
Event: CommandInvoker.OnPreCommandTableCreate []
Event: CommandLoader.OnLoadCommandTable []
Event: CommandLoader.OnLoadArguments []
Event: CommandInvoker.OnPostCommandTableCreate []
Event: CommandInvoker.OnCommandTableLoaded []
Event: CommandInvoker.OnPreParseArgs []
Event: CommandInvoker.OnPostParseArgs [<function OutputProducer.handle_output_argument at 0x03600C90>, <function CLIQuery.handle_query_parameter at 0x0372D660>, <function VstsCLI.post_parse_args at 0x03ED1660>]
Creating connection with personal access token.
msrest.universal_http.requests : Configuring retry: max_retries=3, backoff_factor=0.8, max_backoff=90
msrest.universal_http.requests : Configuring retry: max_retries=3, backoff_factor=0.8, max_backoff=90
msrest.universal_http.requests : Configuring retry: max_retries=3, backoff_factor=0.8, max_backoff=90
msrest.universal_http.requests : Configuring retry: max_retries=3, backoff_factor=0.8, max_backoff=90
vsts._file_cache : Cache file does not exist: C:\Users\Pawel.EBSOFT\.vsts\python-sdk\cache\options.json
vsts.vss_client : File cache miss for options on: https://waw-l01.ourdomain.com
vsts.vss_client : OPTIONS https://waw-l01.ourdomain.com/_apis
vsts.vss_client : Request content: None
msrest.universal_http : Configuring redirects: allow=True, max=30
msrest.universal_http : Configuring request: timeout=100, verify=True, cert=None
msrest.universal_http : Configuring proxies: ''
msrest.universal_http : Evaluate proxies against ENV settings: True
urllib3.connectionpool : Starting new HTTPS connection (1): waw-l01.ourdomain.com:443
urllib3.util.retry : Incremented Retry for (url='/_apis'): Retry(total=2, connect=3, read=3, redirect=None, status=None)
urllib3.connectionpool : Retrying (Retry(total=2, connect=3, read=3, redirect=None, status=None)) after connection broken by 'SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self signed certificate in certificate chain (_ssl.c:1045)'))': /_apis
urllib3.connectionpool : Starting new HTTPS connection (2): waw-l01.ourdomain.com:443
urllib3.util.retry : Incremented Retry for (url='/_apis'): Retry(total=1, connect=3, read=3, redirect=None, status=None)
urllib3.connectionpool : Retrying (Retry(total=1, connect=3, read=3, redirect=None, status=None)) after connection broken by 'SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self signed certificate in certificate chain (_ssl.c:1045)'))': /_apis
urllib3.connectionpool : Starting new HTTPS connection (3): waw-l01.ourdomain.com:443
urllib3.util.retry : Incremented Retry for (url='/_apis'): Retry(total=0, connect=3, read=3, redirect=None, status=None)
urllib3.connectionpool : Retrying (Retry(total=0, connect=3, read=3, redirect=None, status=None)) after connection broken by 'SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self signed certificate in certificate chain (_ssl.c:1045)'))': /_apis
urllib3.connectionpool : Starting new HTTPS connection (4): waw-l01.ourdomain.com:443
msrest.exceptions : Error occurred in request., SSLError: HTTPSConnectionPool(host='waw-l01.ourdomain.com', port=443): Max retries exceeded with url: /_apis (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self signed certificate in certificate chain (_ssl.c:1045)')))
Error occurred in request., SSLError: HTTPSConnectionPool(host='waw-l01.ourdomain.com', port=443): Max retries exceeded with url: /_apis (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self signed certificate in certificate chain (_ssl.c:1045)')))
Traceback (most recent call last):
  File "C:\Program Files (x86)\Microsoft SDKs\VSTS\CLI\lib\site-packages\urllib3\connectionpool.py", line 600, in urlopen
    chunked=chunked)
  File "C:\Program Files (x86)\Microsoft SDKs\VSTS\CLI\lib\site-packages\urllib3\connectionpool.py", line 343, in _make_request
    self._validate_conn(conn)
  File "C:\Program Files (x86)\Microsoft SDKs\VSTS\CLI\lib\site-packages\urllib3\connectionpool.py", line 839, in _validate_conn
    conn.connect()
  File "C:\Program Files (x86)\Microsoft SDKs\VSTS\CLI\lib\site-packages\urllib3\connection.py", line 344, in connect
    ssl_context=context)
  File "C:\Program Files (x86)\Microsoft SDKs\VSTS\CLI\lib\site-packages\urllib3\util\ssl_.py", line 344, in ssl_wrap_socket
    return context.wrap_socket(sock, server_hostname=server_hostname)
  File "C:\Program Files (x86)\Microsoft SDKs\VSTS\CLI\lib\ssl.py", line 412, in wrap_socket
    session=session
  File "C:\Program Files (x86)\Microsoft SDKs\VSTS\CLI\lib\ssl.py", line 850, in _create
    self.do_handshake()
  File "C:\Program Files (x86)\Microsoft SDKs\VSTS\CLI\lib\ssl.py", line 1108, in do_handshake
    self._sslobj.do_handshake()
**ssl.SSLCertVerificationError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self signed certificate in certificate chain (_ssl.c:1045)**

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "C:\Program Files (x86)\Microsoft SDKs\VSTS\CLI\lib\site-packages\requests\adapters.py", line 449, in send
    timeout=timeout
  File "C:\Program Files (x86)\Microsoft SDKs\VSTS\CLI\lib\site-packages\urllib3\connectionpool.py", line 667, in urlopen
    **response_kw)
  File "C:\Program Files (x86)\Microsoft SDKs\VSTS\CLI\lib\site-packages\urllib3\connectionpool.py", line 667, in urlopen
    **response_kw)
  File "C:\Program Files (x86)\Microsoft SDKs\VSTS\CLI\lib\site-packages\urllib3\connectionpool.py", line 667, in urlopen
    **response_kw)
  File "C:\Program Files (x86)\Microsoft SDKs\VSTS\CLI\lib\site-packages\urllib3\connectionpool.py", line 638, in urlopen
    _stacktrace=sys.exc_info()[2])
  File "C:\Program Files (x86)\Microsoft SDKs\VSTS\CLI\lib\site-packages\urllib3\util\retry.py", line 398, in increment
    raise MaxRetryError(_pool, url, error or ResponseError(cause))
urllib3.exceptions.MaxRetryError: HTTPSConnectionPool(host='waw-l01.ourdomain.com', port=443): Max retries exceeded with url: /_apis (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self signed certificate in certificate chain (_ssl.c:1045)')))

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "C:\Program Files (x86)\Microsoft SDKs\VSTS\CLI\lib\site-packages\msrest\universal_http\requests.py", line 137, in send
    **kwargs)
  File "C:\Program Files (x86)\Microsoft SDKs\VSTS\CLI\lib\site-packages\requests\sessions.py", line 533, in request
    resp = self.send(prep, **send_kwargs)
  File "C:\Program Files (x86)\Microsoft SDKs\VSTS\CLI\lib\site-packages\requests\sessions.py", line 646, in send
    r = adapter.send(request, **kwargs)
  File "C:\Program Files (x86)\Microsoft SDKs\VSTS\CLI\lib\site-packages\requests\adapters.py", line 514, in send
    raise SSLError(e, request=request)
requests.exceptions.SSLError: HTTPSConnectionPool(host='waw-l01.ourdomain.com', port=443): Max retries exceeded with url: /_apis (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self signed certificate in certificate chain (_ssl.c:1045)')))

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "C:\Program Files (x86)\Microsoft SDKs\VSTS\CLI\lib\site-packages\vsts\cli\team\common\credentials.py", line 42, in credential_set
    location_client.get_connection_data()
  File "C:\Program Files (x86)\Microsoft SDKs\VSTS\CLI\lib\site-packages\vsts\location\v4_1\location_client.py", line 46, in get_connection_data
    query_parameters=query_parameters)
  File "C:\Program Files (x86)\Microsoft SDKs\VSTS\CLI\lib\site-packages\vsts\vss_client.py", line 72, in _send
    query_parameters=query_parameters)
  File "C:\Program Files (x86)\Microsoft SDKs\VSTS\CLI\lib\site-packages\vsts\vss_client.py", line 111, in _create_request_message
    location = self._get_resource_location(location_id)
  File "C:\Program Files (x86)\Microsoft SDKs\VSTS\CLI\lib\site-packages\vsts\vss_client.py", line 141, in _get_resource_location
    VssClient._locations_cache[self.config.base_url] = self._get_resource_locations(all_host_types=False)
  File "C:\Program Files (x86)\Microsoft SDKs\VSTS\CLI\lib\site-packages\vsts\vss_client.py", line 177, in _get_resource_locations
    response = self._send_request(request, headers=headers)
  File "C:\Program Files (x86)\Microsoft SDKs\VSTS\CLI\lib\site-packages\vsts\vss_client.py", line 60, in _send_request
    content=content, **operation_config)
  File "C:\Program Files (x86)\Microsoft SDKs\VSTS\CLI\lib\site-packages\msrest\service_client.py", line 219, in send
    pipeline_response = self.config.pipeline.run(request, **kwargs)
  File "C:\Program Files (x86)\Microsoft SDKs\VSTS\CLI\lib\site-packages\msrest\pipeline\__init__.py", line 197, in run
    return first_node.send(pipeline_request, **kwargs)  # type: ignore
  File "C:\Program Files (x86)\Microsoft SDKs\VSTS\CLI\lib\site-packages\msrest\pipeline\__init__.py", line 150, in send
    response = self.next.send(request, **kwargs)
  File "C:\Program Files (x86)\Microsoft SDKs\VSTS\CLI\lib\site-packages\msrest\pipeline\requests.py", line 72, in send
    return self.next.send(request, **kwargs)
  File "C:\Program Files (x86)\Microsoft SDKs\VSTS\CLI\lib\site-packages\msrest\pipeline\requests.py", line 137, in send
    return self.next.send(request, **kwargs)
  File "C:\Program Files (x86)\Microsoft SDKs\VSTS\CLI\lib\site-packages\msrest\pipeline\__init__.py", line 150, in send
    response = self.next.send(request, **kwargs)
  File "C:\Program Files (x86)\Microsoft SDKs\VSTS\CLI\lib\site-packages\msrest\pipeline\requests.py", line 193, in send
    self.driver.send(request.http_request, **kwargs)
  File "C:\Program Files (x86)\Microsoft SDKs\VSTS\CLI\lib\site-packages\msrest\universal_http\requests.py", line 328, in send
    return super(RequestsHTTPSender, self).send(request, **requests_kwargs)
  File "C:\Program Files (x86)\Microsoft SDKs\VSTS\CLI\lib\site-packages\msrest\universal_http\requests.py", line 140, in send
    raise_with_traceback(ClientRequestError, msg, err)
  File "C:\Program Files (x86)\Microsoft SDKs\VSTS\CLI\lib\site-packages\msrest\exceptions.py", line 51, in raise_with_traceback
    raise error.with_traceback(exc_traceback)
  File "C:\Program Files (x86)\Microsoft SDKs\VSTS\CLI\lib\site-packages\msrest\universal_http\requests.py", line 137, in send
    **kwargs)
  File "C:\Program Files (x86)\Microsoft SDKs\VSTS\CLI\lib\site-packages\requests\sessions.py", line 533, in request
    resp = self.send(prep, **send_kwargs)
  File "C:\Program Files (x86)\Microsoft SDKs\VSTS\CLI\lib\site-packages\requests\sessions.py", line 646, in send
    r = adapter.send(request, **kwargs)
  File "C:\Program Files (x86)\Microsoft SDKs\VSTS\CLI\lib\site-packages\requests\adapters.py", line 514, in send
    raise SSLError(e, request=request)
msrest.exceptions.ClientRequestError: Error occurred in request., SSLError: HTTPSConnectionPool(host='waw-l01.ourdomain.com', port=443): Max retries exceeded with url: /_apis (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self signed certificate in certificate chain (_ssl.c:1045)')))
Failed to authenticate using the supplied token.
Traceback (most recent call last):
  File "C:\Program Files (x86)\Microsoft SDKs\VSTS\CLI\lib\site-packages\urllib3\connectionpool.py", line 600, in urlopen
    chunked=chunked)
  File "C:\Program Files (x86)\Microsoft SDKs\VSTS\CLI\lib\site-packages\urllib3\connectionpool.py", line 343, in _make_request
    self._validate_conn(conn)
  File "C:\Program Files (x86)\Microsoft SDKs\VSTS\CLI\lib\site-packages\urllib3\connectionpool.py", line 839, in _validate_conn
    conn.connect()
  File "C:\Program Files (x86)\Microsoft SDKs\VSTS\CLI\lib\site-packages\urllib3\connection.py", line 344, in connect
    ssl_context=context)
  File "C:\Program Files (x86)\Microsoft SDKs\VSTS\CLI\lib\site-packages\urllib3\util\ssl_.py", line 344, in ssl_wrap_socket
    return context.wrap_socket(sock, server_hostname=server_hostname)
  File "C:\Program Files (x86)\Microsoft SDKs\VSTS\CLI\lib\ssl.py", line 412, in wrap_socket
    session=session
  File "C:\Program Files (x86)\Microsoft SDKs\VSTS\CLI\lib\ssl.py", line 850, in _create
    self.do_handshake()
  File "C:\Program Files (x86)\Microsoft SDKs\VSTS\CLI\lib\ssl.py", line 1108, in do_handshake
    self._sslobj.do_handshake()
ssl.SSLCertVerificationError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self signed certificate in certificate chain (_ssl.c:1045)

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "C:\Program Files (x86)\Microsoft SDKs\VSTS\CLI\lib\site-packages\requests\adapters.py", line 449, in send
    timeout=timeout
  File "C:\Program Files (x86)\Microsoft SDKs\VSTS\CLI\lib\site-packages\urllib3\connectionpool.py", line 667, in urlopen
    **response_kw)
  File "C:\Program Files (x86)\Microsoft SDKs\VSTS\CLI\lib\site-packages\urllib3\connectionpool.py", line 667, in urlopen
    **response_kw)
  File "C:\Program Files (x86)\Microsoft SDKs\VSTS\CLI\lib\site-packages\urllib3\connectionpool.py", line 667, in urlopen
    **response_kw)
  File "C:\Program Files (x86)\Microsoft SDKs\VSTS\CLI\lib\site-packages\urllib3\connectionpool.py", line 638, in urlopen
    _stacktrace=sys.exc_info()[2])
  File "C:\Program Files (x86)\Microsoft SDKs\VSTS\CLI\lib\site-packages\urllib3\util\retry.py", line 398, in increment
    raise MaxRetryError(_pool, url, error or ResponseError(cause))
urllib3.exceptions.MaxRetryError: HTTPSConnectionPool(host='waw-l01.ourdomain.com', port=443): Max retries exceeded with url: /_apis (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self signed certificate in certificate chain (_ssl.c:1045)')))

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "C:\Program Files (x86)\Microsoft SDKs\VSTS\CLI\lib\site-packages\msrest\universal_http\requests.py", line 137, in send
    **kwargs)
  File "C:\Program Files (x86)\Microsoft SDKs\VSTS\CLI\lib\site-packages\requests\sessions.py", line 533, in request
    resp = self.send(prep, **send_kwargs)
  File "C:\Program Files (x86)\Microsoft SDKs\VSTS\CLI\lib\site-packages\requests\sessions.py", line 646, in send
    r = adapter.send(request, **kwargs)
  File "C:\Program Files (x86)\Microsoft SDKs\VSTS\CLI\lib\site-packages\requests\adapters.py", line 514, in send
    raise SSLError(e, request=request)
**requests.exceptions.SSLError: HTTPSConnectionPool(host='waw-l01.ourdomain.com', port=443): Max retries exceeded with url: /_apis (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self signed certificate in certificate chain (_ssl.c:1045)')))**

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "C:\Program Files (x86)\Microsoft SDKs\VSTS\CLI\lib\site-packages\vsts\cli\team\common\credentials.py", line 42, in credential_set
    location_client.get_connection_data()
  File "C:\Program Files (x86)\Microsoft SDKs\VSTS\CLI\lib\site-packages\vsts\location\v4_1\location_client.py", line 46, in get_connection_data
    query_parameters=query_parameters)
  File "C:\Program Files (x86)\Microsoft SDKs\VSTS\CLI\lib\site-packages\vsts\vss_client.py", line 72, in _send
    query_parameters=query_parameters)
  File "C:\Program Files (x86)\Microsoft SDKs\VSTS\CLI\lib\site-packages\vsts\vss_client.py", line 111, in _create_request_message
    location = self._get_resource_location(location_id)
  File "C:\Program Files (x86)\Microsoft SDKs\VSTS\CLI\lib\site-packages\vsts\vss_client.py", line 141, in _get_resource_location
    VssClient._locations_cache[self.config.base_url] = self._get_resource_locations(all_host_types=False)
  File "C:\Program Files (x86)\Microsoft SDKs\VSTS\CLI\lib\site-packages\vsts\vss_client.py", line 177, in _get_resource_locations
    response = self._send_request(request, headers=headers)
  File "C:\Program Files (x86)\Microsoft SDKs\VSTS\CLI\lib\site-packages\vsts\vss_client.py", line 60, in _send_request
    content=content, **operation_config)
  File "C:\Program Files (x86)\Microsoft SDKs\VSTS\CLI\lib\site-packages\msrest\service_client.py", line 219, in send
    pipeline_response = self.config.pipeline.run(request, **kwargs)
  File "C:\Program Files (x86)\Microsoft SDKs\VSTS\CLI\lib\site-packages\msrest\pipeline\__init__.py", line 197, in run
    return first_node.send(pipeline_request, **kwargs)  # type: ignore
  File "C:\Program Files (x86)\Microsoft SDKs\VSTS\CLI\lib\site-packages\msrest\pipeline\__init__.py", line 150, in send
    response = self.next.send(request, **kwargs)
  File "C:\Program Files (x86)\Microsoft SDKs\VSTS\CLI\lib\site-packages\msrest\pipeline\requests.py", line 72, in send
    return self.next.send(request, **kwargs)
  File "C:\Program Files (x86)\Microsoft SDKs\VSTS\CLI\lib\site-packages\msrest\pipeline\requests.py", line 137, in send
    return self.next.send(request, **kwargs)
  File "C:\Program Files (x86)\Microsoft SDKs\VSTS\CLI\lib\site-packages\msrest\pipeline\__init__.py", line 150, in send
    response = self.next.send(request, **kwargs)
  File "C:\Program Files (x86)\Microsoft SDKs\VSTS\CLI\lib\site-packages\msrest\pipeline\requests.py", line 193, in send
    self.driver.send(request.http_request, **kwargs)
  File "C:\Program Files (x86)\Microsoft SDKs\VSTS\CLI\lib\site-packages\msrest\universal_http\requests.py", line 328, in send
    return super(RequestsHTTPSender, self).send(request, **requests_kwargs)
  File "C:\Program Files (x86)\Microsoft SDKs\VSTS\CLI\lib\site-packages\msrest\universal_http\requests.py", line 140, in send
    raise_with_traceback(ClientRequestError, msg, err)
  File "C:\Program Files (x86)\Microsoft SDKs\VSTS\CLI\lib\site-packages\msrest\exceptions.py", line 51, in raise_with_traceback
    raise error.with_traceback(exc_traceback)
  File "C:\Program Files (x86)\Microsoft SDKs\VSTS\CLI\lib\site-packages\msrest\universal_http\requests.py", line 137, in send
    **kwargs)
  File "C:\Program Files (x86)\Microsoft SDKs\VSTS\CLI\lib\site-packages\requests\sessions.py", line 533, in request
    resp = self.send(prep, **send_kwargs)
  File "C:\Program Files (x86)\Microsoft SDKs\VSTS\CLI\lib\site-packages\requests\sessions.py", line 646, in send
    r = adapter.send(request, **kwargs)
  File "C:\Program Files (x86)\Microsoft SDKs\VSTS\CLI\lib\site-packages\requests\adapters.py", line 514, in send
    raise SSLError(e, request=request)
**msrest.exceptions.ClientRequestError: Error occurred in request., SSLError: HTTPSConnectionPool(host='waw-l01.ourdomain.com', port=443): Max retries exceeded with url: /_apis (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self signed certificate in certificate chain (_ssl.c:1045)')))**

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "C:\Program Files (x86)\Microsoft SDKs\VSTS\CLI\lib\site-packages\knack\cli.py", line 206, in invoke
    cmd_result = self.invocation.execute(args)
  File "C:\Program Files (x86)\Microsoft SDKs\VSTS\CLI\lib\site-packages\knack\invocation.py", line 188, in execute
    cmd_result = parsed_args.func(params)
  File "C:\Program Files (x86)\Microsoft SDKs\VSTS\CLI\lib\site-packages\knack\commands.py", line 105, in __call__
    return self.handler(*args, **kwargs)
  File "C:\Program Files (x86)\Microsoft SDKs\VSTS\CLI\lib\site-packages\knack\commands.py", line 212, in _command_handler
    result = op(client, **command_args) if client else op(**command_args)
  File "C:\Program Files (x86)\Microsoft SDKs\VSTS\CLI\lib\site-packages\vsts\cli\team\common\credentials.py", line 45, in credential_set
    raise ValueError("Failed to authenticate using the supplied token.")
ValueError: Failed to authenticate using the supplied token.

Could you kindly validate it still works on Windows 10 Enterprise client PCs?
Perhaps it DOES NOT anymore and is related to this bug: urllib3/urllib3#1682?

We DID NOT do anything wrong in our opinion. Please kindly remember that we are using a Windows 10 client PC. I am not the biggest certificate expert, but I think I have exported the right pubkey from the server (I have already tried both certs in various combinations, alone and together, with no effect).

Could you kindly assist? Are we facing a problem related to the urllib3 issue I mentioned above? If so, how can we work around it, or when could a fix for vsts-cli be expected?

This page https://docs.anaconda.com/anaconda/packages/py3.7_win-64/ tells me python 3.7.0 for Windows comes with urllib3 version 1.25.8 so if my reasoning is correct this urllib3 bug has been fixed in Python 3.7.4. Can you upgrade Python component and deliver working vsts-cli?
It is important to us to have a working vsts-cli with self-signed certificates (I know, I know we should not, but please it is important for us...)

Other users reported in Azure/azure-devops-cli-extension#76 that the proposed solution no longer works. Perhaps it did work on *nix systems, but not on Windows?
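
An added example, not part of the original issue or of the vsts-cli code base: a pre-flight check for the client-side setup described above, written in Python because the failing stack is requests/urllib3. It checks that REQUESTS_CA_BUNDLE is visible to the process, that the file is ASCII PEM, that the bundle holds the certificate with the expected Windows thumbprint (SHA-1 of the DER bytes), and that the login URL's host is among the certificate's DNS names. The function names and the sample PEM are constructed for illustration; the URL, DNS names and thumbprint in the `__main__` part are the ones quoted in the issue.

```python
import base64
import hashlib
import re
import ssl
from urllib.parse import urlsplit

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----.+?-----END CERTIFICATE-----", re.S)
UNEXPANDED = re.compile(r"%[A-Za-z_][A-Za-z0-9_]*%")

# Constructed sample: placeholder bytes, NOT a real certificate. A thumbprint is
# only a SHA-1 over the decoded bytes, so no valid X.509 is needed to show it.
SAMPLE_DER = b"constructed placeholder bytes standing in for DER"
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + base64.encodebytes(SAMPLE_DER).decode("ascii")
              + "-----END CERTIFICATE-----\n")
SAMPLE_THUMBPRINT = hashlib.sha1(SAMPLE_DER).hexdigest().upper()


def decode_bundle(raw):
    """Return the bundle as text, flagging encodings an editor may have introduced."""
    if raw.startswith((b"\xff\xfe", b"\xfe\xff")) or b"\x00" in raw[:64]:
        raise ValueError("bundle is UTF-16; re-save it as ASCII")
    if raw.startswith(b"\xef\xbb\xbf"):
        raise ValueError("bundle starts with a UTF-8 BOM; re-save without it")
    return raw.decode("ascii")  # UnicodeDecodeError is a ValueError


def thumbprints(pem_text):
    """SHA-1 of each certificate's DER bytes, formatted like the Windows Thumbprint."""
    return [hashlib.sha1(ssl.PEM_cert_to_DER_cert(block)).hexdigest().upper()
            for block in PEM_BLOCK.findall(pem_text)]


def host_covered(url, dns_names):
    """True if the URL host matches a DNS name exactly or via a one-label wildcard."""
    host = (urlsplit(url).hostname or "").lower()
    for name in (n.lower() for n in dns_names):
        if name == host:
            return True
        if name.startswith("*.") and "." in host and host.split(".", 1)[1] == name[2:]:
            return True
    return False


def preflight(env, read_file, url, dns_names, expected_thumbprint):
    """Return a list of findings; an empty list means nothing was detected."""
    findings = []
    path = env.get("REQUESTS_CA_BUNDLE", "")
    if not path:
        findings.append("REQUESTS_CA_BUNDLE not set in this process "
                        "(SETX only reaches processes started afterwards)")
    elif UNEXPANDED.search(path):
        findings.append("bundle path holds a literal %VAR% placeholder: " + path)
    else:
        try:
            found = thumbprints(decode_bundle(read_file(path)))
            if expected_thumbprint.upper() not in found:
                findings.append("expected thumbprint not in bundle; found %s" % found)
        except (OSError, ValueError) as exc:
            findings.append("bundle unusable: %s" % exc)
    if not host_covered(url, dns_names):
        findings.append("URL host %r is not among the certificate DNS names"
                        % urlsplit(url).hostname)
    return findings


if __name__ == "__main__":
    import os

    def read_bytes(path):
        with open(path, "rb") as handle:
            return handle.read()

    # Values below are the ones quoted in the issue text.
    for finding in preflight(
            os.environ, read_bytes,
            "https://waw-l01.ourdomain.com",
            ["waw-tfs01.ourdomain.com", "waw-tfs01"],
            "37D95AF3FDB3F5620AA54FD448F549AA87DE8AA7"):
        print("FINDING:", finding)
```

Run it with the same interpreter and from the same kind of shell session that launches the CLI, so the environment it inspects is the one the tool actually sees.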

pprivately changed the title from "[Bug] vsts-cli tool does not work with (onprem) Azure DevOps Server 2019 SP1; *self-signed* certificate" to "[Bug] vsts-cli tool does not work with (onprem) Azure DevOps Server 2019 SP1.1; *self-signed* certificate" on Apr 9, 2020
@tedchamb
Member

The vsts-cli was deprecated a few years ago and replaced by the Azure DevOps Extension for Azure CLI. You will want to switch to using their extension, and follow up with them if you have any issues.
