I encountered this error when moving my Azure Pipeline from Linux (ubuntu-latest) to windows (windows-latest). The pipeline tries to connect to a self-hosted Artifactory Server – but the error is a generic one and can occur with any Services that runs SSL with certificates from certain certificate authorities. In my case it was Quo Vadis.
What is the problem? The problem is, that Windows Server 2019 has less Root CAs installed then Windows 10 or Linux. You can verify this by running
gci Cert:\CurrentUser\AuthRoot in a PowerShell on the server and compare it with the output from i.e. Windows 10. My Windows 10 has 30 entries – the Windows Server 2019 only 19.
So the solution to is simple – install the Root CA certificates on the server.
If you want to use the Azure hosted agents (i.e. windows-latest) you can use certutil to install the certificate in the pipeline. Add the certificates as .cer files to your repository and the following script to your yaml pipleine:
- script: | certutil -f -addstore root certs\quovadis_rca_der.cer certutil -f -addstore root certs\quovadis_rca2_der.cer certutil -f -addstore root certs\quovadis_rca3_der.cer certutil -f -addstore root certs\quovadis_rcag3_der.cer certutil -f -addstore root certs\quovadis_rca2g3_der.cer certutil -f -addstore root certs\quovadis_rca3g3_der.cer displayName: 'Install Quo Vadis Root CA'
That’s it – now the error should be gone.
If you don’t know the root CA, open the URL that gives you the error in a browser (i.e. Chrome). Click the lock next to the URL and select Certificate (Valid). Under “Certification path” select the Root CA and click view details.
I downloaded the certificates from issuers web site – but you can also export the certificate here. Select “Copy to File…” on the “Details” tab and follow the wizard steps. Select DER format if asked and save the file to disk.
I filed an issue on GitHub and I hope it will be resolved so that we don’t need this workaround.