8

I got this error when using the task 'Download Build Artifact' in the release pipeline of devops server 2019 or devops server 2020:

Error: in getBuildApi, so retrying => retries pending : 4

Detailed errors can be found when using diagnostic logging and / or by adding log statements to main.js in the agent\_work\_tasks\DownloadBuildArtifacts_a433f589-fce1-4460-9ee6-44a624aeb1fb directory:

Failed in getBuildApi with error: Error: unable to get local issuer certificate and

    at Error (native)
    at TLSSocket.<anonymous> (_tls_wrap.js:1092:38)
    at emitNone (events.js:86:13)
    at TLSSocket.emit (events.js:185:7)
    at TLSSocket._finishInit (_tls_wrap.js:609:8)
    at TLSWrap.ssl.onhandshakedone (_tls_wrap.js:439:38) code: 'UNABLE_TO_GET_ISSUER_CERT_LOCALLY'```
sɐunıɔןɐqɐp
  • 3,332
  • 15
  • 36
  • 40
Thom Kiesewetter
  • 6,703
  • 3
  • 28
  • 41

3 Answers3

10

The problem was an certificate we used on our devops server which is not trusted by node. I think it has something to do with the root certificate because browsing to our devops server with chrome give no problems on the build agent. (The certificate is valid.)

To solve this issue set the following environment system variable and restart the agent services NODE_TLS_REJECT_UNAUTHORIZED=0

Thom Kiesewetter
  • 6,703
  • 3
  • 28
  • 41
  • I just tested this solution, and it worked. The reason was: Build Agent was not in the same Domain as the on-premise TFS Server, and the certificate of the TFS Server's Domain was not correctly configured in the Build Agent. Ignoring the certificate error on the Build Agent machine with that environment variable, and then rebooting the Build Agent server solved the issue. – sɐunıɔןɐqɐp Dec 22 '20 at 14:33
  • This can also be set as a variable in the pipeline definition. What I don't understand is why this is happening. The root cert is installed on the machine cert:\LocalMachine\root\* – Jay Feb 14 '22 at 20:16
  • While this will solve the original issue, it opens up a potential cyber security vulnerability by disabling the certificate validation. So I would consider this rather a workaround than a proper solution. The other proposed answer by importing the certificate chain would be the better solution. From the official [NodeJS docu](https://nodejs.org/api/cli.html#node_tls_reject_unauthorizedvalue): "If value equals '0', certificate validation is disabled for TLS connections. This makes TLS, and HTTPS by extension, insecure. The use of this environment variable is strongly discouraged." – Tobias Nov 03 '22 at 14:33
4

This is an old question, but the other option would be to download the certificate chain onto the machine and set the environment variable NODE_EXTRA_CA_CERTS to "/path/to/cert/file".

ouflak
  • 2,458
  • 10
  • 44
  • 49
Ian Inchausti
  • 41
  • 1
0

I got this error with corporate proxy setup where DevOps server is running on premise on http, so no certificate errors could happen.

The problem was variable Agent.ProxyBypassList was not configured:

Agent.ProxyUrl=http://xxxx:8080
Agent.ProxyUsername=yyyyy
Agent.ProxyPassword=***
Agent.ProxyBypassList=undefined

The task DownloadBuildArtifacts@0 was unable to use the proxy even when other tasks like git checkouts, had no problem with the setup.

So, the fix that worked for us was to properly initialize variable Agent.ProxyBypassList for the build pipeline. It is a JSON array of url domains, so it should look like this:

Setting variable Agent.ProxyBypassList

Update:

Another solution where there is no need to add variables trought DevOps user interface is to set the environment variable directly on the pipeline task in YAML script:

- task: DownloadBuildArtifacts@0
  displayName: 'Download Artifacts'
  inputs:
    buildType: specific
    project: SomeProject
    pipeline: 123
    buildVersionToDownload: latestFromBranch
    branchName: $(Build.SourceBranch)
    artifactName: 'SomeArtifactName'
    downloadPath: 'TargetFolder'
  env:
    Agent_ProxyBypassList: '["mydevopsserver"]'
drpdrp
  • 2,351
  • 3
  • 11
  • 15