0

Good morning, I have problems checking out a secure file during the build process in Azure DevOps 2019. My task is defined as:

- task: DownloadSecureFile@1
  inputs:
    secureFile: 'oimPictureEditor_test'
  displayName: 'download configuration'


but it fails with:

2022-12-30T10:10:27.9053899Z ##[section]Starten: download configuration
2022-12-30T10:10:28.0009766Z ==============================================================================
2022-12-30T10:10:28.0010142Z Task         : Sichere Datei herunterladen
2022-12-30T10:10:28.0010245Z Description  : Hiermit wird eine sichere Datei an einen temporären Speicherort auf dem Agent-Computer heruntergeladen.
2022-12-30T10:10:28.0010357Z Version      : 1.151.2
2022-12-30T10:10:28.0010489Z Author       : Microsoft Corporation
2022-12-30T10:10:28.0010653Z Help         : https://docs.microsoft.com/azure/devops/pipelines/tasks/utility/download-secure-file
2022-12-30T10:10:28.0010783Z ==============================================================================
2022-12-30T10:10:28.5506559Z ##[error]Error: unable to get local issuer certificate
2022-12-30T10:10:28.5593478Z ##[section]Abschließen: download configuration

Does anyone have any idea how to fix this?

Thx in advance, iisiggi

iiSiggi

4 Answers

0

Place your secure files in Azure Pipelines and download them.

Here are the steps:

  1. Upload the secure file in Library on Pipeline
  2. Download the files to the agent machine using the DownloadSecureFile@1 task


Download the secure files

Use the DownloadSecureFile@1 task as shown below.

- task: DownloadSecureFile@1
  name: <name of the Task>
  inputs:
    secureFile: <secure file Name>

The secure file is downloaded to $(Agent.TempDirectory). You can check the path using the prepared variable, such as $(<task name>.secureFilePath).

Reference taken from MSDoc.

Rajesh Mopati
0

This is a known issue for Azure DevOps Server, and you can try the way below to resolve the issue.

  steps:
  . . .

  - task: PowerShell@2
    displayName: 'Set CA Cert'
    inputs:
      targetType: inline
      script: |
        # Write the bundle to the agent home directory, or to the machine TEMP folder as a fallback
        if ($env:AGENT_HOMEDIRECTORY -ne $null) { $TargetFolder = $env:AGENT_HOMEDIRECTORY }
        else { $TargetFolder = [System.Environment]::GetEnvironmentVariable('TEMP','Machine') }
        # Export every certificate in the machine's intermediate CA store as PEM
        $Chain = ''
        Get-ChildItem -Path Cert:\LocalMachine\CA | ForEach-Object {
          $Cert = "-----BEGIN CERTIFICATE-----`n"
          $Cert+= $([System.Convert]::ToBase64String($_.export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert),'InsertLineBreaks'))
          $Cert+= "`n-----END CERTIFICATE-----`n"
          $Chain+= $Cert
        }
        $CertFile = "$TargetFolder\TrustedRootCAs.pem"
        $Chain | Out-File $CertFile -Force -Encoding ASCII
        $Chain = $null
        # The pipeline variable NODE.EXTRA.CA.CERTS reaches later tasks as the environment variable NODE_EXTRA_CA_CERTS
        Write-Host "##vso[task.setvariable variable=NODE.EXTRA.CA.CERTS]$CertFile"

  - task: DownloadSecureFile@1
    displayName: 'download configuration'
    inputs:
      secureFile: 'oimPictureEditor_test'

  . . .

The step 'Set CA Cert' will try to get the CA certificate and set it as the variable "NODE.EXTRA.CA.CERTS" for use.

For more details about this issue and the solution, you can reference the following tickets:

Bright Ran-MSFT
  • This looks great. But do you know how to enforce that the PowerShell task runs before DownloadSecureFile@1? – iiSiggi Dec 30 '22 at 14:00
  • Hi @iiSiggi, just like in the sample I shared above, add the PowerShell@2 task to execute the script before the DownloadSecureFile@1 task. With this method, every time you run the pipeline job, it will run the PowerShell@2 task and then run the DownloadSecureFile@1 task. – Bright Ran-MSFT Jan 02 '23 at 05:36
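
A variant of the 'Set CA Cert' script above, added here as an example and not part of the original answer: it exports only certificates that are currently valid and marked as CAs, and logs each thumbprint so the bundle handed to the Node-based tasks can be audited from the build log. The helper name Export-CaBundle and the filter criteria are assumptions.

```powershell
# Added example (hypothetical helper): build an auditable PEM bundle for NODE_EXTRA_CA_CERTS.
function Export-CaBundle {
    param(
        [string]$StorePath = 'Cert:\LocalMachine\CA',
        [Parameter(Mandatory)][string]$OutFile
    )
    $now = Get-Date
    $pem = New-Object System.Text.StringBuilder
    $report = foreach ($c in Get-ChildItem -Path $StorePath) {
        # The Basic Constraints extension says whether the certificate may act as a CA.
        # Assumption: certificates without this extension are skipped.
        $bc = $c.Extensions | Where-Object {
            $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension]
        } | Select-Object -First 1
        $reason = $null
        if ($now -lt $c.NotBefore) { $reason = 'not yet valid' }
        elseif ($now -gt $c.NotAfter) { $reason = 'expired' }
        elseif (-not $bc -or -not $bc.CertificateAuthority) { $reason = 'not a CA certificate' }

        if (-not $reason) {
            $b64 = [System.Convert]::ToBase64String(
                $c.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert),
                'InsertLineBreaks')
            [void]$pem.Append("-----BEGIN CERTIFICATE-----`n$b64`n-----END CERTIFICATE-----`n")
        }
        # One audit row per certificate, exported or skipped.
        [pscustomobject]@{
            Thumbprint = $c.Thumbprint
            Subject    = $c.Subject
            NotAfter   = $c.NotAfter
            Skipped    = $reason
        }
    }
    $pem.ToString() | Out-File $OutFile -Force -Encoding ASCII
    $report
}

# Same target folder logic as the script above.
if ($env:AGENT_HOMEDIRECTORY) { $target = $env:AGENT_HOMEDIRECTORY }
else { $target = [System.Environment]::GetEnvironmentVariable('TEMP', 'Machine') }
$certFile = Join-Path $target 'TrustedRootCAs.pem'

# Print what will be trusted, then hand the bundle to the following tasks.
Export-CaBundle -OutFile $certFile | Format-Table -AutoSize | Out-String | Write-Host
Write-Host "##vso[task.setvariable variable=NODE.EXTRA.CA.CERTS]$certFile"
```

Rows with an empty Skipped column are the certificates that later Node-based tasks will accept as additional trust anchors.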
0

I put the content of my secret file into a secret variable. That worked for me, but it is for sure not a general solution.

iiSiggi
0

I set NODE_EXTRA_CA_CERTS as a system variable manually, then restarted the agent service. That worked for me.

Hurry