Wednesday, February 18, 2015

TeamCity + TFS Git repository: unable to find valid certification path to requested target

Accessing TFS Git repository from TeamCity, for an on-premises TFS installation gives you the following error?

Failed for the root '"XXX Git" {instance id=225, parent internal id=48, parent id=XXX_YYY_Git, description: "https://tfsinstance/tfs/DefaultCollection/TeamProject/_git/GitRepository#refs/heads/master"}: List remote refs failed: PKIX path building failed: unable to find valid certification path to requested target 

Your corporate certificate is not known by TeamCity. This is how you fix the problem.

Save your corporate root certificate into CompanyRoot.cer file

For server side checkout: 
  1. Login to the TeamCity server machine
  2. Add this root certificate to keystore of your TeamCity 
%TeamCityInstallDir%\jre\bin\keytool.exe  -importcert -trustcacerts -file CompanyRoot.cer -alias ca_alias -keystore "%TeamCityInstallDir%\jre\lib\security\cacerts"

(replace %TeamCityInstallDir% with actual path to your TeamCity)

If you haven't ever changed it, password for the keystore is changeit :)

For agent side checkout:
  1. Install Git on agent machine to lets say C:\Programs\Git\
  2. Run on agent machine git config --global http.sslCAInfo D:\Programs\Git\bin\curl-ca-bundle.crt
  3. Edit curl-ca-bundle.crt manually, add your Company root certificate to the end of the file
Mor information can be found here: 


  1. Hi Natalia,
    I'm Michael, the Schlumberger guy from Beijing who visited SNTC build team in June!
    Just faced the classic SSL certificate problem, Google led me on your page.
    Hope you are fine!

    1. Hi Michael, nice to hear from you!
      Hope that this post helped to solve the problem :)

  2. Hi there. We have replaced GIT server (gitlab on linux) with newer certificate. Root CA & Intermediate is the same as previous certificate. After the cert replacement we recieve the error your are mentioning on your site. We had used keytool to import root ca in Teamcity server (on windows) and it says it already contains this root CA in trusted root. we have overwritten it, but error still remains the same. Where did we go wrong :/