Wednesday, February 18, 2015

TeamCity + TFS Git repository: unable to find valid certification path to requested target

Accessing TFS Git repository from TeamCity, for an on-premises TFS installation gives you the following error?

Failed for the root '"XXX Git" {instance id=225, parent internal id=48, parent id=XXX_YYY_Git, description: "https://tfsinstance/tfs/DefaultCollection/TeamProject/_git/GitRepository#refs/heads/master"}: List remote refs failed: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target 

Your corporate certificate is not known by TeamCity. This is how you fix the problem.

Save your corporate root certificate into CompanyRoot.cer file

For server side checkout: 
  1. Login to the TeamCity server machine
  2. Add this root certificate to keystore of your TeamCity 
%TeamCityInstallDir%\jre\bin\keytool.exe  -importcert -trustcacerts -file CompanyRoot.cer -alias ca_alias -keystore "%TeamCityInstallDir%\jre\lib\security\cacerts"

(replace %TeamCityInstallDir% with actual path to your TeamCity)

If you haven't ever changed it, password for the keystore is changeit :)

For agent side checkout:
  1. Install Git on agent machine to lets say C:\Programs\Git\
  2. Run on agent machine git config --global http.sslCAInfo D:\Programs\Git\bin\curl-ca-bundle.crt
  3. Edit curl-ca-bundle.crt manually, add your Company root certificate to the end of the file
Mor information can be found here: 


Monday, February 16, 2015

TeamCity and multiple VCS root - be aware

Recently we hit the problem, that in some cases when using multiple VCS roots in TeamCity build configuration, files from some roots were missing.

Well, of course we did "something" - we changed server-side checkout to agent-side checkout. And that dramatically changed how the checkout directory looks like after fetching files.

The catch is:

  • On server-side checkout, all VCS roots are processed separately by the server and then files are sent to the agent. 
  • On agent-side checkout VCS roots are processed one after one in the SAME agent checkout directory. 


Disaster scenario:
One of VCS roots (lets say RootX) is set up to map files into root og agent checkout folder.
Checkout changes from server-side to agent-side.
TeamCity sees that as clean checkout for all VCS roots.
Agent fetches root1 into Folder1, root2 into Folder2, RootX ... into root of agent checkout directory. And prior to fetch it does cleanup files, which in this case means - delete Folder1 and Folder2.

Result: 
Files from some roots are missing.

Solution: 
Do not map files to root of checkout directory, if you have more then one VCS roots.
Or use server-side checkout.