Azure Service Connection using certificate authentication fails to get cert file password #17581
Comments
|
I had the same issue on 1 server, but not on another. The key difference ended up being the PowerShell version: using 7.3.2 gives the error, but PowerShell version 7.2.9 does not. Therefore my workaround was installing 7.2.9 on both servers. |
|
I have the same problem. In my case: AzurePowerShell task 5.225.1, PowerShell version 7.3.5. Downgrading PowerShell is not an option for my team. |
|
Same issue. Can't downgrade. |
|
The immediate cause of the problem seems to be a change in the way The AzurePowerShell task calls $openSSLArgs = "pkcs12 -export -in $pemFilePath -out $pfxFilePath -password file:`"$pfxPasswordFilePath`""
Invoke-VstsTool -FileName $openSSLExePath -Arguments $openSSLArgs -RequireExitCodeZero
Invoke-Expression "& '$FileName' --% $Arguments"Here are the actual command lines, as observed via Sysinternals Process Monitor, on various PowerShell versions, with Two things are apparent here:
Fully fixing the problem with spaces in paths seems difficult to do, due to the design of Specifically, I propose the following change: which will result in the same command line being generated in all three PS versions, fixing this issue. Would this be acceptable? |
|
Any progress on this? |
|
This has become a problem in several of my azure pipelines over the weekend. Can Microsoft provide an update to this issue? |
|
As a temporary workaround, they did provide scripts to downgrade Powershell back to 7.2.17 when they announced the update. I added them as steps at the start of my pipelines and they successfully downgraded the Powershell version used by all subsequent steps and got my pipelines running again. It does need to get fixed, though; staying on 7.2 forever isn't a great plan. |
Morning, could you please give me some example? Facing same issue, but don't understand how you 'added them as steps at the start of my pipelines'. Thanks! |
|
Sure. I created a script file called - task: CmdLine@2
displayName: Downgrade to Powershell 7.2
inputs:
failOnStderr: true
workingDirectory: $(Agent.BuildDirectory)/scripts
script: downgrade-powershell.cmdthe contents of set "extractPath=C:\Program Files\PowerShell\7"
curl -sLO https://github.com/PowerShell/PowerShell/releases/download/v7.2.17/PowerShell-7.2.17-win-x64.zip
RMDIR "%extractPath%" /S /Q
7z x PowerShell-7.2.17-win-x64.zip -o"%extractPath%"
pwsh --versionMy pipelines almost all run on Windows, so I'm able to get away with just using a CmdTask and a batch file. If you've got a more heterogeneous environment, you might need to also add tasks with the macOS and Linux downgrade scripts they provided. You should be able to pick which one to run with something like this: - ${{ if eq(Agent.OS, 'Windows_NT') }}:
- script: windows-downgrade-powershell.cmd
- ${{ elseif eq(Agent.OS, 'Darwin') }}:
- script: macos-downgrade-powershell.sh
- ${{ elseif eq(Agent.OS, 'Linux') }}:
- script: linux-downgrade-powershell.sh(disclaimer: not tested) |
|
Our pipelines are broken now, too. It would be nice if either
|
|
I had a chat with Microsoft support and what works for our pipelines is to use previous version of MS hosted agent (use 'windows-2019' instead of 'windows-latest') and use 'AzurePowerShell@4'...
|
|
Thanks much!
Tomas J.
From: Andrew Bikle ***@***.***>
Sent: Thursday, February 1, 2024 3:06 PM
To: microsoft/azure-pipelines-tasks ***@***.***>
Cc: Tomáš Jetelina ***@***.***>; Comment ***@***.***>
Subject: Re: [microsoft/azure-pipelines-tasks] Azure Service Connection using certificate authentication fails to get cert file password on private agent (Issue #17581)
Sure. I created a script file called downgrade-powershell.cmd and placed it in a scripts directory, and then added this step early in each pipeline:
- task: ***@***.***
displayName: Downgrade to Powershell 7.2
inputs:
failOnStderr: true
workingDirectory: $(Agent.BuildDirectory)/scripts
script: downgrade-powershell.cmd
the contents of downgrade-powershell.cmd are
set "extractPath=C:\Program Files\PowerShell\7"
curl -sLO https://github.com/PowerShell/PowerShell/releases/download/v7.2.17/PowerShell-7.2.17-win-x64.zip
RMDIR "%extractPath%" /S /Q
7z x PowerShell-7.2.17-win-x64.zip -o"%extractPath%"
pwsh --version
My pipelines almost all run on Windows, so I'm able to get away with just using a CmdTask and a batch file. If you've got a more heterogeneous environment, you might need to also add tasks with the macOS and Linux downgrade scripts they provided. You should be able to pick which one to run with something like this:
- ${{ if eq(Agent.OS, 'Windows_NT') }}:
- script: windows-downgrade-powershell.cmd
- ${{ elseif eq(Agent.OS, 'Darwin') }}:
- script: macos-downgrade-powershell.sh
- ${{ elseif eq(Agent.OS, 'Linux') }}:
- script: linux-downgrade-powershell.sh
(disclaimer: not tested)
—
Reply to this email directly, view it on GitHub<#17581 (comment)>, or unsubscribe<https://github.com/notifications/unsubscribe-auth/AHI3LVGBRVGGCEZI6H6PQZDYROONHAVCNFSM6AAAAAATVRCPI2VHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMYTSMRRGQYDMNRQGE>.
You are receiving this because you commented.Message ID: ***@***.******@***.***>>
|
|
We have the same issue in our pipelines with the Azure DevOps hosted agents. This affects productive deployments and downgrading isn't a permanent solution. |
AngleOSaxon
changed the title
|
Can you please provide an update on this? |
|
I have no updates to provide. I've created GH-19558, a pull request with a change that I believe solves the problem. It needs to be reviewed by someone at Microsoft, but I do not have a way to cause that to happen. |
|
It looks as though a change just went in that will resolve the issue. Hopefully a new version incorporating it will be released in the next month or so. |
|
My pipeline agents just updated to version 3.238.0, which incorporates the fix for this bug. I was able to successfully run pipelines using certificate authentication with Powershell 7.4, so I believe this issue is resolved. If your pipelines are still encountering this issue, make sure they're updated to the latest version. |
|
Is it only me or is this still a problem even in 7.5.0? Using the latest agent 4.248.1 |
|
I haven't had this issue reoccur so far, although I'm still on the 3.x series of agent versions instead of 4.x. The one thing that sticks out to me is the task version listed in that output--it's version 5.234.0. That seems somewhat behind--my AzurePowershellV5 tasks are reporting a version of 5.248.3. I believe the fix for this issue was applied in version 5.237.0. Unfortunately I'm not sure how the Agent fetches its copies of the tasks, so I don't know why you would still have such an old task version even with one of the latest agent version. |
|
I'm pretty sure that tasks like this only are upgraded from the DevOps server, and we are using On Premise DevOps 2022 Update 2 (and that is unfortunately the latest version). So I believe we just have to wait until the next big DevOps release, since it is called 2022 it should be anytime I guess:)... But if anyone finds information on how to upgrade tasks manually in DevOps On Premise I would be very happy! |
|
I haven't tried it personally, but they're largely just Powershell/node scripts sitting in The lightest-touch manual fix I can think of would be to locate the AzurePowerShell task directory for your task version and update the file If you can find that file, there's a function It's not my first choice for a lot of reasons, but it should work until the tasks get updated. You'll lose the change when that happens, but any update should contain the fix anyway. |
|
I actually tried adding the latest version within the same structure (with new version folder), but it did not pick up the new version... Anyway, I did the replace in the file instead and it works like a charm! Thanks!!! |
Required Information
Entering this information will route you directly to the right team and expedite traction.
Question, Bug, or Feature?
Type: Bug
Enter Task Name:
Any that take an AzureServiceConnection argument
Environment
Account Name: transcardscm
Team Project Name: AccessControl
Build Definition Name/Build number: AccessControl Site - UAT - Release, build number 20221216.15
- If using private agent, provide the OS of the machine running the agent and the agent version:
OS: Windows Server 2016 Datacenter, version 1607, build 14393.5582
Agent Version: 2.213.2
Issue Description
I am using a privately-hosted agent and an Azure Service Connection configured with certificate authentication. When it attempts to execute a pipeline that authenticates to Azure using this service connection, it fails with this error:
These pipelines and Service Connections work flawlessly on Microsoft-hosted agents.
Examining the private build agent with Procmon shows that openssl is handling the supplied password file path incorrectly, treating it as a relative file name rather than an absolute path.
In the task scripting, the password file path appears to be surrounded in quotes by line 257 in the Utility.ps1 file. Removing those quote marks allows the task to successfully read the password file and certificate, and to successfully authenticate.
Although removing the quotes does potentially allow spaces in the file path to break the command, the other paths supplied to the same command are in the same directory and are not quoted either, so this seems unlikely to cause any new issues.
Is there a known configuration change I can make to my private agent host so that openssl will process the
$pfxPasswordFilePathproperly, the way it does on the Microsoft-hosted agents? Or should I open a PR to remove the quotes from that argument in Utility.ps1?Task logs
PrivateHost_FailedAuth_Cert.zip
Error logs
The text was updated successfully, but these errors were encountered: