Azure Service Connection using certificate authentication fails to get cert file password #17581
Comments
|
I had the same issue on 1 server, but not on another. The key difference ended up being the PowerShell version: using 7.3.2 gives the error, but PowerShell version 7.2.9 does not. Therefore my workaround was installing 7.2.9 on both servers. |
|
I have the same problem. In my case: AzurePowerShell task 5.225.1, PowerShell version 7.3.5. Downgrading PowerShell is not an option for my team. |
|
Same issue. Can't downgrade. |
|
The immediate cause of the problem seems to be a change in the way The AzurePowerShell task calls $openSSLArgs = "pkcs12 -export -in $pemFilePath -out $pfxFilePath -password file:`"$pfxPasswordFilePath`""
Invoke-VstsTool -FileName $openSSLExePath -Arguments $openSSLArgs -RequireExitCodeZero
Invoke-Expression "& '$FileName' --% $Arguments"Here are the actual command lines, as observed via Sysinternals Process Monitor, on various PowerShell versions, with Two things are apparent here:
Fully fixing the problem with spaces in paths seems difficult to do, due to the design of Specifically, I propose the following change: which will result in the same command line being generated in all three PS versions, fixing this issue. Would this be acceptable? |
|
Any progress on this? |
|
This has become a problem in several of my azure pipelines over the weekend. Can Microsoft provide an update to this issue? |
|
As a temporary workaround, they did provide scripts to downgrade Powershell back to 7.2.17 when they announced the update. I added them as steps at the start of my pipelines and they successfully downgraded the Powershell version used by all subsequent steps and got my pipelines running again. It does need to get fixed, though; staying on 7.2 forever isn't a great plan. |
Morning, could you please give me some example? Facing same issue, but don't understand how you 'added them as steps at the start of my pipelines'. Thanks! |
|
Sure. I created a script file called - task: CmdLine@2
displayName: Downgrade to Powershell 7.2
inputs:
failOnStderr: true
workingDirectory: $(Agent.BuildDirectory)/scripts
script: downgrade-powershell.cmdthe contents of set "extractPath=C:\Program Files\PowerShell\7"
curl -sLO https://github.com/PowerShell/PowerShell/releases/download/v7.2.17/PowerShell-7.2.17-win-x64.zip
RMDIR "%extractPath%" /S /Q
7z x PowerShell-7.2.17-win-x64.zip -o"%extractPath%"
pwsh --versionMy pipelines almost all run on Windows, so I'm able to get away with just using a CmdTask and a batch file. If you've got a more heterogeneous environment, you might need to also add tasks with the macOS and Linux downgrade scripts they provided. You should be able to pick which one to run with something like this: - ${{ if eq(Agent.OS, 'Windows_NT') }}:
- script: windows-downgrade-powershell.cmd
- ${{ elseif eq(Agent.OS, 'Darwin') }}:
- script: macos-downgrade-powershell.sh
- ${{ elseif eq(Agent.OS, 'Linux') }}:
- script: linux-downgrade-powershell.sh(disclaimer: not tested) |
|
Our pipelines are broken now, too. It would be nice if either
|
|
I had a chat with Microsoft support and what works for our pipelines is to use previous version of MS hosted agent (use 'windows-2019' instead of 'windows-latest') and use 'AzurePowerShell@4'...
|
|
Thanks much!
Tomas J.
From: Andrew Bikle ***@***.***>
Sent: Thursday, February 1, 2024 3:06 PM
To: microsoft/azure-pipelines-tasks ***@***.***>
Cc: Tomáš Jetelina ***@***.***>; Comment ***@***.***>
Subject: Re: [microsoft/azure-pipelines-tasks] Azure Service Connection using certificate authentication fails to get cert file password on private agent (Issue #17581)
Sure. I created a script file called downgrade-powershell.cmd and placed it in a scripts directory, and then added this step early in each pipeline:
- task: ***@***.***
displayName: Downgrade to Powershell 7.2
inputs:
failOnStderr: true
workingDirectory: $(Agent.BuildDirectory)/scripts
script: downgrade-powershell.cmd
the contents of downgrade-powershell.cmd are
set "extractPath=C:\Program Files\PowerShell\7"
curl -sLO https://github.com/PowerShell/PowerShell/releases/download/v7.2.17/PowerShell-7.2.17-win-x64.zip
RMDIR "%extractPath%" /S /Q
7z x PowerShell-7.2.17-win-x64.zip -o"%extractPath%"
pwsh --version
My pipelines almost all run on Windows, so I'm able to get away with just using a CmdTask and a batch file. If you've got a more heterogeneous environment, you might need to also add tasks with the macOS and Linux downgrade scripts they provided. You should be able to pick which one to run with something like this:
- ${{ if eq(Agent.OS, 'Windows_NT') }}:
- script: windows-downgrade-powershell.cmd
- ${{ elseif eq(Agent.OS, 'Darwin') }}:
- script: macos-downgrade-powershell.sh
- ${{ elseif eq(Agent.OS, 'Linux') }}:
- script: linux-downgrade-powershell.sh
(disclaimer: not tested)
—
Reply to this email directly, view it on GitHub<#17581 (comment)>, or unsubscribe<https://github.com/notifications/unsubscribe-auth/AHI3LVGBRVGGCEZI6H6PQZDYROONHAVCNFSM6AAAAAATVRCPI2VHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMYTSMRRGQYDMNRQGE>.
You are receiving this because you commented.Message ID: ***@***.******@***.***>>
|
|
We have the same issue in our pipelines with the Azure DevOps hosted agents. This affects productive deployments and downgrading isn't a permanent solution. |
AngleOSaxon
changed the title
|
Can you please provide an update on this? |
|
I have no updates to provide. I've created GH-19558, a pull request with a change that I believe solves the problem. It needs to be reviewed by someone at Microsoft, but I do not have a way to cause that to happen. |
|
It looks as though a change just went in that will resolve the issue. Hopefully a new version incorporating it will be released in the next month or so. |
|
My pipeline agents just updated to version 3.238.0, which incorporates the fix for this bug. I was able to successfully run pipelines using certificate authentication with Powershell 7.4, so I believe this issue is resolved. If your pipelines are still encountering this issue, make sure they're updated to the latest version. |
Required Information
Entering this information will route you directly to the right team and expedite traction.
Question, Bug, or Feature?
Type: Bug
Enter Task Name:
Any that take an AzureServiceConnection argument
Environment
Account Name: transcardscm
Team Project Name: AccessControl
Build Definition Name/Build number: AccessControl Site - UAT - Release, build number 20221216.15
- If using private agent, provide the OS of the machine running the agent and the agent version:
OS: Windows Server 2016 Datacenter, version 1607, build 14393.5582
Agent Version: 2.213.2
Issue Description
I am using a privately-hosted agent and an Azure Service Connection configured with certificate authentication. When it attempts to execute a pipeline that authenticates to Azure using this service connection, it fails with this error:
These pipelines and Service Connections work flawlessly on Microsoft-hosted agents.
Examining the private build agent with Procmon shows that openssl is handling the supplied password file path incorrectly, treating it as a relative file name rather than an absolute path.
In the task scripting, the password file path appears to be surrounded in quotes by line 257 in the Utility.ps1 file. Removing those quote marks allows the task to successfully read the password file and certificate, and to successfully authenticate.
Although removing the quotes does potentially allow spaces in the file path to break the command, the other paths supplied to the same command are in the same directory and are not quoted either, so this seems unlikely to cause any new issues.
Is there a known configuration change I can make to my private agent host so that openssl will process the
$pfxPasswordFilePathproperly, the way it does on the Microsoft-hosted agents? Or should I open a PR to remove the quotes from that argument in Utility.ps1?Task logs
PrivateHost_FailedAuth_Cert.zip
Error logs
The text was updated successfully, but these errors were encountered: