Fix for certificate issue (#7638)

* Fix for certificate issue * Added localized string in Azure RG task * Improved error message
microsoft · Jul 6, 2018 · b5a292b · b5a292b
1 parent b7244f9
commit b5a292b
Show file tree

Hide file tree

Showing 8 changed files with 31 additions and 14 deletions.
diff --git a/Tasks/AzureAppServiceManageV0/task.json b/Tasks/AzureAppServiceManageV0/task.json
@@ -18,7 +18,7 @@
     "version": {
         "Major": 0,
         "Minor": 2,
-        "Patch": 35
+        "Patch": 36
     },
     "minimumAgentVersion": "1.102.0",
     "instanceNameFormat": "$(Action): $(WebAppName)",

diff --git a/Tasks/AzureAppServiceManageV0/task.loc.json b/Tasks/AzureAppServiceManageV0/task.loc.json
@@ -18,7 +18,7 @@
   "version": {
     "Major": 0,
     "Minor": 2,
-    "Patch": 35
+    "Patch": 36
   },
   "minimumAgentVersion": "1.102.0",
   "instanceNameFormat": "ms-resource:loc.instanceNameFormat",

diff --git a/Tasks/AzureResourceGroupDeploymentV2/Strings/resources.resjson/en-US/resources.resjson b/Tasks/AzureResourceGroupDeploymentV2/Strings/resources.resjson/en-US/resources.resjson
@@ -178,5 +178,6 @@
   "loc.messages.CouldNotFetchAccessTokenforAzureStatusCode": "Could not fetch access token for Azure. Status code: %s, status message: %s",
   "loc.messages.CouldNotFetchAccessTokenforMSIDueToMSINotConfiguredProperlyStatusCode": "Could not fetch access token for Managed Service Principal. Please configure Managed Service Identity (MSI) for virtual machine 'https://aka.ms/azure-msi-docs'. Status code: %s, status message: %s",
   "loc.messages.CouldNotFetchAccessTokenforMSIStatusCode": "Could not fetch access token for Managed Service Principal. Status code: %s, status message: %s",
-  "loc.messages.UserNameCannotBeNull": "If the 'Run agent service as a user' input is selected, then 'User name' cannot be null."
+  "loc.messages.UserNameCannotBeNull": "If the 'Run agent service as a user' input is selected, then 'User name' cannot be null.",
+  "loc.messages.ASE_SSLIssueRecommendation": "To use a certificate, the certificate must be signed by a trusted certificate authority. If getting certificate validation errors, you're probably using a self-signed certificate and to resolve them you need to set a variable named VSTS_ARM_REST_IGNORE_SSL_ERRORS to the value true in the build or release definition."
 }
diff --git a/Tasks/AzureResourceGroupDeploymentV2/task.json b/Tasks/AzureResourceGroupDeploymentV2/task.json
@@ -14,7 +14,7 @@
     "version": {
         "Major": 2,
         "Minor": 137,
-        "Patch": 0
+        "Patch": 1
     },
     "demands": [],
     "minimumAgentVersion": "2.119.1",
@@ -452,6 +452,7 @@
         "CouldNotFetchAccessTokenforAzureStatusCode": "Could not fetch access token for Azure. Status code: %s, status message: %s",
         "CouldNotFetchAccessTokenforMSIDueToMSINotConfiguredProperlyStatusCode": "Could not fetch access token for Managed Service Principal. Please configure Managed Service Identity (MSI) for virtual machine 'https://aka.ms/azure-msi-docs'. Status code: %s, status message: %s",
         "CouldNotFetchAccessTokenforMSIStatusCode": "Could not fetch access token for Managed Service Principal. Status code: %s, status message: %s",
-        "UserNameCannotBeNull": "If the 'Run agent service as a user' input is selected, then 'User name' cannot be null."
+        "UserNameCannotBeNull": "If the 'Run agent service as a user' input is selected, then 'User name' cannot be null.",
+        "ASE_SSLIssueRecommendation": "To use a certificate, the certificate must be signed by a trusted certificate authority. If getting certificate validation errors, you're probably using a self-signed certificate and to resolve them you need to set a variable named VSTS_ARM_REST_IGNORE_SSL_ERRORS to the value true in the build or release definition."
     }
 }
diff --git a/Tasks/AzureResourceGroupDeploymentV2/task.loc.json b/Tasks/AzureResourceGroupDeploymentV2/task.loc.json
@@ -14,7 +14,7 @@
   "version": {
     "Major": 2,
     "Minor": 137,
-    "Patch": 0
+    "Patch": 1
   },
   "demands": [],
   "minimumAgentVersion": "2.119.1",
@@ -452,6 +452,7 @@
     "CouldNotFetchAccessTokenforAzureStatusCode": "ms-resource:loc.messages.CouldNotFetchAccessTokenforAzureStatusCode",
     "CouldNotFetchAccessTokenforMSIDueToMSINotConfiguredProperlyStatusCode": "ms-resource:loc.messages.CouldNotFetchAccessTokenforMSIDueToMSINotConfiguredProperlyStatusCode",
     "CouldNotFetchAccessTokenforMSIStatusCode": "ms-resource:loc.messages.CouldNotFetchAccessTokenforMSIStatusCode",
-    "UserNameCannotBeNull": "ms-resource:loc.messages.UserNameCannotBeNull"
+    "UserNameCannotBeNull": "ms-resource:loc.messages.UserNameCannotBeNull",
+    "ASE_SSLIssueRecommendation": "ms-resource:loc.messages.ASE_SSLIssueRecommendation"
   }
 }
diff --git a/Tasks/AzureRmWebAppDeploymentV4/task.json b/Tasks/AzureRmWebAppDeploymentV4/task.json
@@ -18,7 +18,7 @@
     "version": {
         "Major": 4,
         "Minor": 2,
-        "Patch": 1
+        "Patch": 2
     },
     "releaseNotes": "What's new in version 4.* (preview)<br />Supports Kudu Zip Deploy<br />Supports App Service Environments<br />Improved UI for discovering different App service types supported by the task<br/>Click [here](https://aka.ms/azurermwebdeployreadme) for more Information.",
     "minimumAgentVersion": "2.104.1",

diff --git a/Tasks/AzureRmWebAppDeploymentV4/task.loc.json b/Tasks/AzureRmWebAppDeploymentV4/task.loc.json
@@ -18,7 +18,7 @@
   "version": {
     "Major": 4,
     "Minor": 2,
-    "Patch": 1
+    "Patch": 2
   },
   "releaseNotes": "ms-resource:loc.releaseNotes",
   "minimumAgentVersion": "2.104.1",

diff --git a/Tasks/Common/azure-arm-rest/AzureServiceClient.ts b/Tasks/Common/azure-arm-rest/AzureServiceClient.ts
@@ -122,12 +122,26 @@ export class ServiceClient {
         }
         request.headers['Content-Type'] = 'application/json; charset=utf-8';
 
-        var httpResponse = await webClient.sendRequest(request);
-        if (httpResponse.statusCode === 401 && httpResponse.body && httpResponse.body.error && httpResponse.body.error.code === "ExpiredAuthenticationToken") {
-            // The access token might have expire. Re-issue the request after refreshing the token.
-            token = await this.credentials.getToken(true);
-            request.headers["Authorization"] = "Bearer " + token;
+        var httpResponse = null;
+
+        try
+        {
             httpResponse = await webClient.sendRequest(request);
+            if (httpResponse.statusCode === 401 && httpResponse.body && httpResponse.body.error && httpResponse.body.error.code === "ExpiredAuthenticationToken") {
+                // The access token might have expire. Re-issue the request after refreshing the token.
+                token = await this.credentials.getToken(true);
+                request.headers["Authorization"] = "Bearer " + token;
+                httpResponse = await webClient.sendRequest(request);
+            }
+        } catch(exception) {
+            let exceptionString: string = exception.toString();
+            if(exceptionString.indexOf("Hostname/IP doesn't match certificates's altnames") != -1
+                || exceptionString.indexOf("unable to verify the first certificate") != -1
+                || exceptionString.indexOf("unable to get local issuer certificate") != -1) {
+                    tl.warning(tl.loc('ASE_SSLIssueRecommendation'));
+            } 
+
+            throw exception;
         }
 
         return httpResponse;