Unable to download secure files from azure devops

iiSiggi
December 30, 2022
50 views
4 votes
4 Answers

Good morning,
I have problems checking out a secure file during the build process in azure devops 2019. My task is defined as:

- task: DownloadSecureFile@1
  inputs:
    secureFile: 'oimPictureEditor_test'
  displayName: 'download configuration'

but it fails with:

2022-12-30T10:10:27.9053899Z ##[section]Starten: download configuration
2022-12-30T10:10:28.0009766Z ==============================================================================
2022-12-30T10:10:28.0010142Z Task         : Sichere Datei herunterladen
2022-12-30T10:10:28.0010245Z Description  : Hiermit wird eine sichere Datei an einen temporären Speicherort auf dem Agent-Computer heruntergeladen.
2022-12-30T10:10:28.0010357Z Version      : 1.151.2
2022-12-30T10:10:28.0010489Z Author       : Microsoft Corporation
2022-12-30T10:10:28.0010653Z Help         : https://docs.microsoft.com/azure/devops/pipelines/tasks/utility/download-secure-file
2022-12-30T10:10:28.0010783Z ==============================================================================
2022-12-30T10:10:28.5506559Z ##[error]Error: unable to get local issuer certificate
2022-12-30T10:10:28.5593478Z ##[section]Abschließen: download configuration

does anyone has any idea how to fix this?

thx in advance
iisiggi

Answers

Chosen as BEST ANSWER
- iiSiggi
- December 30, 2022 at 4:20 pm
- 0 votes
0
I put the content of my secret file into a secret variable. That worked for me, but is for sure no general solution.

(Edit)

- RajeshM
- December 30, 2022 at 12:24 pm
- 0 votes
0
Place your secure files on Azure Pipeline and download it.

*Here are the steps:
1. Upload the secure file in Library on Pipeline
2. Download the files in the agent machine with using DownloadSecureFile@1 task
Download the secure files

use the download task DownloadSecureFIle@1 task like below.
```
- task: DownloadSEcureFile@1  
  name: <nameof the Task>  
  inputs:  
    secureFile: <secure file Name>
```
The secure file is downloaded to $(Agent.TempDirectory). you can check the path with using the prepared variable such as $(<task name>.secureFIlePath)

Reference taken from MSDoc.
Login or Signup to reply.

This is a known issue for Azure DevOps Server, and you can try the way below to resolve the issue.

  steps:
  . . .

  - task: PowerShell@2
    displayName: 'Set CA Cert'
    inputs:
      targetType: inline
      script: |
        if ($env:AGENT_HOMEDIRECTORY -ne $null) { $TargetFolder = $env:AGENT_HOMEDIRECTORY }
        else { $TargetFolder = [System.Environment]::GetEnvironmentVariable('TEMP','Machine') }
        Get-ChildItem -Path Cert:LocalMachineCA | ForEach-Object {
          $Cert = "-----BEGIN CERTIFICATE-----`n"
          $Cert+= $([System.Convert]::ToBase64String($_.export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert),'InsertLineBreaks'))
          $Cert+= "`n-----END CERTIFICATE-----`n"
          $Chain+= $Cert
        }
        $CertFile = "$TargetFolderTrustedRootCAs.pem"
        $Chain | Out-File $CertFile -Force -Encoding ASCII
        $Chain = $null
        Write-Host "##vso[task.setvariable variable=NODE.EXTRA.CA.CERTS]$CertFile"

  - task: DownloadSecureFile@1
    displayName: 'download configuration'
    inputs:
      secureFile: 'oimPictureEditor_test'

  . . .

The step ‘Set CA Cert‘ will try to get the CA certificate and set it as the variable "NODE.EXTRA.CA.CERTS" for use.

For more details about this issue and the solution, you can reference the following tickets:

- Hurry
- April 25, 2023 at 5:11 pm
- 0 votes
0
I set NODE_EXTRA_CA_CERTS as system variable manually, than restarted the agent service. That worked for me.

Login or Signup to reply.

Please signup or login to give your own answer.

Click here to cancel reply.