Today my certificate expired on one of my SSL TF servers. I decided to become my own certificate authority, so I went through the process of installing the certificate authority, creating a request from IIS on the TF server, etc. I put the cert on all the web sites, set up SSRS and WSS alternate access mappings, ran the command line tools, etc., on the server. I installed the cert & CA cert on my client, cleaned the cache and then tried to connect – only reports and documents worked. WIT, Build, and SCC were all RED-Xed. Looking in the event log on the AT, I found the error below. I searched around the web a lot on it and found a bunch of stuff, but nothing that was specific to me. I finally figured out that I had not installed the certificate for my newly created certification authority into the “Trusted Root Certification Authorities” store on the TFS AT. Once I did that, the issue was resolved.
Hope this helps.
--Trev
Log Name: Application
Source: TFS Build
Date: 5/26/2010 4:48:31 PM
Event ID: 3028
Task Category: None
Level: Error
Keywords: Classic
User: N/A
Computer: <MY TF SERVER>
Description: TF53010: The following error has occurred in a Team Foundation component or extension:
Date (UTC): 5/26/2010 8:48:31 PM
Machine: <MY TF SERVER>
Application Domain: /LM/W3SVC/441732147/ROOT/Build-6-129193805111113110
Assembly: Microsoft.TeamFoundation.Common, Version=9.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a; v2.0.50727
Process Details: Process Name: w3wp Process Id: 4112 Thread Id: 908 Account name: <TFS SERVICE ACCOUNT>
Detailed Message: TF53002: Unable to obtain registration data for application VersionControl.
Web Request Details
Url: https://<MY TF SERVER>:8081/Build/v2.0/BuildService.asmx [method: POST]
User Agent: Team Foundation (devenv.exe, 9.0.30729.1)
Headers: Content-Length=411&Content-Type=application%2fsoap%2bxml%3b+charset%3dutf-8&Accept-Encoding=gzip&Accept-Language=en-US&Expect=100-continue&Host=<MY TF SERVER>%3a8081&User-Agent=Team+Foundation+(devenv.exe%2c+9.0.30729.1)&X-TFS-Version=1.0.0.0&X-TFS-Session=a02a2033-5d33-473b-9776-f3ead413859d&TF-Instance=a02a2033-5d33-473b-9776-f3ead413859d
Path: /Build/v2.0/BuildService.asmx
Local Request: True
Host Address: fe80::310e:3ac1:fdec:fed5%11
User: <MY DOMAIN\ME>[authentication type: NTLM]
Exception Message: The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel. (type WebException)
Exception Stack Trace: at System.Web.Services.Protocols.WebClientProtocol.GetWebResponse(WebRequest request) at System.Web.Services.Protocols.HttpWebClientProtocol.GetWebResponse(WebRequest request) at Microsoft.TeamFoundation.Client.TeamFoundationSoapProxy.GetWebResponse(WebRequest request) at System.Web.Services.Protocols.SoapHttpClientProtocol.Invoke(String methodName, Object[] parameters) at Microsoft.TeamFoundation.Proxy.BisRegistrationServiceProxyWsdl.GetRegistrationEntries(String toolId) at Microsoft.TeamFoundation.Proxy.BisRegistrationProxy.GetRegistrationEntries(String toolId) at Microsoft.TeamFoundation.Proxy.BisRegistrationService.RefreshMemoryCache() at Microsoft.TeamFoundation.Proxy.BisRegistrationService.RefreshCachesIfNeeded(Boolean direct) at Microsoft.TeamFoundation.Proxy.BisRegistrationService.GetRegistrationEntries(String toolId) at Microsoft.TeamFoundation.Server.TeamFoundationApplication.GetRegistrationEntry(String toolName) at Microsoft.TeamFoundation.Server.TeamFoundationApplication.GetDatabaseConnectionString(String toolName, String dbName)
Inner Exception Details:
Exception Message: The remote certificate is invalid according to the validation procedure. (type AuthenticationException)
Exception Stack Trace: at System.Net.Security.SslState.StartSendAuthResetSignal(ProtocolToken message, AsyncProtocolRequest asyncRequest, Exception exception) at System.Net.Security.SslState.CheckCompletionBeforeNextReceive(ProtocolToken message, AsyncProtocolRequest asyncRequest) at System.Net.Security.SslState.StartSendBlob(Byte[] incoming, Int32 count, AsyncProtocolRequest asyncRequest) at System.Net.Security.SslState.ProcessReceivedBlob(Byte[] buffer, Int32 count, AsyncProtocolRequest asyncRequest) at System.Net.Security.SslState.StartReadFrame(Byte[] buffer, Int32 readBytes, AsyncProtocolRequest asyncRequest) at System.Net.Security.SslState.StartReceiveBlob(Byte[] buffer, AsyncProtocolRequest asyncRequest) at System.Net.Security.SslState.CheckCompletionBeforeNextReceive(ProtocolToken message, AsyncProtocolRequest asyncRequest) at System.Net.Security.SslState.StartSendBlob(Byte[] incoming, Int32 count, AsyncProtocolRequest asyncRequest) at System.Net.Security.SslState.ProcessReceivedBlob(Byte[] buffer, Int32 count, AsyncProtocolRequest asyncRequest) at System.Net.Security.SslState.StartReadFrame(Byte[] buffer, Int32 readBytes, AsyncProtocolRequest asyncRequest) at System.Net.Security.SslState.StartReceiveBlob(Byte[] buffer, AsyncProtocolRequest asyncRequest) at System.Net.Security.SslState.CheckCompletionBeforeNextReceive(ProtocolToken message, AsyncProtocolRequest asyncRequest) at System.Net.Security.SslState.StartSendBlob(Byte[] incoming, Int32 count, AsyncProtocolRequest asyncRequest) at System.Net.Security.SslState.ProcessReceivedBlob(Byte[] buffer, Int32 count, AsyncProtocolRequest asyncRequest) at System.Net.Security.SslState.StartReadFrame(Byte[] buffer, Int32 readBytes, AsyncProtocolRequest asyncRequest) at System.Net.Security.SslState.StartReceiveBlob(Byte[] buffer, AsyncProtocolRequest asyncRequest) at System.Net.Security.SslState.CheckCompletionBeforeNextReceive(ProtocolToken message, AsyncProtocolRequest asyncRequest) at 
System.Net.Security.SslState.StartSendBlob(Byte[] incoming, Int32 count, AsyncProtocolRequest asyncRequest) at System.Net.Security.SslState.ForceAuthentication(Boolean receiveFirst, Byte[] buffer, AsyncProtocolRequest asyncRequest) at System.Net.Security.SslState.ProcessAuthentication(LazyAsyncResult lazyResult) at System.Net.TlsStream.CallProcessAuthentication(Object state) at System.Threading.ExecutionContext.runTryCode(Object userData) at System.Runtime.CompilerServices.RuntimeHelpers.ExecuteCodeWithGuaranteedCleanup(TryCode code, CleanupCode backoutCode, Object userData) at System.Threading.ExecutionContext.RunInternal(ExecutionContext executionContext, ContextCallback callback, Object state) at System.Threading.ExecutionContext.Run(ExecutionContext executionContext, ContextCallback callback, Object state) at System.Net.TlsStream.ProcessAuthentication(LazyAsyncResult result) at System.Net.TlsStream.Write(Byte[] buffer, Int32 offset, Int32 size) at System.Net.PooledStream.Write(Byte[] buffer, Int32 offset, Int32 size) at System.Net.ConnectStream.WriteHeaders(Boolean async)
Event Xml: <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"> <System> <Provider Name="TFS Build" /> <EventID Qualifiers="0">3028</EventID> <Level>2</Level> <Task>0</Task> <Keywords>0x80000000000000</Keywords> <TimeCreated SystemTime="2010-05-26T20:48:31.000Z" /> <EventRecordID>52122</EventRecordID> <Channel>Application</Channel> <Computer><MY TF SERVER></Computer> <Security /> </System> <EventData> <Data>TF53010: The following error has occurred in a Team Foundation component or extension: Date (UTC): 5/26/2010 8:48:31 PM Machine: <MY TF SERVER> Application Domain: /LM/W3SVC/441732147/ROOT/Build-6-129193805111113110 Assembly: Microsoft.TeamFoundation.Common, Version=9.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a; v2.0.50727 Process Details: Process Name: w3wp Process Id: 4112 Thread Id: 908 Account name: <TFS SERVICE ACCOUNT>
Detailed Message: TF53002: Unable to obtain registration data for application VersionControl. Web Request Details Url: https://<MY TF SERVER>:8081/Build/v2.0/BuildService.asmx [method: POST] User Agent: Team Foundation (devenv.exe, 9.0.30729.1) Headers: Content-Length=411&Content-Type=application%2fsoap%2bxml%3b+charset%3dutf-8&Accept-Encoding=gzip&Accept-Language=en-US&Expect=100-continue&Host=<MY TF SERVER>%3a8081&User-Agent=Team+Foundation+(devenv.exe%2c+9.0.30729.1)&X-TFS-Version=1.0.0.0&X-TFS-Session=a02a2033-5d33-473b-9776-f3ead413859d&TF-Instance=a02a2033-5d33-473b-9776-f3ead413859d Path: /Build/v2.0/BuildService.asmx Local Request: True Host Address: fe80::310e:3ac1:fdec:fed5%11 User: <MY DOMAIN\ME>[authentication type: NTLM]
</Data> </EventData> </Event>
A reader asks: "Trevor, I am in the same situation in that I want a free SSL certificate. I managed to install the certificate, but when I navigate to Web Access I get a certificate error. I read on your blog that you have to install the certificate for my newly created certification authority into the “Trusted Root Certification Authorities”. Where can I find or create the certificate for my newly created certification authority?"
My Certification Authority is installed on a WS08R2 machine named "TREVISOR-01" (it's a Hypervisor machine... bet you guessed that <g>). I can export the root certification authority certificate from that machine by doing this:
1. Log into the machine as an admin
2. Open an elevated command prompt
3. Execute these commands to export the root certification authority certificate to your desktop in a .cer file (changing the file name as appropriate, of course):
CD %userprofile%\desktop
certutil -ca.cert TREVISOR-01.cer
If you're going to be using this cert a lot, you may want to put it in a share somewhere too (securing the share as appropriate) so other users can access it.
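The script below is an added example, not part of the original post: it chains the export command above with the two things the post says were missing on the AT, namely importing the CA certificate into the machine-wide Trusted Root store (the w3wp process runs as the TFS service account and never sees the interactive user's CurrentUser\Root store) and a check that the AT now builds a trusted chain for the certificate its own HTTPS endpoint presents. The host name tfs.example.local and the file name are placeholders; the 8081 port comes from the event log above. Step 1 runs elevated on the CA host, steps 2 and 3 elevated on the TFS AT.

```powershell
# Added example (not the post's own script). Placeholders: $TfsHost, $CerPath.
$CerPath = "$env:USERPROFILE\Desktop\TREVISOR-01.cer"   # file name from the post
$TfsHost = "tfs.example.local"                          # placeholder for <MY TF SERVER>
$TfsPort = 8081                                          # Build service port seen in the event log

# 1. On the CA machine: dump the CA's own certificate (the same certutil command the post uses).
certutil -ca.cert $CerPath | Out-Null
if ($LASTEXITCODE -ne 0) { throw "certutil -ca.cert failed" }

# 2. On the TFS AT: import into the LocalMachine Trusted Root store ("Root"), not the
#    current user's store, so the TFS service account trusts the issuer too.
certutil -addstore -f Root $CerPath | Out-Null
if ($LASTEXITCODE -ne 0) { throw "certutil -addstore failed" }

# 3. Fetch the certificate the TFS endpoint presents and build a chain against the
#    machine stores, which is what .NET's default validation does for the w3wp request.
function Test-TfsChain {
    param([string]$HostName, [int]$Port)
    $client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        # The callback accepts the handshake only so the leaf cert can be inspected below;
        # it is scoped to this diagnostic stream, not to the process-wide ServicePointManager.
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false,
                 { param($s, $cert, $chain, $errors) $true })
        $ssl.AuthenticateAsClient($HostName)
        $remote = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally { $client.Close() }

    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'   # isolate the trust question from CRL reachability
    $ok = $chain.Build($remote)
    [pscustomobject]@{
        Subject     = $remote.Subject
        Issuer      = $remote.Issuer
        Trusted     = $ok
        ChainStatus = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','
    }
}

Test-TfsChain -HostName $TfsHost -Port $TfsPort
```

Run the check before and after step 2: while the CA certificate is missing from the machine Root store, ChainStatus reports UntrustedRoot, which is the "remote certificate is invalid according to the validation procedure" inner exception in the event log; once the import is in place, Trusted comes back True and the WIT, Build and SCC calls from the AT to itself can complete the TLS handshake. Keep RevocationMode at its default (Online) in a second run if you also publish a CRL, since a CRL the AT cannot reach produces a different, RevocationStatusUnknown failure.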