TFS build agent: unable to get local issuer certificate

fatal: unable to access 'https://xxxx.xxx/tfs/collection/_git/project/': SSL certificate problem: unable to get local issuer certificate
Git fetch failed with exit code: 128

When using TFS on-premise build agent, you can get the above error when you use an internal CA or self-signed certificate for your TFS installation.

The reason for this error is around what Git will trust as certificate authorities.  On Windows, Git will use a bundled certificate authority file, and not the operating systems' own trusted certificate store.  You can normally fix this with:

git config --system http.sslbackend schannel

This switches git to use the Windows "schannel" system.  Unfortunately, this doesn't work with TFS/VSTS agents.  This short coming has now been dealt with, but you cannot configure it in the standard way.  Instead you have to do set the agent to use schannel at time of registration:

.\config.cmd --gituseschannel

If you've already got an agent deployed, you will need to remove it first with:

.\config.cmd remove