TFS build agent: unable to get local issuer certificate
fatal: unable to access 'https://xxxx.xxx/tfs/collection/_git/project/': SSL certificate problem: unable to get local issuer certificate Git fetch failed with exit code: 128
When using TFS on-premise build agent, you can get the above error when you use an internal CA or self-signed certificate for your TFS installation.
The reason for this error is around what Git will trust as certificate authorities. On Windows, Git will use a bundled certificate authority file, and not the operating systems' own trusted certificate store. You can normally fix this with:
git config --system http.sslbackend schannel
This switches git to use the Windows "schannel" system. Unfortunately, this doesn't work with TFS/VSTS agents. This short coming has now been dealt with, but you cannot configure it in the standard way. Instead you have to do set the agent to use schannel at time of registration:
.\config.cmd --gituseschannel
If you've already got an agent deployed, you will need to remove it first with:
.\config.cmd remove