Failed clone git repo after changing TFS SSL certificates that were generated by openSSL

-1

Our TFS server was originally set up with self-signed certs to use HTTPS, and at first we only set up a Windows agent server for TFS to run CI; all worked well.

Recently our team planned to add a Linux agent to TFS to run CI on a Linux agent server, but it failed. After some research, we found it was caused by the self-signed certs, and planned to replace them. However, after we replaced the certs, we were unable to clone the repo in VS and also could not run CI on the Windows agent machine.

Our steps for replacing the certs were:

  1. Generate the root CA with openssl, then generate the server cert based on the root CA.
  2. On the TFS Windows agent server, remove the agent.
  3. On the TFS server, install the root CA cert and server cert.
  4. On the TFS server, open IIS, import the server cert, and in the binding settings of the TFS web site, replace the self-signed cert for https with the new server cert.
  5. Try to access the web site by https; we can confirm it uses the new cert.
  6. On the Windows agent server, install the root CA cert and server cert.
  7. On the Windows agent server, configure the agent with config.cmd --gituseschannel; the agent version is 2.134.0, the authentication type is PAT or Negotiate.
  8. Try to run the CI test; it fails in the step "Get Sources", with errors like:
2019-02-12T06:42:42.8065249Z ##[section]Starting: Get Sources
2019-02-12T06:42:42.8723145Z Syncing repository: Wpf_Test123 (TfsGit)
2019-02-12T06:42:42.8889419Z Prepending Path environment variable with directory containing 'git.exe'.
2019-02-12T06:42:42.9054694Z ##[command]git version
2019-02-12T06:42:43.0987464Z git version 2.14.3.windows.1
2019-02-12T06:42:43.1221489Z ##[command]git init "C:\vsts-agent-win-x64-2.134.0_work\1\s"
2019-02-12T06:42:43.3212108Z Initialized empty Git repository in C:/vsts-agent-win-x64-2.134.0/_work/1/s/.git/
2019-02-12T06:42:43.3335023Z ##[command]git remote add origin https://***/DefaultCollection/_git/Wpf_Test123
2019-02-12T06:42:43.4327285Z ##[command]git config gc.auto 0
2019-02-12T06:42:43.5076750Z ##[command]git config --get-all http.https://devtfs.cmit.local/DefaultCollection/_git/Wpf_Test123.extraheader
2019-02-12T06:42:43.5797842Z ##[command]git config --get-all http.proxy
2019-02-12T06:42:43.6661206Z ##[command]git -c http.extraheader="AUTHORIZATION: bearer ***" -c http.sslbackend="schannel" fetch --tags --prune --progress --no-recurse-submodules origin
2019-02-12T06:42:43.9878987Z fatal: unable to access 'https://***/DefaultCollection/_git/Wpf_Test123/': schannel: next InitializeSecurityContext failed: Unknown error (0x80092012) - 吊销功能无法检查证书是否吊销。
2019-02-12T06:42:44.0309325Z ##[error]Git fetch failed with exit code: 128
2019-02-12T06:42:44.0356930Z ##[section]Finishing: Get Sources

In Visual Studio, trying to clone the repo gives similar errors:

Error encountered while cloning the remote repository: Git failed with a fatal error.
unable to access 'https://***/DefaultCollection/Banyan/_git/ControlCenterHome/': schannel: CertGetCertificateChain trust error CERT_TRUST_IS_PARTIAL_CHAIN

We found a similar issue reported on GitHub for GitHub Desktop: https://github.com/desktop/desktop/issues/4821

Following this thread https://github.com/desktop/desktop/issues/4817, we tried deleting

[http]
sslCAinfo = /ssl/certs/ca-bundle.crt

from the config file, but the issue persists.

The result of running git config -l --show-origin is:

file:"C:\ProgramData/Git/config" core.symlinks=false
file:"C:\ProgramData/Git/config" core.autocrlf=true
file:"C:\ProgramData/Git/config" core.fscache=true
file:"C:\ProgramData/Git/config" color.diff=auto
file:"C:\ProgramData/Git/config" color.status=auto
file:"C:\ProgramData/Git/config" color.branch=auto
file:"C:\ProgramData/Git/config" color.interactive=true
file:"C:\ProgramData/Git/config" help.format=html
file:"C:\ProgramData/Git/config" rebase.autosquash=true
file:"C:\vsts-agent-win-x64-2.134.0\externals\git\mingw64/etc/gitconfig" core.symlinks=false
file:"C:\vsts-agent-win-x64-2.134.0\externals\git\mingw64/etc/gitconfig" core.autocrlf=true
file:"C:\vsts-agent-win-x64-2.134.0\externals\git\mingw64/etc/gitconfig" color.diff=auto
file:"C:\vsts-agent-win-x64-2.134.0\externals\git\mingw64/etc/gitconfig" color.status=auto
file:"C:\vsts-agent-win-x64-2.134.0\externals\git\mingw64/etc/gitconfig" color.branch=auto
file:"C:\vsts-agent-win-x64-2.134.0\externals\git\mingw64/etc/gitconfig" color.interactive=true
file:"C:\vsts-agent-win-x64-2.134.0\externals\git\mingw64/etc/gitconfig" pack.packsizelimit=2g
file:"C:\vsts-agent-win-x64-2.134.0\externals\git\mingw64/etc/gitconfig" help.format=html
file:"C:\vsts-agent-win-x64-2.134.0\externals\git\mingw64/etc/gitconfig" diff.astextplain.textconv=astextplain
file:"C:\vsts-agent-win-x64-2.134.0\externals\git\mingw64/etc/gitconfig" rebase.autosquash=true
file:C:/Users/Administrator/.gitconfig http.sslbackend=schannel

Our TFS environment is:

  • TFS 2018 Update 1
  • TFS agent version is 2.134.0; Git version 2.14.3.windows.1
  • Authentication type is PAT or Negotiate.

The question is:

We can add sslVerify = false to gitconfig as a workaround, but that does not meet our requirement. We need the SSL certificate to work with TFS.

We are trying to resolve the error shown in VS: Error encountered while cloning the remote repository: Git failed with a fatal error. unable to access 'https://***/DefaultCollection/Banyan/_git/ControlCenterHome/': schannel: CertGetCertificateChain trust error CERT_TRUST_IS_PARTIAL_CHAIN

UPDATE

We did that; here is brief info:

  1. On Linux, use openssl to create the root CA:

openssl genrsa -out ca.key 2048
openssl req -new -out ca.csr -key ca.key -keyform PEM   # Common Name is not the same as the server cert's
openssl x509 -req -in ca.csr -out ca.crt -signkey ca.key -CAcreateserial -days 3650
openssl pkcs12 -export -clcerts -in ca.crt -inkey ca.key -out ca-dev.p12

  2. Based on the above root CA, use openssl to create the server cert (similar steps, but use the server FQDN as the Common Name).
  3. On the TFS server: install ca.crt, selecting "Trusted Root Certification Authorities" as the store location. Then install server.crt with the default location (which ends up under "Intermediate Certification Authorities").
  4. On the TFS Windows agent server, similar steps to #3, but when configuring the TFS agent with "config.cmd --gituseschannel", it fails to connect to the TFS server over https; I fixed it by installing server.crt again but changing the store location to "Trusted Root Certification Authorities".

Tags: git, tfs, openssl
asked on Stack Overflow Feb 14, 2019 by K.Chen • edited Feb 15, 2019 by K.Chen

1 Answer

0

CERT_TRUST_IS_PARTIAL_CHAIN hints that you are missing the root or some intermediate cert of the chain. In step 3 you say

On TFS server, install the root CA cert and server cert.

This is correct, but you need to install the root CA on all clients.

answered on Stack Overflow Feb 14, 2019 by Giulio Vian
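The CA and server-cert generation described in the question's UPDATE, together with the chain check behind the answer's point, as an added example (not the poster's commands, not TFS's or Git's code): it assumes the openssl CLI 1.1.1 or newer, uses the hostname devtfs.cmit.local from the question's log, and all directory and file names are placeholders. The same server certificate verifies once the root CA is in the trust store and fails with a missing-issuer error when it is not, which is the partial-chain situation the answer describes.

```shell
#!/bin/sh
# Added example, not the question's own commands: build a root CA and a
# CA-signed server cert with OpenSSL, then check the chain as a client would.
# Assumes the openssl CLI (1.1.1 or newer); the hostname devtfs.cmit.local is
# taken from the question's log and all file names are placeholders.
set -eu

# make_chain DIR HOST: write ca.key/ca.crt and server.key/server.crt into DIR.
make_chain() {
  dir=$1; host=$2
  mkdir -p "$dir"
  # Minimal req config so the run does not depend on the system openssl.cnf.
  printf '[req]\ndistinguished_name=dn\nx509_extensions=ca_ext\n[dn]\n[ca_ext]\nbasicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\nsubjectKeyIdentifier=hash\n' > "$dir/req.cnf"
  # Root CA: self-signed and flagged CA:TRUE; this is the one cert that has
  # to sit in "Trusted Root Certification Authorities" on every client.
  openssl req -x509 -config "$dir/req.cnf" -subj "/CN=Dev Root CA" \
    -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
  # Server cert: a CSR signed with the CA key (not -signkey, which would make
  # it self-signed and unrelated to the CA), with a SAN for the URL hostname.
  openssl req -new -config "$dir/req.cnf" -subj "/CN=$host" \
    -newkey rsa:2048 -nodes -sha256 \
    -keyout "$dir/server.key" -out "$dir/server.csr" 2>/dev/null
  printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\nbasicConstraints=CA:FALSE\nauthorityKeyIdentifier=keyid,issuer\n' "$host" > "$dir/server.ext"
  openssl x509 -req -in "$dir/server.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
    -CAcreateserial -days 825 -sha256 -extfile "$dir/server.ext" \
    -out "$dir/server.crt" 2>/dev/null
}

# chain_ok DIR: succeeds when server.crt chains to ca.crt, i.e. what a client
# with the root CA installed sees.
chain_ok() {
  openssl verify -CAfile "$1/ca.crt" "$1/server.crt" >/dev/null 2>&1
}

# chain_without_ca DIR: print the verify error seen when the root CA is
# withheld from the trust store; this is the partial-chain case from the
# question (the server cert is fine, the client just has no anchor for it).
chain_without_ca() {
  openssl verify -no-CAfile -no-CApath "$1/server.crt" 2>&1 || true
}

# issuer_is_ca DIR: the server cert's issuer DN must equal the CA's subject DN.
issuer_is_ca() {
  iss=$(openssl x509 -noout -issuer -in "$1/server.crt" | sed 's/^issuer= *//')
  sub=$(openssl x509 -noout -subject -in "$1/ca.crt" | sed 's/^subject= *//')
  [ "$iss" = "$sub" ]
}
```

In the question's setup, ca.crt is the file that belongs in Trusted Root Certification Authorities on the TFS server and on every agent and developer machine; server.crt with server.key is what IIS binds, and it does not need to be in the root store once the CA is.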

User contributions licensed under CC BY-SA 3.0