Skip to end of metadata
Go to start of metadata

On this page:

This document describes how to configure various TeamCity server clients to use HTTPS for communicating with the server. The JVM configuration instructions can also be used to configure TeamCity server JVM to connect to other HTTPS/SSL services.

We assume that you have already configured HTTPS in your TeamCity web server. The most common approach for this is to set up a middle proxying server like Nginx or Apache that will handle HTTPS but will use Tomcat to handle the requests. In the setup please make sure that the middle server/proxy has correct URL rewriting configuration, see also Set Up TeamCity behind a Proxy Server section.
For small servers you can also set up HTTPS by the internal Tomcat means.
See also a feature request: TW-12976.

Authenticating with server certificate (HTTPS with no client certificate)

If your certificate is valid (i.e. it was signed by a well known Certificate Authority like Verisign), then TeamCity clients should work with HTTPS without any additional configuration. All you have to do is use https:// links to the TeamCity server instead of http://.

If your certificate is not valid (is self-signed): (i.e. is not signed by a known Certificate Authority and likely to result in "PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target" error message)

  • To enable HTTPS connections from the TeamCity Visual Studio Addin and Windows Tray Notifier, point your Internet Explorer to the TeamCity server using https:// URL and import the server certificate into the browser. After that , the Visual Studio Addin and Windows Tray Notifier should be able to connect by HTTPS.
  • To enable HTTPS connections from Java clients (TeamCity Agents, IntelliJ IDEA, Eclipse, etc.), see the section below for configuring the JVM installation used by the connecting application.

Configuring JVM

Configuring JVM for authentication with the server certificate

If your certificate is valid (i.e. it was issues and signed by a well known Certificate Authority like Verisign), then the Java clients should work with HTTPS without any additional configuration. To use Let's Encrypt-issued certificates, make sure to upgrade the JVM used by the client to the latest.

If your certificate is not valid (is self-signed):
To enable HTTPS connections from Java clients, you will need to install the server certificate (or your organization's certificate the server's certificate is signed by) into the JVM as a trusted certificate. These are generic Java application steps (not TeamCity-specific):

  • save the CA Root certificate of the server's certificate to a file in one of the supported formats (the file is referred as <cert file> below). This can be done in a browser by inspecting certificate data and exporting it as Base64 encoded X.509 certificate.
  • locate the JRE used by the process. The best way to get the path to the proper Java installation is to look up the command line of the running process.
    • If there is a JDK installed (like for IntelliJ IDEA), <path to JRE installation> should be <path to used JDK>/jre
    • For TeamCity agent or server installed under Windows, the default location for <path to JRE installation> is <TeamCity installation path>/jre
  • import the server certificate into the default JRE installation keystore using JVM's keytool tool:

    By default, Java keystore is protected by password "changeit" which you need to type on prompt

  • restart the JVM

Configuring JVM for authentication with client certificate

Importing client certificate
If you need to use a client certificate to access a server via https (e.g. from IntelliJ IDEA, Eclipse or the build agents), you will need to add the certificate to the Java keystore and supply the keystore to the JVM used by the connecting process.

1. If you have your certificate in a p12 file, you can use the following command to convert it to a Java keystore. Make sure you use keytool from JDK 1.6-1.8: earlier versions may not understand p12 format.

This commands extracts the certificate with the alias "1" from your .p12 file and adds it to Java keystore
You should know <path to your .p12 certificate> and <password of your p12 certificate> and you can provide new values for <path to keystore file> and <keystore password>.

Here, keypass should be equal to storepass because only storepass is supplied to the JVM, and if keypass is different, the following error may accur: "java.security.NoSuchAlgorithmException: Error constructing implementation (algorithm: Default, provider: SunJSSE, class: com.sun.net.ssl.internal.ssl.DefaultSSLContextImpl)".

Importing root certificate to organize a chain of trust
If your certificate is not signed by a trusted authority, you will also need to add the root certificate from your certificate chain to a trusted keystore and supply this trusted keystore to JVM.

2. You should first extract the root certificate from your certificate. You can do this from a web browser if you have the certificate installed, or you can do this with the OpenSSL tool using the command:

You should know <path to your .p12 certificate> and its password (to enter it when prompted). You should specify new values for <path to your certificate in .pem format> and for the pem pass phrase when prompted.

3. Then you should extract the root certificate (the root certificate should have the same issuer and subject fields) from the pem file (it has text format) to a separate file. The file should look like:

Let's assume its name is <path to root certificate>.

4. Now import the root certificate to the trusted keystore with the command:

Here you can use new values for <trust keystore path> and <trust keystore password> (or use existing trust keystore).

Starting the connecting application JVM

Now you need to pass the following parameters to the JVM when running the application:

For IntelliJ IDEA, you can add the lines into the bin\idea.exe.vmoptions file (one option per line).
For the TeamCity build agent, see agent startup properties.

 

Useful tools in analyzing certificates issues

Online HTTPS server configuration analysis: https://www.ssllabs.com/ssltest/analyze.html
SSLPoke Java class

 

3 Comments

  1. A related feature request: TW-12976 Out of the box support for HTTPS for the server

  2. "For IntelliJ IDEA, you can add the lines into the bin\idea.exe.vmoptions file (one option per line)."

    ^^^^^^ does this make any sense? Isn't the site about setting up SSL in TeamCIty?

  3. I'm searching for a method of using Teamcity's API with Certificate Authentication.  This is the closest article I've found on the subject.  All my previous search results are on setting TeamCity to use HTTPS.  I can already access my CI/CD using HTTPS and can access the API via HTTPS as long as I have configured --user in ${HOME}/.curlrc.  If I remove this file and attempt to access the API, I get the following error message:

    curl https://teamcity.MYDOMAIN.com/app/rest/builds/?locator=buildType:MYPROJECT_Build,branch:develop,status:success,state:finished,count:1
    Authentication required

    To login manually go to "/login.html" page

    So, how would I go about setting up certificate authentication so I don't have to expose a username and password for my API consumption cases?

     

    Thanks,

    ak