2

While installing the Azure DevOps server, the <generate new self-signed certificate> option was used in the Web Site Settings.

After the installation was successfully completed, browsing to the site seems fine on the server.

But opening the DevOps site from other computers in the intranet shows the following warning:

"Your Connection for this site is not valid"

I checked that the configuration is correct according to the Microsoft documentation: Configuring HTTPS for Azure DevOps Server.

How can I solve this problem to get rid of this warning?

Thanks

2
  • 1
    Did you install the certificate on both machines?
    – Ramhound
    Commented Sep 3, 2023 at 14:25
  • 1
    @Ramhound: After installing the certificate on the client machine the warning disappeared. Thanks.
    – Jackdaw
    Commented Sep 3, 2023 at 15:45

1 Answer

1

From Web site settings and security for Azure DevOps on-premises:

Self-signed certificates

Self-signed certificates are useful for trial deployments of Azure DevOps Server, since they are very easy to provision and use. They are less appropriate for production deployments of Azure DevOps Server, and we do not recommend they be used for Azure DevOps Server deployments exposed to the public internet. Generally, self-signed certificates are susceptible to man-in-the-middle attacks. They also cause problems for users, since they will cause certificate warnings and errors until their root certificates are installed on each client machine.

In other words, every certificate is issued by a Certificate Authority. In order for it to be valid, the issuing Certificate Authority must itself be recognized as trustworthy.

A self-signed certificate is signed by the issuing computer, so is valid within that computer. Other computers will not recognize the issuing computer as a known authority, so may refuse to accept that certificate.

That is why a self-signed certificate is good for testing, where all the computers are controlled, but not good for the wider public.

For your problem, you need to set the other computer to accept your certificate. Depending on your browser, it may allow such action. Otherwise, you will need to import the certificate manually into the Certificate Store on that computer.

3
  • If I understand correctly, it's no problem to use these certificates on the intranet. It's only necessary to export the file(s) on the server by using the Certificates MMC snap-in and then import them on each client, to be stored under Trusted Root Certification Authorities. But if customers will start the service over the Internet, it's necessary to issue certificates from Trusted Certificate Authorities and use Group Policy to automate distribution to clients. Is that correct?
    – Jackdaw
    Commented Sep 3, 2023 at 13:58
  • 1
    @Jackdaw - You can always buy a certificate from a CA and skip the step of having to trust the certificate you created
    – Ramhound
    Commented Sep 3, 2023 at 14:26
  • 1
    @Jackdaw: You're right in principle. You can't demand from people not belonging to your organization to import or trust your certificates. You need to use certificates issued by a well-known Authority which is very likely already present in everyone's Trusted Certificate Authorities store.
    – harrymc
    Commented Sep 3, 2023 at 15:15
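
The export-and-import procedure described in the answer and comments above, as an added PowerShell example that is not part of the original posts. The thumbprint placeholder and the C:\Temp path are assumptions; the thumbprint comparison on the client is an added check so that only the certificate the server actually exported ends up trusted.

```powershell
# ===== On the Azure DevOps server (elevated PowerShell) =====
# List self-signed certificates in the machine store: issuer equals subject.
Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq $_.Issuer } |
    Format-List Subject, Thumbprint, NotAfter

# Placeholder: thumbprint of the certificate bound to the Azure DevOps site.
$siteThumbprint = '<THUMBPRINT-OF-SITE-CERTIFICATE>'
$cert = Get-Item "Cert:\LocalMachine\My\$siteThumbprint"

# Export the public certificate only (.cer); the private key stays on the server.
# Assumed path, adjust as needed.
Export-Certificate -Cert $cert -FilePath 'C:\Temp\devops-selfsigned.cer' | Out-Null

# ===== On each client (elevated PowerShell) =====
# Thumbprint obtained from the server over a separate channel (phone, ticket),
# not from the same share or mail that delivered the .cer file.
$expected = '<THUMBPRINT-OF-SITE-CERTIFICATE>'
$file     = 'C:\Temp\devops-selfsigned.cer'

# Load the file without installing it and check it before trusting it.
$received = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $file
if ($received.Thumbprint -ne $expected) {
    throw "Thumbprint mismatch: got $($received.Thumbprint). Certificate not imported."
}
if ($received.Subject -ne $received.Issuer) {
    throw "Certificate is not self-signed; it does not belong in the Root store."
}

# Trust it machine-wide: Trusted Root Certification Authorities.
Import-Certificate -FilePath $file -CertStoreLocation Cert:\LocalMachine\Root | Out-Null

# Confirm the certificate is now in the Root store.
Get-ChildItem Cert:\LocalMachine\Root |
    Where-Object { $_.Thumbprint -eq $expected } |
    Format-List Subject, Thumbprint, NotAfter
```

Trusting the certificate removes the "unknown issuer" warning only; the browser still checks that the host name in the URL matches a name in the certificate.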
