Connecting Team Explorer Everywhere to TFS results in Certificate error

2013-06-25

When you're trying to connect Team Explorer Everywhere (or any other Java-based application for that matter) to Team Foundation Server you might run into the following, very helpful, message:

An error occurred: sun.security.validator.ValidatorException:
     PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException:
     unable to find valid certification path to requested target

All the while Visual Studio will be able to connect just fine.

This is almost certainly caused by the fact that your TFS server (or, in our case, our SSL appliance) isn't serving all SSL certificates in the certificate chain. The Visual Studio version of Team Explorer relies on Windows to verify the certificate chain and will find the missing link. Team Explorer Everywhere relies on Java to verify the certificate chain, and Java will not go out to download the intermediate certificate(s) on its own.

You can see that the certificate chain isn't being offered by the webserver through this nifty website that checks your SSL configuration, SSL Labs:
The key factor that causes this issue is pointed out by the "Incomplete, Not trusted as supplied" remark.
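As an added example (not code from the original post or from Team Explorer Everywhere), the following Java program reports, for every certificate the server sent, whether its issuer was sent too, is a trust anchor in cacerts, or is missing altogether, and then asks the same PKIX validator that produces the error above for its verdict. It assumes the served chain has been saved as a PEM bundle with the leaf first (for example captured with openssl s_client -showcerts) and that cacerts still has the stock password; the file names are placeholders.

```java
// ChainCheck.java: java ChainCheck server-chain.pem [path\to\cacerts]
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.*;
import java.util.*;

public class ChainCheck {
    public static void main(String[] args) throws Exception {
        // Default to the running JRE's cacerts, the same store keytool edits in this post.
        String cacerts = args.length > 1 ? args[1]
                : System.getProperty("java.home") + "/lib/security/cacerts";
        CertificateFactory cf = CertificateFactory.getInstance("X.509");

        // The certificates the server actually sent (PEM bundle, leaf first).
        List<X509Certificate> served = new ArrayList<>();
        try (FileInputStream in = new FileInputStream(args[0])) {
            for (Certificate c : cf.generateCertificates(in)) served.add((X509Certificate) c);
        }

        // Trust anchors from cacerts; "changeit" is the stock password (assumed unchanged).
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (FileInputStream in = new FileInputStream(cacerts)) { ks.load(in, "changeit".toCharArray()); }
        Set<String> anchors = new HashSet<>(), sent = new HashSet<>();
        for (String alias : Collections.list(ks.aliases())) {
            Certificate c = ks.getCertificate(alias);
            if (c instanceof X509Certificate) anchors.add(((X509Certificate) c).getSubjectX500Principal().getName());
        }
        for (X509Certificate c : served) sent.add(c.getSubjectX500Principal().getName());

        // Follow each issuer link and say who supplied it; Java will not fetch a missing one.
        for (X509Certificate c : served) {
            String issuer = c.getIssuerX500Principal().getName();
            String where = sent.contains(issuer) ? "sent by server"
                    : anchors.contains(issuer) ? "trust anchor in cacerts"
                    : "MISSING: not sent by server and not in cacerts";
            System.out.println(c.getSubjectX500Principal() + "\n  issued by " + issuer + " -> " + where);
        }

        // Same PKIX validator that raised the error in this post; revocation off so it runs offline.
        PKIXParameters params = new PKIXParameters(ks);
        params.setRevocationEnabled(false);
        try {
            CertPathValidator.getInstance("PKIX").validate(cf.generateCertPath(served), params);
            System.out.println("PKIX validation: OK");
        } catch (CertPathValidatorException e) {
            System.out.println("PKIX validation FAILED: " + e.getMessage());
        }
    }
}
```

A chain that SSL Labs flags as "Incomplete" shows up here as a MISSING issuer line followed by the validator's "unable to find valid certification path" style failure; once the server sends the intermediate, the same run prints "sent by server" and "PKIX validation: OK".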

As a temporary workaround you can instruct your local Java Runtime Environment to import the certificate of your TFS server and trust it as if it were a Certificate Authority. Though this works, it's a security risk and you need to apply this to every Java Runtime and SDK on every machine that wants to connect.

C:\Program Files\Java\jre7\bin>keytool -keystore ..\lib\security\cacerts -importcert -file your_servers_cert_file.cer -alias temp-tfs-cert
Enter keystore password: changeit

Be sure to remove it when your server has been updated:

C:\Program Files\Java\jre7\bin>keytool -keystore ..\lib\security\cacerts -delete -alias temp-tfs-cert
Enter keystore password: changeit

It is a better solution to actually have the underlying issue fixed: the certificate chain, as served by the server, is broken. After following all the steps on the TFS server and the SSL appliance to make sure both serve the complete certificate chain, we can now connect Team Explorer Everywhere to TFS without any issues. After this change you should see the following data on SSL Labs:


And Team Explorer Everywhere will be satisfied and connect to TFS without any further issues.

This fix applies to most Java-based applications, so if you're getting a similar error message from Sonar or TeamCity, chances are high that you have one or more missing certificates in your Intermediate Certificate Store.

update:
In order to debug these kinds of issues, one can start Eclipse from the command line with extended SSL debugging turned on, like this:

C:\Program Files\eclipse>java -cp . "-Djavax.net.debug=ssl:record" -jar plugins\org.eclipse.equinox.launcher_1.3.0.v20140415-2008.jar > %temp%\eclipse_ssl.log
