We did this update in May 2020, but I forgot to publish the blogpost… so here we are
Last year we updated to Azure DevOps Server 2019 and it went more or less smooth.
In May we decided to update to the “newest” release at that time: Azure DevOps Server 2019 Update 1.1
Our AzureDevOps Server was running on a “new” Windows Server 2019 and everything was still kind of newish - so we just needed to update the AzureDevOps Server app.
The actual update was really easy, but we had some issues after the installation.
We had some issues with our Build Agents - they couldn’t connect to the AzureDevOps Server:
TF400813: Resource not available for anonymous access
As a first “workaround” (and a nice enhancement) we switched from HTTP to HTTPS internally, but this didn’t solved the problem.
The real reason was, that our “Azure DevOps Service User” didn’t had the required write permissions for this folder:
The connection issue went away, but now we introduced another problem: Our SSL Certificate was “self signed” (from our Domain Controller), so we need to register the agents like this:
.\config.cmd --gituseschannel --url https://.../tfs/ --auth Integrated --pool Default-VS2019 --replace --work _work
The important parameter is -gituseschannel, which is needed when dealing with “self signed, but Domain ‘trusted’“-certificates.
With this setting everything seemed to work as expected.
Only node.js projects or toolings were “problematic”, because node.js itself don’t use the Windows Certificate Store.
To resolve this, the root certificate from our Domain controller must be stored on the agent.
[Environment]::SetEnvironmentVariable("NODE_EXTRA_CA_CERTS", "C:\SSLCert\root-CA.pem", "Machine")
The update itself was easy, but it took us some hours to configure our Build Agents. After the initial hiccup it went smooth from there - no issues and we are ready for the next update, which is already released.
Hope this helps!