Configuring HTTPS Access to TeamCity Server

TeamCity lets you easily configure HTTPS access to the server.

Configuring HTTPS Settings

To enable HTTPS access to your server, you need an SSL certificate and a private key. TeamCity supports .pem certificates and RSA keys of the PKCS#1 or PKCS#8 format.

If you do not have a certificate, there are a couple of options available to you:

For a public facing server, you can generate a new trusted certificate. One of the possibilities is Certbot. You can follow these instructions.
For a non-public facing server, you can use an existing certificate or generate a new one locally. You can follow these instructions.

If you use a self-signed certificate, make sure your clients are configured to trust it.

When a certificate is available, configure HTTPS settings on your TeamCity server.

Go to Administration | Server Administration | HTTPS Settings. The settings can be configured via the UI or a script.
Upload the certificate.
Upload the RSA key.
Now you can specify the port for HTTPS connections. By default, TeamCity suggests port 443. You may need to change the port number.

Before saving the specified settings, TeamCity will check access. If access is denied, TeamCity will show an error and will not save the invalid settings.

You can also automate configuring these HTTPS settings using a script, which should contain the following:

curl '&lt;TeamCity_URL>/app/https/settings/uploadCertificate' -X POST -H 'Accept: application/json' -H 'Authorization: Bearer TOKEN' -F certificate=@PATH_CERT -F key=@PATH_KEY -F port=XXXX'`

The TOKEN here is your personal token with the Change HTTPS settings permission.

Save your settings. TeamCity will track the validity of your certificate and will start displaying a warning 30 days before expiration. After the certificate expires, an error will be displayed.

After the settings are saved, you’ll be presented with a list of HTTPS redirect options. Select one of the radio buttons:

Disabled (default). HTTPS redirection is not enforced and all clients can use both HTTP and HTTPS. This is the least secure option.
Only browser requests. Use this option to force all users connecting via a browser to use HTTPS. Requests from agents and custom scripts will not be redirected.
- This option can be suitable if you have a secure isolated infrastructure, or if you only have local agents connecting to the TeamCity server.
- It is also useful for a transition period, when you can configure your agents to connect to TeamCity via HTTPS.
Enable for all requests. All TeamCity clients will be redirected to HTTPS.
Before enabling this option, make sure that you have updated the URL to HTTPS on all agents; otherwise the agents using HTTP may not be able to connect to the server.
You can view the URLs used by the agents to connect to the TeamCity server on Agents | Overview | Parameters report page using teamcity.serverUrl in the filter.

After HTTPS settings are saved, the page will display the Remove button below the certificate information.

Last modified: 20 January 2023