Access denied when deploying certificate

Matt_Cresswell · 18 June 2018 15:12

Bit of an unusual one that’s testing my Google-fu.

We’ve got certificates stored with the private key within Octopus and are attempting to deploy them to a Windows 2012 Server.

Importing certificate 'CN=xxxxxx' with thumbprint '123456' into store 'LocalMachine\My'
There was an error importing the certificate into the store 

Could not read PFX 
System.Exception 
   at Calamari.Integration.Certificates.WindowsX509CertificateStore.GetCertificatesFromPfx(Byte[] pfxBytes, String password, PfxImportFlags pfxImportFlags) 
   at Calamari.Integration.Certificates.WindowsX509CertificateStore.ImportPfxToStore(CertificateSystemStoreLocation storeLocation, String storeName, Byte[] pfxBytes, String password, Boolean useUserKeyStore, Boolean privateKeyExportable) 
   at Calamari.Integration.Certificates.WindowsX509CertificateStore.ImportCertificateToStore(Byte[] pfxBytes, String password, StoreLocation storeLocation, String storeName, Boolean privateKeyExportable) 
   at Calamari.Commands.ImportCertificateCommand.ImportCertificate(CalamariVariableDictionary variables) 
   at Calamari.Commands.ImportCertificateCommand.Execute(String[] commandLineArguments) 
   at Calamari.Program.Execute(String[] args) 
--Inner Exception-- 
Access denied. 
System.Security.Cryptography.CryptographicException 
   at Calamari.Integration.Certificates.WindowsX509CertificateStore.GetCertificatesFromPfx(Byte[] pfxBytes, String password, PfxImportFlags pfxImportFlags) 
The remote script failed with exit code 100 
The action Add Certificate on XXXXX failed

The Octopus user has administrator access to the target machine and we can manually add the certificate through when logging on as that user.

Have also tried other certificates to no avail and other stores (web hosting).

Anyone seen this behavior?

henrik · 20 June 2018 02:13

Hi Matt,

Thanks for getting in touch and I’m sorry to hear that you are having these issues.

Was the certificate installed already on the server before you tried to import it with Octopus? If so, could you remove it entirely and try again?

Thank you and best regards,
Henrik

Matt_Cresswell · 20 June 2018 10:10

Hi Henrik,
We’ve tried deleting and re-deploying -same error. We’ve done some more testing this morning and it appears that the check for a valid certificate is also giving the same error.

We suspect that this may have been caused by a Window update issue as previously the check for a valid certificate worked.

Do you have any reports from other customers?

Deployment target:
Windows Server 2012 R2 (build 9600)
Below updates have been recently applied:
KB4230450 -CU for IE
KB4287903 -Flash update
KB4284878 -Security only update, struggling to find what it covers. Maybe?
KB4284815 -Monthly security roll up. -Maybe?

We’ll continue to investigate.
Cheers
Matt

henrik · 21 June 2018 00:12

Hi Matt,

Thanks for the update, I have not heard of any other reports of this issue, but I’ll check with the team as well.

Cheers,
Henrik

system · 21 July 2018 00:12

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.