An error occurred when sending a request to '', before the request could begin: Unable to receive the remote identity

Use case:

Tentacle is configured on my windows nodes and then the nodes are shut off for a few days. During the instance requirement the nodes are turned on and an API call is made to register the node as a deployment target in Octopus. I am facing this failure while doing the registration:

Performing TLS handshake
March 30th 2022 04:24:12Info
Secure connection established. Server at [::ffff:]:10933 identified by thumbprint: A5AF3690E316FC6713585770A2A085F23751BAF7, using protocol Tls12
March 30th 2022 04:24:12Info
Identifying as a client
March 30th 2022 04:24:12Error
Connection initialization failed while connecting to Halibut.Transport.Protocol.ConnectionInitializationFailedException: Unable to receive the remote identity; the identity line was empty.
—> Halibut.Transport.Protocol.ProtocolException: Unable to receive the remote identity; the identity line was empty.
at Halibut.Transport.Protocol.MessageExchangeStream.ReadRemoteIdentity()
at Halibut.Transport.Protocol.MessageExchangeStream.ExpectServerIdentity()
at Halibut.Transport.Protocol.MessageExchangeProtocol.PrepareExchangeAsClient()
— End of inner exception stack trace —
at Halibut.Transport.Protocol.MessageExchangeProtocol.PrepareExchangeAsClient()
at Halibut.Transport.Protocol.MessageExchangeProtocol.ExchangeAsClient(RequestMessage request)
at Halibut.HalibutRuntime.<>c__DisplayClass41_0.b__0(MessageExchangeProtocol protocol)
at Halibut.Transport.SecureListeningClient.ExecuteTransaction(ExchangeAction protocolHandler, CancellationToken cancellationToken)

I tried following the workaround #2 mentioned in this article:

by running the commands:

C:\Program Files\Octopus Deploy\Tentacle>tentacle new-certificate
A new certificate has been generated and installed. Thumbprint:
These changes require a restart of the Tentacle.

C:\Program Files\Octopus Deploy\Tentacle>tentacle service --restart
Restarting service OctopusDeploy Tentacle
Stopping service…
Waiting for service to become Stopped. Current status: StopPending
Waiting for service to become Stopped. Current status: Stopped
Service stopped
Waiting for service to become Running. Current status: StartPending
Waiting for service to become Running. Current status: Running
Service Started.

On retrying registration it still failed with this error:

An error occurred when sending a request to ‘’, after the request began: The server at presented an unexpected security certificate. We expected the server to present a certificate with the thumbprint ‘A5AF3690E316FC6713585770A2A085F23751BAF7’. Instead, it presented a certificate with a thumbprint of ‘FCEE0BABE421A80F30537FA46E5509022C3FEF7A’ and subject ‘CN=Octopus Tentacle’. This usually happens when the client has been configured to expect the server to have the wrong certificate, or when the certificate on the server has been regenerated and the client has not been updated.

One weird observation:

After updating the thumbprint on the server, removing the deployment target and attempting registration again, i could notice that the thumbprint got updated to the current one but the underlined reference is still the old one.

Can someone please help?

Good morning @sarthak.chatterjee,

Welcome to the Octopus Community and sorry to hear you are having issues connecting one of your Tentacles.

I was just about to ask if you managed to change the thumbprint on the Tentacle in the Octopus UI but you have just confirmed you did. The thumbprint you have highlighted is the Octopus Server thumbprint which you put into the Tentacle install wizard when it asks you. I assume you have not changed that so as long as when you installed the Tentacle on your Deployment Target Server you made sure you put that Octopus Server Thumbprint in you should be fine.

One way to check this is through Tentacle Manager on the deployment target:

So your Tentacle manager should show the 44F0 thumbprint in there. If it does not you will need to re-install the Tentacle and input the correct thumbprint for the Octopus Server.

Did you manage to run a health check on the Tentacle now you changed the thumbprint? Does it pass now or is it still failing?

I look forward to hearing from you,

Kind Regards,

Clare Martin

Hi @clare.martin !

Thanks for getting back.

This is the status on my node’s tentacle manager:

It shows the cert thumbprint : FCEE0BABE421A80F30537FA46E5509022C3FEF7A which is same as what i can see in the deployment target in octopus UI.

However the highlighted portion value is different
Octopus UI:

Tentacle manager:

I assume these values should be same for it to work? Isn’t there any other way than to delete and reconfigure tentacle ( which is not quite an option here as my tentacle will be configured a few days before than the actual registration always)?

Hi @sarthak.chatterjee,

Yes you are correct the Octopus Server thumbprint needs to be correct on the Tentacle for the Tentacle to be trusted, almost like a handshake, if it doesn’t have the correct Octopus Server thumbprint the connection will be refused by the Octopus Server.

The Octopus Server certificate never gets changed though unless you recently upgraded from a really old version of Octopus (where we were using certificates with sha1rsa) to a newer version of Octopus (where we are now using sha256). Or unless you regenerated it manually for some reason.

Are you able to just have a quick read of our Documentation surrounding this as it will help you understand what I mean here.

Can you confirm you have not upgraded your Octopus Instance recently from a really old version (I am talking 3 years old) to a newer version.

We do have a script you can run which will change the value of the Octopus Server Thumbprint on your tentacles which is shown in the documentation I linked above (only run the script in the picture below - do not follow the whole documentation as that will regenerate your Octopus Server Certificate, all we want to do is change the thumbprint the Tentacle has for the Octopus Server):

Replace ‘1234567890123456789012345678901234567890’ with the 44F0 thumbprint in your Octopus Server.

You will need to restart the Tentacle Service once you have run the command and then check the Tentacle Manager to ensure the Octopus Server certificate has been changed.

This is shown in this forum post where one user experienced the same issue as you with regards to the first error message you encountered.

Do you have any other Tentacles that are experiencing the same issue? Are you able to take a look at other deployment targets and make sure they pass their health checks and also have the same Octopus Server Thumbprints in the Tentacle Manager on that machine?

It seems a bit odd if only this one Tentacle has a different Octopus Server Thumbprint unless you have not switched this deployment target on for a while.

One other thing to note, the GitHub issue you mentioned in your first post is only for polling tentacles and not listening tentacles, from the port number of yours (10933) it seems you are using a listening Tentacle so the issue here was the Octopus Server thumbprint being incorrect in the Tentacle manager on the deployment target and not the Tentacle certificate thumbprint itself.

I only mention this because if you do have issues with your other Tentacles (and you notice the Octopus Server thumbprint is incorrect in Tentacle Manager) you will not have to update their certificate as you did, you would just need to run the tentacle.exe configure command to ensure the correct Octopus Sever certificate thumbprint is loaded into the Tentacle Manager.

I hope this helps but feel free to reach out if you have any other queries.

Once you have updated the Octopus Server thumbprint on that Tentacle you should not have to do that again even if it is switched off and on etc.

Kind Regards,

Clare Martin

This topic was automatically closed 31 days after the last reply. New replies are no longer allowed.