Yes, you are correct: the Octopus Server thumbprint needs to be correct on the Tentacle for the Tentacle to be trusted, almost like a handshake. If it doesn’t have the correct Octopus Server thumbprint, the connection will be refused by the Octopus Server.
The Octopus Server certificate never gets changed though unless you recently upgraded from a really old version of Octopus (where we were using certificates with sha1rsa) to a newer version of Octopus (where we are now using sha256). Or unless you regenerated it manually for some reason.
Are you able to just have a quick read of our Documentation surrounding this, as it will help you understand what I mean here?
Can you confirm you have not upgraded your Octopus Instance recently from a really old version (I am talking 3 years old) to a newer version?
We do have a script you can run which will change the value of the Octopus Server Thumbprint on your tentacles which is shown in the documentation I linked above (only run the script in the picture below - do not follow the whole documentation as that will regenerate your Octopus Server Certificate, all we want to do is change the thumbprint the Tentacle has for the Octopus Server):
Replace ‘1234567890123456789012345678901234567890’ with the 44F0 thumbprint in your Octopus Server.
You will need to restart the Tentacle Service once you have run the command and then check the Tentacle Manager to ensure the Octopus Server certificate has been changed.
This is shown in this forum post where one user experienced the same issue as you with regards to the first error message you encountered.
Do you have any other Tentacles that are experiencing the same issue? Are you able to take a look at other deployment targets and make sure they pass their health checks and also have the same Octopus Server Thumbprints in the Tentacle Manager on that machine?
It seems a bit odd if only this one Tentacle has a different Octopus Server Thumbprint unless you have not switched this deployment target on for a while.
One other thing to note: the GitHub issue you mentioned in your first post is only for polling Tentacles and not listening Tentacles. From the port number of yours (10933), it seems you are using a listening Tentacle, so the issue here was the Octopus Server thumbprint being incorrect in the Tentacle Manager on the deployment target and not the Tentacle certificate thumbprint itself.
I only mention this because if you do have issues with your other Tentacles (and you notice the Octopus Server thumbprint is incorrect in Tentacle Manager), you will not have to update their certificate as you did; you would just need to run the tentacle.exe configure command to ensure the correct Octopus Server certificate thumbprint is loaded into the Tentacle Manager.
I hope this helps but feel free to reach out if you have any other queries.
Once you have updated the Octopus Server thumbprint on that Tentacle you should not have to do that again even if it is switched off and on etc.
Kind Regards,
Clare Martin
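
The thumbprint update and service restart described in the reply above, written out as an added PowerShell example. It is not the script from the screenshot and not Octopus Deploy's own code; the install path and instance name are assumed defaults, and the script assumes the Tentacle should trust only this one Octopus Server.

```powershell
# Added example: point a listening Tentacle at the Octopus Server's current
# thumbprint, then restart the Tentacle service. Run from an elevated prompt
# on the deployment target.
param(
    # Thumbprint copied from the Octopus Server
    [Parameter(Mandatory)] [string] $ServerThumbprint,
    # Assumed default install path; adjust if Tentacle lives elsewhere
    [string] $TentacleExe = 'C:\Program Files\Octopus Deploy\Tentacle\Tentacle.exe',
    # Assumed default instance name
    [string] $Instance = 'Tentacle'
)

# Copy/paste from certificate dialogs often brings along spaces or an
# invisible left-to-right mark (U+200E). Strip those, then require 40 hex
# digits, the length of the placeholder value in the post. Anything else is
# rejected rather than silently "cleaned", so a mistyped value never ends up
# in the Tentacle's trust list.
$thumb = ($ServerThumbprint -replace '[\s\u200E\u200F]', '').ToUpperInvariant()
if ($thumb -notmatch '^[0-9A-F]{40}$') {
    throw "Not a 40-character hex thumbprint: '$ServerThumbprint'"
}

if (-not (Test-Path -LiteralPath $TentacleExe)) {
    throw "Tentacle.exe not found at $TentacleExe"
}

function Invoke-Tentacle {
    param([string[]] $Arguments)
    & $TentacleExe @Arguments
    if ($LASTEXITCODE -ne 0) {
        throw "Tentacle.exe $($Arguments -join ' ') exited with code $LASTEXITCODE"
    }
}

# --reset-trust removes every server thumbprint the Tentacle currently
# trusts, so the stale one cannot linger. Skip this step if the Tentacle is
# registered with more than one Octopus Server.
Invoke-Tentacle @('configure', '--instance', $Instance, '--reset-trust')

# Trust only the thumbprint supplied above.
Invoke-Tentacle @('configure', '--instance', $Instance, '--trust', $thumb)

# The post says the Tentacle service must be restarted for the change to apply.
Invoke-Tentacle @('service', '--instance', $Instance, '--stop', '--start')

Write-Host "Tentacle instance '$Instance' now trusts $thumb"
```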