Azure Cloud Service Deployment - Loading certificate with thumbprint - argument null error

Using: Octopus 3.13.8

I’m trying to deploy my azure cloude service. Per the log below, it keeps trying to lookup the cert with a null value for the thumbprint. I have a thumbprint value in the cscfg file. I’m not sure if this is a cscfg file problem or something I need to address in my Octopus instance? Let me know what details I need to provide for us to collaborate on this.

Thanks,
Lane

Octopus Server version: 3.13.8+Branch.master.Sha.c11ea2ad773baf04a1998efdaefc7db88f62ac02
September 26th 2017 13:33:08Verbose
Environment Information:
OperatingSystem: Microsoft Windows NT 6.1.7601 Service Pack 1
OsBitVersion: x64
Is64BitProcess: True
CurrentUser: NT AUTHORITY\SYSTEM
MachineName: SEA-CHRIS-TEST1
ProcessorCount: 1
CurrentDirectory: C:\Windows\system32
TempDirectory: C:\Windows\TEMP
HostProcessName: Octopus.Server
September 26th 2017 13:33:08Verbose
Using account ID 'Octopus Deploy’
September 26th 2017 13:33:09Verbose
Octopus Deploy: Calamari.Azure version 3.7.70+Branch.master.Sha.20b49d10257f6fe09bc9cbf191174ae1cb5490de
September 26th 2017 13:33:09Verbose
Environment Information:
September 26th 2017 13:33:09Verbose
OperatingSystem: Microsoft Windows NT 6.1.7601 Service Pack 1
September 26th 2017 13:33:09Verbose
OsBitVersion: x64
September 26th 2017 13:33:09Verbose
Is64BitProcess: True
September 26th 2017 13:33:09Verbose
CurrentUser: NT AUTHORITY\SYSTEM
September 26th 2017 13:33:09Verbose
MachineName: SEA-CHRIS-TEST1
September 26th 2017 13:33:09Verbose
ProcessorCount: 1
September 26th 2017 13:33:09Verbose
CurrentDirectory: C:\Octopus\Work\20170926203308-6
September 26th 2017 13:33:09Verbose
TempDirectory: C:\Windows\TEMP
September 26th 2017 13:33:09Verbose
HostProcessName: Calamari.Azure
September 26th 2017 13:33:09Info
Deploying package: C:\Octopus\Packages\PPA.CCEP.CloudService\PPA.CCEP.CloudService.1.5.0.1470.nupkg
September 26th 2017 13:33:10Verbose
Name Value
September 26th 2017 13:33:10Verbose

September 26th 2017 13:33:10Verbose
PSVersion 5.1.14409.1012
September 26th 2017 13:33:10Verbose
PSEdition Desktop
September 26th 2017 13:33:10Verbose
PSCompatibleVersions {1.0, 2.0, 3.0, 4.0…}
September 26th 2017 13:33:10Verbose
BuildVersion 10.0.14409.1012
September 26th 2017 13:33:10Verbose
CLRVersion 4.0.30319.42000
September 26th 2017 13:33:10Verbose
WSManStackVersion 3.0
September 26th 2017 13:33:10Verbose
PSRemotingProtocolVersion 2.3
September 26th 2017 13:33:10Verbose
SerializationVersion 1.1.0.1
September 26th 2017 13:33:10Verbose
PowerShell Environment Information:
September 26th 2017 13:33:10Verbose
OperatingSystem: Microsoft Windows NT 6.1.7601 Service Pack 1
September 26th 2017 13:33:10Verbose
OsBitVersion: x64
September 26th 2017 13:33:10Verbose
Is64BitProcess: True
September 26th 2017 13:33:10Verbose
CurrentUser: NT AUTHORITY\SYSTEM
September 26th 2017 13:33:10Verbose
MachineName: SEA-CHRIS-TEST1
September 26th 2017 13:33:10Verbose
ProcessorCount: 1
September 26th 2017 13:33:10Verbose
CurrentDirectory: C:\Windows\system32\config\systemprofile\AppData\Local\Calamari.Azure\Temp\b402e9d6-d544-4789-9506-6a9950c01dcd
September 26th 2017 13:33:10Verbose
CurrentLocation: C:\Windows\system32\config\systemprofile\AppData\Local\Calamari.Azure\Temp\b402e9d6-d544-4789-9506-6a9950c01dcd
September 26th 2017 13:33:10Verbose
TempDirectory: C:\Windows\TEMP
September 26th 2017 13:33:10Verbose
HostProcessName: powershell
September 26th 2017 13:33:10Verbose
TotalPhysicalMemory: 4193848 KB
September 26th 2017 13:33:10Verbose
AvailablePhysicalMemory: 2769100 KB
September 26th 2017 13:33:10Verbose
Adding bundled Azure PowerShell modules to PSModulePath
September 26th 2017 13:33:12Verbose
Authenticating with Service Principal
September 26th 2017 13:33:12Verbose
WARNING: Parameter ‘Environment’ is obsolete. This parameter is only for
September 26th 2017 13:33:12Verbose
backwards compatibility; users should use EnvironmentName instead.
September 26th 2017 13:33:12Verbose
Environment : AzureCloud
September 26th 2017 13:33:12Verbose
Account : ea75d658-54c3-4c90-9b81-c43586b46daa
September 26th 2017 13:33:12Verbose
TenantId : bcace1c8-076d-40ee-818d-41c366765fdd
September 26th 2017 13:33:12Verbose
SubscriptionId : 138b3aae-f4e4-4f0e-bc1e-fd4841029298
September 26th 2017 13:33:12Verbose
SubscriptionName : PPA-PreProd-EA
September 26th 2017 13:33:12Verbose
CurrentStorageAccount :
September 26th 2017 13:33:12Verbose
Invoking target script “C:\Windows\system32\config\systemprofile\AppData\Local\Calamari.Azure\Temp\b402e9d6-d544-4789-9506-6a9950c01dcd\SwapAzureCloudServiceDeployment.ps1” with parameters
September 26th 2017 13:33:12Verbose
Extracting package to: C:\Octopus\Work\20170926203308-6\staging
September 26th 2017 13:33:12Verbose
Extracted 8 files
September 26th 2017 13:33:12Verbose
Ensuring cloud-service-package is V20120315 format.
September 26th 2017 13:33:12Verbose
Package is Legacy format. Converting to V20120315 format.
September 26th 2017 13:33:45Verbose
Extracting Cloud Service package: 'C:\Octopus\Work\20170926203308-6\staging\PPA.CCEP.CloudService.ccproj.cspkg’
September 26th 2017 13:33:53Verbose
Found Azure Cloud Service Configuration file: C:\Octopus\Work\20170926203308-6\staging\ServiceConfiguration.uat.cscfg
September 26th 2017 13:33:53Verbose
Loading certificate with thumbprint:
September 26th 2017 13:33:53Error
System.ArgumentNullException: Value cannot be null.
September 26th 2017 13:33:54Error
Parameter name: findValue
September 26th 2017 13:33:54Error
at System.Security.Cryptography.X509Certificates.X509Certificate2Collection.FindCertInStore(SafeCertStoreHandle safeSourceStoreHandle, X509FindType findType, Object findValue, Boolean validOnly)
September 26th 2017 13:33:54Error
at System.Security.Cryptography.X509Certificates.X509Certificate2Collection.Find(X509FindType findType, Object findValue, Boolean validOnly)
September 26th 2017 13:33:54Error
at Calamari.Integration.Certificates.CalamariCertificateStore.GetOrAdd(String thumbprint, String bytes, X509Store store) in Z:\buildAgent\workDir\14ffc968155e4956\source\Calamari\Integration\Certificates\CalamariCertificateStore.cs:line 32
September 26th 2017 13:33:54Error
at Calamari.Azure.Integration.SubscriptionCloudCredentialsFactory.GetCredentials(String subscriptionId, String certificateThumbprint, String certificateBytes) in Z:\buildAgent\workDir\14ffc968155e4956\source\Calamari.Azure\Integration\SubscriptionCloudCredentialsFactory.cs:line 17
September 26th 2017 13:33:54Error
at Calamari.Azure.Deployment.Conventions.ConfigureAzureCloudServiceConvention.UpdateConfigurationWithCurrentInstanceCount(XContainer localConfigurationFile, String configurationFileName, VariableDictionary variables) in Z:\buildAgent\workDir\14ffc968155e4956\source\Calamari.Azure\Deployment\Conventions\ConfigureAzureCloudServiceConvention.cs:line 81
September 26th 2017 13:33:54Error
at Calamari.Azure.Deployment.Conventions.ConfigureAzureCloudServiceConvention.Install(RunningDeployment deployment) in Z:\buildAgent\workDir\14ffc968155e4956\source\Calamari.Azure\Deployment\Conventions\ConfigureAzureCloudServiceConvention.cs:line 36
September 26th 2017 13:33:54Error
at Calamari.Deployment.ConventionProcessor.RunInstallConventions() in Z:\buildAgent\workDir\14ffc968155e4956\source\Calamari\Deployment\ConventionProcessor.cs:line 60
September 26th 2017 13:33:54Error
at Calamari.Deployment.ConventionProcessor.RunConventions() in Z:\buildAgent\workDir\14ffc968155e4956\source\Calamari\Deployment\ConventionProcessor.cs:line 28
September 26th 2017 13:33:54Error
Running rollback conventions…
September 26th 2017 13:33:54Error
Value cannot be null.
September 26th 2017 13:33:54Error
Parameter name: findValue
September 26th 2017 13:33:54Error
System.ArgumentNullException
September 26th 2017 13:33:54Error
at System.Security.Cryptography.X509Certificates.X509Certificate2Collection.FindCertInStore(SafeCertStoreHandle safeSourceStoreHandle, X509FindType findType, Object findValue, Boolean validOnly)
September 26th 2017 13:33:54Error
at System.Security.Cryptography.X509Certificates.X509Certificate2Collection.Find(X509FindType findType, Object findValue, Boolean validOnly)
September 26th 2017 13:33:54Error
at Calamari.Integration.Certificates.CalamariCertificateStore.GetOrAdd(String thumbprint, String bytes, X509Store store) in Z:\buildAgent\workDir\14ffc968155e4956\source\Calamari\Integration\Certificates\CalamariCertificateStore.cs:line 32
September 26th 2017 13:33:54Error
at Calamari.Azure.Integration.SubscriptionCloudCredentialsFactory.GetCredentials(String subscriptionId, String certificateThumbprint, String certificateBytes) in Z:\buildAgent\workDir\14ffc968155e4956\source\Calamari.Azure\Integration\SubscriptionCloudCredentialsFactory.cs:line 17
September 26th 2017 13:33:54Error
at Calamari.Azure.Deployment.Conventions.ConfigureAzureCloudServiceConvention.UpdateConfigurationWithCurrentInstanceCount(XContainer localConfigurationFile, String configurationFileName, VariableDictionary variables) in Z:\buildAgent\workDir\14ffc968155e4956\source\Calamari.Azure\Deployment\Conventions\ConfigureAzureCloudServiceConvention.cs:line 81
September 26th 2017 13:33:54Error
at Calamari.Azure.Deployment.Conventions.ConfigureAzureCloudServiceConvention.Install(RunningDeployment deployment) in Z:\buildAgent\workDir\14ffc968155e4956\source\Calamari.Azure\Deployment\Conventions\ConfigureAzureCloudServiceConvention.cs:line 36
September 26th 2017 13:33:54Error
at Calamari.Deployment.ConventionProcessor.RunInstallConventions() in Z:\buildAgent\workDir\14ffc968155e4956\source\Calamari\Deployment\ConventionProcessor.cs:line 60
September 26th 2017 13:33:54Error
at Calamari.Deployment.ConventionProcessor.RunConventions() in Z:\buildAgent\workDir\14ffc968155e4956\source\Calamari\Deployment\ConventionProcessor.cs:line 50
September 26th 2017 13:33:54Error
at Calamari.Azure.Commands.DeployAzureCloudServiceCommand.Execute(String[] commandLineArguments) in Z:\buildAgent\workDir\14ffc968155e4956\source\Calamari.Azure\Commands\DeployAzureCloudServiceCommand.cs:line 98
September 26th 2017 13:33:54Error
at Calamari.Program.Execute(String[] args) in Z:\buildAgent\workDir\14ffc968155e4956\source\Calamari\Program.cs:line 45
September 26th 2017 13:33:54Verbose
Updating manifest with output variables
September 26th 2017 13:33:54Verbose
Updating manifest with action evaluated variables
September 26th 2017 13:33:54Fatal
The remote script failed with exit code 100
September 26th 2017 13:33:54Verbose
at Octopus.Worker.Scripting.ScriptResult.EnsureSuccessful()
at Octopus.Server.Orchestration.Deploy.DeploymentTaskController.<>c__DisplayClass28_0.b__0()
at Octopus.Server.Orchestration.Deploy.DeploymentTaskController.ExecuteWithTransientErrorDetection(Action action, Machine machine)
at Octopus.Server.Orchestration.Deploy.DeploymentTaskController.ExecuteActionAndInitLoggingContext(PlannedStep step, Machine machine, PlannedAction action)
September 26th 2017 13:33:54Fatal
deploy cloud service on the Octopus Server

log output is hard to read in the input box so i’ve attached the raw log.txt

ServerTasks-22136.log.txt (12 KB)

looks like the thumbprint value is supposed to come from the Octopus.Action, but I’m not finding where I assign a thumbprint value. I see in my ‘Account’ that I can provide the SubscriptionId, ClientId, TenantId for the Service Principal that I’m using for the task. And I’ve used this Service Principal to octopus deploy other azure targets such as resource groups, resource templates, web apps.

public static class Azure
            {
                public static readonly string UseBundledAzurePowerShellModules = "Octopus.Action.Azure.UseBundledAzurePowerShellModules";

                public static readonly string SubscriptionId = "Octopus.Action.Azure.SubscriptionId";
                public static readonly string ClientId = "Octopus.Action.Azure.ClientId";
                public static readonly string TenantId = "Octopus.Action.Azure.TenantId";
                public static readonly string Password = "Octopus.Action.Azure.Password";
                public static readonly string CertificateBytes = "Octopus.Action.Azure.CertificateBytes";
                public static readonly string CertificateThumbprint = "Octopus.Action.Azure.CertificateThumbprint";

Hi,

Thanks for getting in touch. The Service Principal is actually what I noticed in the log you had sent. Cloud Services do not support Service Principals. In our UI for the step you should see that the Service Principal accounts are filtered out of the dropdown. It seems like the variable binding and API don’t always enforce this though.

I’ve added an issue, that you can track on GitHub, to return a better error message to explain this. We’ve had talks with Microsoft and understand that whilst changes have been made in the Azure portal to allow Cloud Service deployments using Service Principals, this isn’t something they will be supporting through the cmdlets and APIs that the public have access to (i.e. only Azure portal will ever be able to do that, you cannot automate it).

So, in order to deploy the Cloud Service you’ll need to create a Management Certificate account. Hope that helps and let me know if I can assist further.

Regards
Shannon

Hi Shannon,

thanks for the explanation and i thought that might be the case but just
couldn’t/hadn’t found any documentation that suggested this.

so, i already started to creating a management certificate just to try the
alternative. unfortunately i’m getting the message that the certificate is
not valid or associated with the subscription. i followed the instructions
on octopus and i have loaded the cert to the cloud service in the
subscription. i did not set/create a password on the cert. does it take
time after uploading to azure for it to work? or, is there something else
you think i’ve done wrong?

thanks
Lane

Hi Lane,

I don’t recall there being any period of time to wait for the certificate to work. Can I just check what you meant by “loaded the cert to the cloud service in the subscription”? You should just have to get Octopus to generate the certificate and then download it locally and upload into the old Azure portal. (In case it isn’t obvious, on the page for the account where it has 1. Download the certificate public key, the thumbprint value in bold on the next line is actually the hyperlink to download the certificate file that you need to upload to Azure.)

Can you confirm whether the certificate appears in the settings section of the subscription, per the last screenshot in this section of the documentation?

Regards
Shannon

in the new azure portal all i found related to certs was under cloud services (see attached azure.cloudservice.certs.png - attached) so i took a stab at uploading the cert there. the octo documentation shows the classic azure portal - when i try to logon to the classic portal i’m told i’m not an admin or co-admin of any subscriptions. so i’ll have to consult with my infrastructure team.

thanks,
Lane

azure.cloudservice.certs.png764×941 59.8 KB

azure-classic.PNG903×757 60.1 KB

Hi Lane,

Thanks for clarifying, I haven’t used Cloud Services in a non-dev environment, so hadn’t actually come across that Certificates section. In the old portal the certificates actually go against the subscription itself and can be used for accessing the subscription to do deployments etc, whereas I think those ones listed against the Cloud Service are ones available to it to use.

As I mentioned in the earlier email, we’ve had talks with Microsoft about Cloud Services as we have a number of customers using them and having issues. Their position was that Cloud Services are no longer under active development, and haven’t been for quite a while, and they highly recommend moving to Service Fabric.

Regards
Shannon