Certificate errors when trying to connect to octopus cloud server from bitbucket

Hi, I have a build pipeline setup in Bitbucket but when Bitbucket attempts to connect to the OctopusServer I’m getting the following error:

Detected automation environment: “BitBucket”
The following certificate errors were encountered when establishing the HTTPS connection to the server: RemoteCertificateChainErrors
Certificate subject name: CN=*.octopus.app

Final exception that is thrown is:

System.Exception: Unable to connect to the Octopus Deploy server. See the inner exception for details. ---> System.Net.Http.HttpRequestException: The SSL connection could not be established, see inner exception. ---> System.Security.Authentication.AuthenticationException: The remote certificate is invalid according to the validation procedure.

at System.Net.Security.SslState.StartSendAuthResetSignal(ProtocolToken message, AsyncProtocolRequest asyncRequest, ExceptionDispatchInfo exception)

at System.Net.Security.SslState.CheckCompletionBeforeNextReceive(ProtocolToken message, AsyncProtocolRequest asyncRequest)

at System.Net.Security.SslState.StartSendBlob(Byte[] incoming, Int32 count, AsyncProtocolRequest asyncRequest)

at System.Net.Security.SslState.ProcessReceivedBlob(Byte[] buffer, Int32 count, AsyncProtocolRequest asyncRequest)

at System.Net.Security.SslState.StartReadFrame(Byte[] buffer, Int32 readBytes, AsyncProtocolRequest asyncRequest)

at System.Net.Security.SslState.StartReceiveBlob(Byte[] buffer, AsyncProtocolRequest asyncRequest)

at System.Net.Security.SslState.CheckCompletionBeforeNextReceive(ProtocolToken message, AsyncProtocolRequest asyncRequest)

at System.Net.Security.SslState.StartSendBlob(Byte[] incoming, Int32 count, AsyncProtocolRequest asyncRequest)

at System.Net.Security.SslState.ProcessReceivedBlob(Byte[] buffer, Int32 count, AsyncProtocolRequest asyncRequest)

at System.Net.Security.SslState.StartReadFrame(Byte[] buffer, Int32 readBytes, AsyncProtocolRequest asyncRequest)

at System.Net.Security.SslState.StartReceiveBlob(Byte[] buffer, AsyncProtocolRequest asyncRequest)

at System.Net.Security.SslState.CheckCompletionBeforeNextReceive(ProtocolToken message, AsyncProtocolRequest asyncRequest)

at System.Net.Security.SslState.StartSendBlob(Byte[] incoming, Int32 count, AsyncProtocolRequest asyncRequest)

at System.Net.Security.SslState.ProcessReceivedBlob(Byte[] buffer, Int32 count, AsyncProtocolRequest asyncRequest)

at System.Net.Security.SslState.StartReadFrame(Byte[] buffer, Int32 readBytes, AsyncProtocolRequest asyncRequest)

at System.Net.Security.SslState.PartialFrameCallback(AsyncProtocolRequest asyncRequest)

--- End of stack trace from previous location where exception was thrown ---

at System.Net.Security.SslState.ThrowIfExceptional()

at System.Net.Security.SslState.InternalEndProcessAuthentication(LazyAsyncResult lazyResult)

at System.Net.Security.SslState.EndProcessAuthentication(IAsyncResult result)

at System.Net.Security.SslStream.EndAuthenticateAsClient(IAsyncResult asyncResult)

at System.Net.Security.SslStream.<>c.<AuthenticateAsClientAsync>b__47_1(IAsyncResult iar)

at System.Threading.Tasks.TaskFactory`1.FromAsyncCoreLogic(IAsyncResult iar, Func`2 endFunction, Action`1 endAction, Task`1 promise, Boolean requiresSynchronization)

--- End of stack trace from previous location where exception was thrown ---

at System.Net.Http.ConnectHelper.EstablishSslConnectionAsyncCore(Stream stream, SslClientAuthenticationOptions sslOptions, CancellationToken cancellationToken)

--- End of inner exception stack trace ---

at System.Net.Http.ConnectHelper.EstablishSslConnectionAsyncCore(Stream stream, SslClientAuthenticationOptions sslOptions, CancellationToken cancellationToken)

at System.Threading.Tasks.ValueTask`1.get_Result()

at System.Net.Http.HttpConnectionPool.CreateConnectionAsync(HttpRequestMessage request, CancellationToken cancellationToken)

at System.Threading.Tasks.ValueTask`1.get_Result()

at System.Net.Http.HttpConnectionPool.WaitForCreatedConnectionAsync(ValueTask`1 creationTask)

at System.Threading.Tasks.ValueTask`1.get_Result()

at System.Net.Http.HttpConnectionPool.SendWithRetryAsync(HttpRequestMessage request, Boolean doRequestAuth, CancellationToken cancellationToken)

at System.Net.Http.AuthenticationHelper.SendWithAuthAsync(HttpRequestMessage request, Uri authUri, ICredentials credentials, Boolean preAuthenticate, Boolean isProxyAuth, Boolean doRequestAuth, HttpConnectionPool pool, CancellationToken cancellationToken)

at System.Net.Http.RedirectHandler.SendAsync(HttpRequestMessage request, CancellationToken cancellationToken)

at System.Net.Http.HttpClient.FinishSendAsyncBuffered(Task`1 sendTask, HttpRequestMessage request, CancellationTokenSource cts, Boolean disposeCts)

at Octopus.Client.OctopusAsyncClient.DispatchRequest[TResponseResource](OctopusRequest request, Boolean readResponse)

at Octopus.Client.OctopusAsyncClient.Get[TResource](String path, Object pathParameters)

at Octopus.Client.OctopusAsyncRepository.LoadRootDocumentInner()

--- End of inner exception stack trace ---

at Octopus.Client.OctopusAsyncRepository.LoadRootDocumentInner()

at Octopus.Client.OctopusAsyncClient.Create(OctopusServerEndpoint serverEndpoint, OctopusClientOptions options, Boolean addHandler, String requestingTool)

at Octopus.Client.OctopusAsyncClient.Create(OctopusServerEndpoint serverEndpoint, OctopusClientOptions options, String requestingTool)

at Octopus.Cli.Commands.ApiCommand.Execute(String[] commandLineArguments) in C:\buildAgent\work\289bf0fca31007af\source\Octopus.Cli\Commands\ApiCommand.cs:line 178

at Octopus.Cli.CliProgram.Run(String[] args) in C:\buildAgent\work\289bf0fca31007af\source\Octopus.Cli\CliProgram.cs:line 52

Exit code: -3

My pipeline is using the octo:6.17.3-alpine image. I’ve tried adding --ignoreSslErrors argument to my command line but still getting the same error. Disabling HSTS makes no difference either. This was working 2 days ago and no changes have been made so I fail to understand why this has stopped working.

Any help would be appreciated.

Thanks
Gregg

Hi Gregg,

Thanks for getting in touch!

This is likely caused by an intermediate certificate that expired on our side. This has been updated, however, it requires a reprovision of your instance to apply.
If you let me know your instance name I can trigger a reprovision for you. This will involve some downtime whilst the instance rebuilds, so if this isn’t convenient for you right now I can schedule it for your maintenance period instead.

I look forward to hearing from you.

Regards,
Paul
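
An added example (not part of the original thread, and not Octopus tooling): when a client reports RemoteCertificateChainErrors, listing the validity of every certificate in the chain the server presents shows whether the leaf or an intermediate is the one that has expired or is about to. The function names are hypothetical, and the sample bundle is two constructed self-signed certificates standing in for a chain, since only their expiry dates matter here.

```shell
#!/bin/sh
# Added example: flag certificates in a PEM bundle that are expired or that
# expire within WINDOW seconds. A served chain can be saved for checking with:
#   openssl s_client -connect HOST:443 -servername HOST -showcerts </dev/null > chain.pem

check_chain_expiry() (   # usage: check_chain_expiry BUNDLE.pem [WINDOW_SECONDS]
  bundle=$1; window=${2:-0}; flagged=0
  tmp=$(mktemp -d) || exit 2
  # Split the bundle into one file per certificate, skipping text between blocks.
  awk -v dir="$tmp" '
    /-----BEGIN CERTIFICATE-----/ { out = sprintf("%s/cert%02d.pem", dir, ++n) }
    out != ""                     { print > out }
    /-----END CERTIFICATE-----/   { close(out); out = "" }
  ' "$bundle"
  for c in "$tmp"/cert*.pem; do
    [ -e "$c" ] || continue
    # -checkend exits non-zero when the certificate expires within the window.
    if openssl x509 -in "$c" -noout -checkend "$window" >/dev/null 2>&1; then
      printf 'OK      '
    else
      printf 'EXPIRES '; flagged=$((flagged + 1))
    fi
    openssl x509 -in "$c" -noout -subject -enddate | tr '\n' ' '; echo
  done
  rm -rf "$tmp"
  [ "$flagged" -eq 0 ]   # exit status: 0 = nothing flagged, 1 = at least one flagged
)

# Constructed sample input: two throwaway self-signed certificates, one valid
# for ten years and one for a single day. They are not a real issuing chain.
make_sample_bundle() (   # usage: make_sample_bundle OUT.pem
  key=$(mktemp) || exit 2
  : > "$1"
  for days in 3650 1; do
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$key" \
      -subj "/CN=constructed-${days}-day-cert" -days "$days" >> "$1" 2>/dev/null
  done
  rm -f "$key"
)

# Demo: report anything in the sample bundle that expires within 30 days.
sample=$(mktemp)
make_sample_bundle "$sample"
check_chain_expiry "$sample" 2592000 || echo "at least one certificate expires within 30 days"
rm -f "$sample"
```

Run with a window of 0 to report only certificates that have already expired; a non-zero exit status makes the check usable as a pipeline gate.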

Hi Gregg,

The reprovision has completed now if you want to re-try your build again.

Regards,
Paul

That’s fixed it. Thanks very much. Is this something that you foresee happening again?

We don’t see this being a common issue, there are full details of the issue here: https://support.sectigo.com/Com_KnowledgeDetailPage?Id=kA03l00000117LT

Hello Team,

This is happening for us as well. Is there a way that we can re-provision it ourselves? If not, can you do that for us also?

Hi Richa,

Welcome to the Octopus Forums!

Sorry to hear you’re having issues. I can handle that for you. Can you please either reply with your cloud server address or send it to me in a DM if privacy is a concern? You will see an outage of 5-15 minutes, is that okay?

Thanks,
Jeremy

Hi Jeremy,

Thanks for your response. I dropped an email to support box and Justin Walsh is looking into that.
Thanks for your help again.

Regards,
Richa

Thanks for the update. Justin will definitely get you going again. Have a good rest of your week.

Hi Jeremy,

Looks like we have the same problem from Azure DevOps to Octopus:

Cannot find the project with name or id 'Error: certificate has expired'. Please check the spelling and that you have permissions to view it. Please use Configuration > Test Permissions to confirm.

This error is most likely occurring while executing octo as part of an automated build process. The following doc is recommended to get some tips on how to troubleshoot this: https://g.octopushq.com/OctoexeTroubleshooting

Exit code: -

Can you re-provision our environment as well?

Best regards,
Mark

Edit: Thanks for re-provisioning our environment Paul, this solved the problem.

Hi @TFN,

We’ll need your instance name to be able to reprovision it.
The reprovision will involve about 10 minutes of downtime, are you happy for us to go ahead and do this straight away?

Regards,
Paul

We’ve got the same issue. I’ve sent you a DM with our instance name, Paul – thanks in advance for reprovisioning!

Edit: Thanks Paul, all good now!

If anybody else runs into this issue, the quickest way to reach out to us is to email your instance name (xxxxx.octopus.app) to support@octopus.com and advise whether you are happy for the instance to be immediately reprovisioned (around 10 minutes of downtime).