Certificate errors when trying to connect to octopus cloud server from bitbucket

gregg_nicholson 1 June 2020 05:23 1

Hi, I have a build pipeline setup in Bitbucket but when Bitbucket attempts to connect to the OctopusServer I’m getting the following error:

Detected automation environment: “BitBucket”
The following certificate errors were encountered when establishing the HTTPS connection to the server: RemoteCertificateChainErrors
Certificate subject name: CN=*.octopus.app

Final exception that is thrown is:

System.Exception: Unable to connect to the Octopus Deploy server. See the inner exception for details. ---> System.Net.Http.HttpRequestException: The SSL connection could not be established, see inner exception. ---> System.Security.Authentication.AuthenticationException: The remote certificate is invalid according to the validation procedure.

at System.Net.Security.SslState.StartSendAuthResetSignal(ProtocolToken message, AsyncProtocolRequest asyncRequest, ExceptionDispatchInfo exception)

at System.Net.Security.SslState.CheckCompletionBeforeNextReceive(ProtocolToken message, AsyncProtocolRequest asyncRequest)

at System.Net.Security.SslState.StartSendBlob(Byte[] incoming, Int32 count, AsyncProtocolRequest asyncRequest)

at System.Net.Security.SslState.ProcessReceivedBlob(Byte[] buffer, Int32 count, AsyncProtocolRequest asyncRequest)

at System.Net.Security.SslState.StartReadFrame(Byte[] buffer, Int32 readBytes, AsyncProtocolRequest asyncRequest)

at System.Net.Security.SslState.StartReceiveBlob(Byte[] buffer, AsyncProtocolRequest asyncRequest)

at System.Net.Security.SslState.CheckCompletionBeforeNextReceive(ProtocolToken message, AsyncProtocolRequest asyncRequest)

at System.Net.Security.SslState.StartSendBlob(Byte[] incoming, Int32 count, AsyncProtocolRequest asyncRequest)

at System.Net.Security.SslState.ProcessReceivedBlob(Byte[] buffer, Int32 count, AsyncProtocolRequest asyncRequest)

at System.Net.Security.SslState.StartReadFrame(Byte[] buffer, Int32 readBytes, AsyncProtocolRequest asyncRequest)

at System.Net.Security.SslState.StartReceiveBlob(Byte[] buffer, AsyncProtocolRequest asyncRequest)

at System.Net.Security.SslState.CheckCompletionBeforeNextReceive(ProtocolToken message, AsyncProtocolRequest asyncRequest)

at System.Net.Security.SslState.StartSendBlob(Byte[] incoming, Int32 count, AsyncProtocolRequest asyncRequest)

at System.Net.Security.SslState.ProcessReceivedBlob(Byte[] buffer, Int32 count, AsyncProtocolRequest asyncRequest)

at System.Net.Security.SslState.StartReadFrame(Byte[] buffer, Int32 readBytes, AsyncProtocolRequest asyncRequest)

at System.Net.Security.SslState.PartialFrameCallback(AsyncProtocolRequest asyncRequest)

--- End of stack trace from previous location where exception was thrown ---

at System.Net.Security.SslState.ThrowIfExceptional()

at System.Net.Security.SslState.InternalEndProcessAuthentication(LazyAsyncResult lazyResult)

at System.Net.Security.SslState.EndProcessAuthentication(IAsyncResult result)

at System.Net.Security.SslStream.EndAuthenticateAsClient(IAsyncResult asyncResult)

at System.Net.Security.SslStream.<>c.<AuthenticateAsClientAsync>b__47_1(IAsyncResult iar)

at System.Threading.Tasks.TaskFactory1.FromAsyncCoreLogic(IAsyncResult iar, Func2 endFunction, Action1 endAction, Task1 promise, Boolean requiresSynchronization)

--- End of stack trace from previous location where exception was thrown ---

at System.Net.Http.ConnectHelper.EstablishSslConnectionAsyncCore(Stream stream, SslClientAuthenticationOptions sslOptions, CancellationToken cancellationToken)

--- End of inner exception stack trace ---

at System.Net.Http.ConnectHelper.EstablishSslConnectionAsyncCore(Stream stream, SslClientAuthenticationOptions sslOptions, CancellationToken cancellationToken)

at System.Threading.Tasks.ValueTask1.get_Result()`

at System.Net.Http.HttpConnectionPool.CreateConnectionAsync(HttpRequestMessage request, CancellationToken cancellationToken)

at System.Threading.Tasks.ValueTask1.get_Result()`

at System.Net.Http.HttpConnectionPool.WaitForCreatedConnectionAsync(ValueTask1 creationTask)`

at System.Threading.Tasks.ValueTask1.get_Result()`

at System.Net.Http.HttpConnectionPool.SendWithRetryAsync(HttpRequestMessage request, Boolean doRequestAuth, CancellationToken cancellationToken)

at System.Net.Http.AuthenticationHelper.SendWithAuthAsync(HttpRequestMessage request, Uri authUri, ICredentials credentials, Boolean preAuthenticate, Boolean isProxyAuth, Boolean doRequestAuth, HttpConnectionPool pool, CancellationToken cancellationToken)

at System.Net.Http.RedirectHandler.SendAsync(HttpRequestMessage request, CancellationToken cancellationToken)

at System.Net.Http.HttpClient.FinishSendAsyncBuffered(Task1 sendTask, HttpRequestMessage request, CancellationTokenSource cts, Boolean disposeCts)`

at Octopus.Client.OctopusAsyncClient.DispatchRequest[TResponseResource](OctopusRequest request, Boolean readResponse)

at Octopus.Client.OctopusAsyncClient.Get[TResource](String path, Object pathParameters)

at Octopus.Client.OctopusAsyncRepository.LoadRootDocumentInner()

--- End of inner exception stack trace ---

at Octopus.Client.OctopusAsyncRepository.LoadRootDocumentInner()

at Octopus.Client.OctopusAsyncClient.Create(OctopusServerEndpoint serverEndpoint, OctopusClientOptions options, Boolean addHandler, String requestingTool)

at Octopus.Client.OctopusAsyncClient.Create(OctopusServerEndpoint serverEndpoint, OctopusClientOptions options, String requestingTool)

at Octopus.Cli.Commands.ApiCommand.Execute(String[] commandLineArguments) in C:\buildAgent\work\289bf0fca31007af\source\Octopus.Cli\Commands\ApiCommand.cs:line 178

at Octopus.Cli.CliProgram.Run(String[] args) in C:\buildAgent\work\289bf0fca31007af\source\Octopus.Cli\CliProgram.cs:line 52

Exit code: -3

My pipeline is using the octo:6.17.3-alpine image. I’ve tried adding --ignoreSslErrors argument to my command line but still getting the same error. Disabling HSTS makes no difference either. This was working 2 days ago and no changes have been made so I fail to understand why this has stopped working.

Any help would be appreciated.

Thanks
Gregg

Urgent: TeamCIty Plugin RemoteCertificateChainErrors

paul.calvert (Paul Calvert) 1 June 2020 07:03 2

Hi Gregg,

Thanks for getting n touch!

This is likely caused by an intermediate certificate that expired on our side. This has been updated, however, it requires a reprovision of your instance to apply.
If you let me know your instance name I can trigger a reprovision for you. This will involve some downtime whilst the instance rebuilds, so if this isn’t convenient for you right now I can schedule it for your maintenance period instead.

I look forward to hearing from you.

Regards,
Paul

paul.calvert (Paul Calvert) 1 June 2020 07:36 4

Hi Gregg,

The reprovision has completed now if you want to re-try your build again.

Regards,
Paul

gregg_nicholson 1 June 2020 07:43 5

That’s fixed it. Thanks very much. Is this something that you foresee happening again?

paul.calvert (Paul Calvert) 1 June 2020 07:58 6

We don’t see this being a common issue, there are full details of the issue here: https://support.sectigo.com/Com_KnowledgeDetailPage?Id=kA03l00000117LT

richa.khurana (Richa Khurana) 1 June 2020 17:41 7

Hello Team,

This is happening for us as well. Is there a way that we can re-provision it ourselves, If not, can you do that for us also?

jeremy.miller (Jeremy Miller) 1 June 2020 18:43 8

Hi Richa,

Welcome to the Octopus Forums!

Sorry to hear you’re having issues. I can handle that for you. Can you please either reply with your cloud server address or send it to me in a DM if privacy is a concern? You will see an outage of 5-15 minutes, is that okay?

Thanks,
Jeremy

richa.khurana (Richa Khurana) 1 June 2020 18:56 10

Hi Jeremy,

Thanks for your response. I dropped an email to support box and Justin Walsh is looking into that.
Thanks for your help again.

Regards,
Richa

jeremy.miller (Jeremy Miller) 1 June 2020 18:57 11

Thanks for the update. Justin will definitely get you going again. Have a good rest of your week.

TFN 2 June 2020 11:11 12

Hi Jeremy,

Looks like we have the same problem from Azure DevOps to Octopus:

Cannot find the project with name or id 'Error: certificate has expired'. Please check the spelling and that you have permissions to view it. Please use Configuration > Test Permissions to confirm.

This error is most likely occurring while executing octo as part of an automated build process. The following doc is recommended to get some tips on how to troubleshoot this: https://g.octopushq.com/OctoexeTroubleshooting

Exit code: -

Can you re-provision our environment as well?

Best regards,
Mark

Edit: Thanks for re-provisioning our environment Paul, this solved the problem.

paul.calvert (Paul Calvert) 2 June 2020 11:12 13

Hi @TFN,

We’ll need your instance name to be able to reprovision it.
The reprovision will involve about 10 minutes of downtime, are you happy for us to go ahead and do this straight away?

Regards,
Paul

rutger (Rutger) 2 June 2020 13:44 15

We’ve got the same issue. I’ve sent you a DM with our instance name, Paul – thanks in advance for reprovisioning!

Edit: Thanks Paul, all good now!

paul.calvert (Paul Calvert) 2 June 2020 14:37 16

If anybody else runs into this issue, the quickest way to reach out to us is to email your instance name (xxxxx.octopus.app) to support@octopus.com and advise whether you are happy for the instance to be immediately reprovisioned (around 10 minutes of downtime).

system (system) Closed 25 July 2020 14:20 19

This topic was automatically closed 31 days after the last reply. New replies are no longer allowed.