Change tentacle thumprint

Hello,

On my project, we perform on daily basis actions into an Windows AWS EC2 instance using a tentacle. After all the actions are done, we create an AMI that is used later on as a base for our different servers. What we have faced is that when we create a new instance base in the base AMI and we want to perform specific actions using a tentacle, the tentacle has already a thumbprint that is equal to the thumbprint of the base AMI. That is an issue because when we deregister the tentacle we deregister other tentacles with the same thumbprint.

This is the script that we use to configure the tentacles:

choco uninstall octopusdeploy.tentacle -y
choco install octopusdeploy.tentacle -y --version $tentacleVersion

$ipAddress = (Get-NetAdapter | ? status -eq ‘up’ | Get-NetIPAddress -ea 0 | ? addressfamily -eq ‘IPv4’).IPAddress
cd “${env:ProgramFiles}\Octopus Deploy\Tentacle”
& .\Tentacle.exe create-instance --instance “Tentacle” --config $tentacleConfigFile --console
& .\Tentacle.exe new-certificate --instance “Tentacle” --if-blank --console
& .\Tentacle.exe configure --instance “Tentacle” --trust $octopusServerThumbprint --console
& .\Tentacle.exe configure --instance “Tentacle” --home $tentacleHomeDirectory --console
& .\Tentacle.exe configure --instance “Tentacle” --app $tentacleAppDirectory --console
& .\Tentacle.exe configure --instance “Tentacle” --port $tentacleListenPort --noListen “True” --console
& .\Tentacle.exe register-with --instance “Tentacle” --server $octopusServerUrl --environment $environment --role $role --name $env:COMPUTERNAME --publicHostName $ipAddress --apiKey $apiKey --comms-style TentacleActive --policy ‘Time&Roster Automatic machines clean up’ --force --console
& .\Tentacle.exe service --instance “Tentacle” --install --start --console

We use the next command to deregister the tentacle once all the needed actions are performed

cd “${env:ProgramFiles}\Octopus Deploy\Tentacle”
& .\Tentacle.exe deregister-from --instance “Tentacle” --server $OctopusParameters[“Tentacle.OctopusServerUrl”] --apiKey $OctopusParameters[“Tentacle.ApiKey”] --multiple --console

Which would be the best way to handle this situation? could be possible to modify the thumbprint of the new servers?

I tried using the new-certificate command without the --if-blank option as indicated below

& .\Tentacle.exe new-certificate --instance “Tentacle” --console

However, when I do this, the register command did not work and we have the next error

Could not find a part of the path ‘C:\Windows\system32\config\systemprofile\AppData\Local\Temp\Octo-45fe21a0-a24c-4db6-a139-ac3933a1c555’.
System.IO.DirectoryNotFoundException: Could not find a part of the path ‘C:\Windows\system32\config\systemprofile\AppData\Local\Temp\Octo-45fe21a0-a24c-4db6-a139-ac3933a1c555’.
at System.IO.__Error.WinIOError(Int32 errorCode, String maybeFullPath)
at System.IO.File.InternalDelete(String path, Boolean checkHost)
at Octopus.Shared.Security.Certificates.CertificateEncoder.DoFromBase64String(String thumbprint, String certificateString, X509Store store) in Y:\Work\refs\tags\3.3.26\source\Octopus.Shared\Security\Certificates\CertificateEncoder.cs:line 108
at Octopus.Shared.Configuration.TentacleConfiguration.get_TentacleCertificate() in Y:\Work\refs\tags\3.3.26\source\Octopus.Shared\Configuration\TentacleConfiguration.cs:line 97
at Octopus.Tentacle.Commands.RegisterMachineCommand.Start() in Y:\Work\refs\tags\3.3.26\source\Octopus.Tentacle\Commands\RegisterMachineCommand.cs:line 65
at Octopus.Shared.Startup.AbstractCommand.Octopus.Shared.Startup.ICommand.Start(String commandLineArguments, ICommandRuntime commandRuntime, OptionSet commonOptions) in Y:\Work\refs\tags\3.3.26\source\Octopus.Shared\Startup\AbstractCommand.cs:line 58
at Octopus.Shared.Startup.OctopusProgram.Start(ICommandRuntime commandRuntime) in Y:\Work\refs\tags\3.3.26\source\Octopus.Shared\Startup\OctopusProgram.cs:line 221
at Octopus.Shared.Startup.ConsoleHost.Run(Action`1 start, Action shutdown) in Y:\Work\refs\tags\3.3.26\source\Octopus.Shared\Startup\ConsoleHost.cs:line 72
at Octopus.Shared.Startup.OctopusProgram.Run() in Y:\Work\refs\tags\3.3.26\source\Octopus.Shared\Startup\OctopusProgram.cs:line 94

Could you please with this case?

Thank you very much in advance.

Hi Daniel,
Thanks for getting in touch! I’m sorry to hear you are seeing issues with duplicate Tentacle thumbprints when creating new EC2 Instances from AMIs where a Tentacle has previously been installed and removed.

When the Octopus Tentacle Manager creates a new Tentacle Instance, it also generates a unique per-machine certificate, located in your C:\Octopus\Tentacle.config file, under “Tentacle.Certificate”.

Normally when the Octopus Tentacle Manager removes a Tentacle Instance, it will leave the Tentacle.config file on disk, preserving the Tentacle.Certificate. I believe you could be running into a situation where your new Octopus Tentacles are picking up the existing Tentacle.Config file and are using the existing certificate.

One potential option which could help here could be to Manually uninstall the Tentacle, this will ensure that you have no traces of the existing Tentacle Certificate on your clones.

One other option which comes to mind here could be to make use of other automation tools like OctopusDSC to install your Octopus Tentacles directly onto your clones. The documenation I linked is a good place to start, but please feel free to reach out if there are any questions that come out of it.

I’m also interested to see that your new-certificate command has failed. One option here could be to generate a new certificate with the --export-pfx switch. This would allow you to export the certificate to a known location. From here you would be able to use the import-certificate using the output of the PFX file as your --from-file option. For more information on a working example of this procedure, please feel free to check out the documentation on Custom Certificates

Please feel to keep in touch if you have any further questions and I’m interested to know if this has helped.

Kind regards,
Lawrence.

Hello Lawrence.

Thank you very much for your answer. I have tried to remove the previous tentacle configuration by executing this script

#-Delete tentacle instance and windows service
if (Test-Path “${env:ProgramFiles}\Octopus Deploy\Tentacle\Tentacle.exe”)
{
& “${env:ProgramFiles}\Octopus Deploy\Tentacle\Tentacle.exe” show-thumbprint --instance “Tentacle” --console

#Delete tentacle instance
& “${env:ProgramFiles}\Octopus Deploy\Tentacle\Tentacle.exe” delete-instance --console --instance “Tentacle”
}

#-Delete windows service
$TentacleService = Get-WmiObject -Class Win32_Service -Filter “Name=‘OctopusDeploy Tentacle’”
if ( ($TentacleService|Measure-Object).count -ge 1)
{
$TentacleService | ForEach-Object{$.StopService() ; $.Delete()}
}

#-Remove Octopus home folder
if (Test-Path “$env:SystemDrive\Octopus”)
{
Remove-Item -Path “$env:SystemDrive\Octopus” -Force -Recurse
}

#-Remove Octopus registry entries
if (Test-Path -Path “HKLM:\Software\Octopus”)
{
Remove-Item -Path “HKLM:\Software\Octopus” -Recurse
}

#-Remove other Octopus folders
if (Test-Path -Path “$env:ProgramData\Octopus”)
{
Remove-Item -Path “$env:ProgramData\Octopus” -Recurse
}

if (Test-Path -Path “$env:LOCALAPPDATA\Octopus”)
{
Remove-Item -Path “$env:LOCALAPPDATA\Octopus” -Recurse
}

#-Remove certificates
if (Test-Path -Path “Cert:\LocalMachine\Octopus”)
{
Remove-Item -Path “Cert:\LocalMachine\Octopus*” -Recurse
}

if (Test-Path -Path “Cert:\CurrentUser\Octopus”)
{
Remove-Item -Path “Cert:\CurrentUser\Octopus*” -Recurse
}

#-Uninstall tentacle using choco
choco uninstall octopusdeploy.tentacle -y -a

One note is that we are using choco to install the tentacle. After the previous code is executed we use the next one to install and configure the tentacle again

#-Install Octopus Deploy Server
choco install octopusdeploy.tentacle -y --version $tentacleVersion

#Configure Octopus Tentacle
$ipAddress = (Get-NetAdapter | ? status -eq ‘up’ | Get-NetIPAddress -ea 0 | ? addressfamily -eq ‘IPv4’).IPAddress
cd “${env:ProgramFiles}\Octopus Deploy\Tentacle”
& .\Tentacle.exe create-instance --instance “Tentacle” --config $tentacleConfigFile --console
& .\Tentacle.exe new-certificate --instance “Tentacle” --if-blank --console
& .\Tentacle.exe show-thumbprint --instance “Tentacle” --console
& .\Tentacle.exe configure --instance “Tentacle” --trust $octopusServerThumbprint --console
& .\Tentacle.exe configure --instance “Tentacle” --home $tentacleHomeDirectory --console
& .\Tentacle.exe configure --instance “Tentacle” --app $tentacleAppDirectory --console
& .\Tentacle.exe configure --instance “Tentacle” --port $tentacleListenPort --noListen “True” --console
& .\Tentacle.exe register-with --instance “Tentacle” --server $octopusServerUrl --environment $environment --role $role --name $env:COMPUTERNAME --publicHostName $ipAddress --apiKey $apiKey --comms-style TentacleActive --policy $machinePolicy --force --console
& .\Tentacle.exe service --instance “Tentacle” --install --start --console

However, it still does not seems to work even when the new certificate has been created. After the new-certificate command the next message was generated

Octopus Deploy: Tentacle version 3.4.0 (3.4.0+Branch.master.Sha.d4504103f2c91984e971b32865aedd3f6007346d)
A new certificate has been generated and installed. Thumbprint:
8449084CFEE5C6566B0CDB01AE39ECC9C16E0F64

Immediately after this I tried to get the new certificate with show-thumbprint but I received the next message.

Octopus Deploy: Tentacle version 3.4.0 (3.4.0+Branch.master.Sha.d4504103f2c91984e971b32865aedd3f6007346d)

Error: Could not find a part of the path ‘C:\Windows\system32\config\systemprofile\AppData\Local\Temp\Octo-90b626b1-8a54-4b47-9622-301622cf6f20’.

Full error details are available in the log files.
At: C:\Windows\system32\config\systemprofile\AppData\Local\Octopus\Logs

Could not find a part of the path ‘C:\Windows\system32\config\systemprofile\AppData\Local\Temp\Octo-90b626b1-8a54-4b47-9622-301622cf6f20’.
System.IO.DirectoryNotFoundException: Could not find a part of the path ‘C:\Windows\system32\config\systemprofile\AppData\Local\Temp\Octo-90b626b1-8a54-4b47-9622-301622cf6f20’.
at System.IO.__Error.WinIOError(Int32 errorCode, String maybeFullPath)
at System.IO.File.InternalDelete(String path, Boolean checkHost)
at Octopus.Shared.Security.Certificates.CertificateEncoder.DoFromBase64String(String thumbprint, String certificateString, X509Store store) in Y:\Work\refs\tags\3.4.0\source\Octopus.Shared\Security\Certificates\CertificateEncoder.cs:line 108
at Octopus.Shared.Configuration.TentacleConfiguration.get_TentacleCertificate() in Y:\Work\refs\tags\3.4.0\source\Octopus.Shared\Configuration\TentacleConfiguration.cs:line 117
at Octopus.Tentacle.Commands.ShowThumbprintCommand.Start() in Y:\Work\refs\tags\3.4.0\source\Octopus.Tentacle\Commands\ShowThumbprintCommand.cs:line 29
at Octopus.Shared.Startup.AbstractCommand.Octopus.Shared.Startup.ICommand.Start(String commandLineArguments, ICommandRuntime commandRuntime, OptionSet commonOptions) in Y:\Work\refs\tags\3.4.0\source\Octopus.Shared\Startup\AbstractCommand.cs:line 58
at Octopus.Shared.Startup.OctopusProgram.Start(ICommandRuntime commandRuntime) in Y:\Work\refs\tags\3.4.0\source\Octopus.Shared\Startup\OctopusProgram.cs:line 221
at Octopus.Shared.Startup.ConsoleHost.Run(Action`1 start, Action shutdown) in Y:\Work\refs\tags\3.4.0\source\Octopus.Shared\Startup\ConsoleHost.cs:line 72
at Octopus.Shared.Startup.OctopusProgram.Run() in Y:\Work\refs\tags\3.4.0\source\Octopus.Shared\Startup\OctopusProgram.cs:line 94
Octopus Deploy: Tentacle version 3.4.0 (3.4.0+Branch.master.Sha.d4504103f2c91984e971b32865aedd3f6007346d)

And the next message was generated after trying to register the tentacle with the command register-with

Octopus Deploy: Tentacle version 3.4.0 (3.4.0+Branch.master.Sha.d4504103f2c91984e971b32865aedd3f6007346d)

Error: Could not find a part of the path ‘C:\Windows\system32\config\systemprofile\AppData\Local\Temp\Octo-5016834d-6662-44da-9a5f-a8772f123e7a’.

Full error details are available in the log files.
At: C:\Windows\system32\config\systemprofile\AppData\Local\Octopus\Logs

Could not find a part of the path ‘C:\Windows\system32\config\systemprofile\AppData\Local\Temp\Octo-5016834d-6662-44da-9a5f-a8772f123e7a’.
System.IO.DirectoryNotFoundException: Could not find a part of the path ‘C:\Windows\system32\config\systemprofile\AppData\Local\Temp\Octo-5016834d-6662-44da-9a5f-a8772f123e7a’.
at System.IO.__Error.WinIOError(Int32 errorCode, String maybeFullPath)
at System.IO.File.InternalDelete(String path, Boolean checkHost)
at Octopus.Shared.Security.Certificates.CertificateEncoder.DoFromBase64String(String thumbprint, String certificateString, X509Store store) in Y:\Work\refs\tags\3.4.0\source\Octopus.Shared\Security\Certificates\CertificateEncoder.cs:line 108
at Octopus.Shared.Configuration.TentacleConfiguration.get_TentacleCertificate() in Y:\Work\refs\tags\3.4.0\source\Octopus.Shared\Configuration\TentacleConfiguration.cs:line 117
at Octopus.Tentacle.Commands.RegisterMachineCommand.Start() in Y:\Work\refs\tags\3.4.0\source\Octopus.Tentacle\Commands\RegisterMachineCommand.cs:line 71
at Octopus.Shared.Startup.AbstractCommand.Octopus.Shared.Startup.ICommand.Start(String commandLineArguments, ICommandRuntime commandRuntime, OptionSet commonOptions) in Y:\Work\refs\tags\3.4.0\source\Octopus.Shared\Startup\AbstractCommand.cs:line 58
at Octopus.Shared.Startup.OctopusProgram.Start(ICommandRuntime commandRuntime) in Y:\Work\refs\tags\3.4.0\source\Octopus.Shared\Startup\OctopusProgram.cs:line 221
at Octopus.Shared.Startup.ConsoleHost.Run(Action`1 start, Action shutdown) in Y:\Work\refs\tags\3.4.0\source\Octopus.Shared\Startup\ConsoleHost.cs:line 72
at Octopus.Shared.Startup.OctopusProgram.Run() in Y:\Work\refs\tags\3.4.0\source\Octopus.Shared\Startup\OctopusProgram.cs:line 94

I still have to try using the export and import option but maybe all this information can give you ay clue of which can be the problem. Might be that the user used when running the script lack some kind of permissions? The script is running as part of the userdata script when initializing a Windows AWS EC2 instance. The interesting fact is that is I connect to the instance as Administrator I am able to execute the command “show-thumbprint --instance “Tentacle” --console” and get the thumbprint.

Could the root of the issue be in the version of tentacle we are using (3.4.0)?

Thank you very much in advance for your help.

Hi Daniel,
Thanks for getting in touch!I’m very sorry for the late reply in getting back to you! Based on your error messages it sounds like we are running into issues accessing the temp path, eg:

C:\Windows\system32\config\systemprofile\AppData\Local\Temp\Octo-5016834d-6662-44da-9a5f-a8772f123e7a

It could be possible that we might be running into this when calling the tentacle.exe commands from the Local System account.

Would it be possible if we could test this procedure by running each of the tentacle.exe commands as a local user on the system?

I look forward to hearing if you are still running into these problems as a local user.

Kind regards,
Lawrence.

Hello Lawrence,

Thank you very much for your answer. We decided to use a workaround and we are not reusing any AMI anymore. Therefore we do not have anymore instances with he same thumbprint during deployment and we are not having this issue anymore. This does not solve the root of the problem we were having but we have dedicated already a good amount of time and we needed to have it working already.

Thank you for the time you dedicate to answer.

Best regards,
Daniel

Hi Daniel,
Thanks for keeping in touch and letting us know that you are using a workaround. I’m sorry to hear we were unable to get to the root cause.

Please feel free to keep in touch if you need to revisit this in the future!

Kind regards,
Lawrence.