Connecting Octopus tentacle (in docker)

Hi,

I’m trying to deploy a service that lives behind a VPN. I thought an option around this would be to deploy a Tentacle inside the VPN to do the actual deploying of the application.

I’ve set up the Octopus Tentacle container (in AKS) in polling mode. The Octopus Server is also in Kubernetes; I created a separate ingress resource on a different domain and I’m forwarding 443 to 10943 with SSL passthrough (not terminated by the ingress).

So far so good; I am seeing the correct cert when I browse to it.

However the tentacle isn’t happy.

[octopus-tentacle-7758646474-9t98v octopus-tentacle]  Certificate subject name: CN=Octopus Portal
[octopus-tentacle-7758646474-9t98v octopus-tentacle]  Certificate thumbprint:   2756CF60248D7D0FAF97D43C2AE15B9015DEBA93
[octopus-tentacle-7758646474-9t98v octopus-tentacle]  The following certificate errors were encountered when establishing the HTTPS connection to the server: RemoteCertificateNameMismatch, RemoteCertificateChainErrors

This goes on for a while then the process exits. The thumbprint shown is the correct thumbprint.

In an effort to resolve this I modified configure-tentacle.sh and added this:

if [[ ! -z "$SERVER_THUMBPRINT" ]]; then
  echo "Setting server thumbprint ..."
  tentacle configure --instance "$instanceName" --trust="$SERVER_THUMBPRINT"
fi

It goes after the reset (and I also defined the new env var). It made no difference.

Hi @critchley.sj,

Thanks for getting in touch! I’ve seen this issue pop up for a couple of different reasons. If there’s an intermediate certificate in the chain that’s expired, or with your SSL passthrough perhaps it’s affecting the required one-time use of port 443 for Tentacle to actually register. Port 443 is needed to use the Octopus API to add the Tentacle to the server, and is only required for this initial setup. I’m wondering if either of those scenarios is applicable here?

If not, would you be willing to send through the full log file which includes this error? I think the full context around it will help us get a better understanding of what’s going on.

I look forward to hearing back!

Best regards,

Kenny
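Editor's note, added to the thread: the two flags in the Tentacle log are .NET's SslPolicyErrors names. RemoteCertificateNameMismatch means the host name the client connected to is not in the certificate's SAN (or CN), and RemoteCertificateChainErrors means the certificate does not chain to a root the client trusts. Both are checked by the HTTPS client that the registration step uses against the API, which is a different trust decision from the Tentacle-to-Server thumbprint trust; the full log later in the thread shows the --trust thumbprint being added and the HTTPS error persisting anyway. The shell example below is added here and is not from the thread or from Octopus Deploy. It reproduces both checks offline with the openssl CLI (1.1.1 or later, for -addext) on certificates it generates itself; the host name is the placeholder the poster used, and "Example Root CA" stands in for the client's trust store.

```shell
#!/bin/sh
# Added example: reproduce the two validation flags the Tentacle reported,
# using only the openssl CLI. The host name and certificates are constructed.
#   RemoteCertificateNameMismatch -> host name not in SAN (or CN) of the cert
#   RemoteCertificateChainErrors  -> cert does not chain to a trusted root
workdir=$(mktemp -d)
trap 'rm -rf "$workdir"' EXIT
host=somedomain-tentacles.example.com   # placeholder host, as in the thread

# Generate a self-signed cert. $1 = file prefix, $2 = CN, $3 = optional SAN DNS name.
make_selfsigned() {
  if [ -n "$3" ]; then
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
      -addext "subjectAltName=DNS:$3" \
      -keyout "$workdir/$1.key" -out "$workdir/$1.pem" 2>/dev/null
  else
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
      -keyout "$workdir/$1.key" -out "$workdir/$1.pem" 2>/dev/null
  fi
}

# Name check, as done by OpenSSL's X509_check_host (SAN first, CN only as fallback).
# $1 = cert, $2 = host name the client connected to. Prints ok | mismatch.
check_name() {
  if openssl x509 -in "$1" -noout -checkhost "$2" | grep -q "does match"; then
    echo ok
  else
    echo mismatch
  fi
}

# Chain check against a given trust bundle. $1 = cert, $2 = bundle. Prints ok | chain-error.
check_chain() {
  if openssl verify -CAfile "$2" "$1" >/dev/null 2>&1; then
    echo ok
  else
    echo chain-error
  fi
}

# Combine both into the flag names .NET reports, comma-separated, or "None".
# $1 = cert, $2 = host name, $3 = trust bundle.
diagnose() {
  errors=""
  [ "$(check_name "$1" "$2")" = ok ] || errors="RemoteCertificateNameMismatch"
  if [ "$(check_chain "$1" "$3")" != ok ]; then
    errors="${errors:+$errors,}RemoteCertificateChainErrors"
  fi
  echo "${errors:-None}"
}

# Constructed inputs (assumed, not captured from the poster's cluster):
make_selfsigned portal "Octopus Portal"          # what the Tentacle saw: CN only, self-signed
make_selfsigned good   "Octopus Portal" "$host"  # same CN, but with a SAN for the host
make_selfsigned root   "Example Root CA"         # an unrelated trust anchor

diagnose "$workdir/portal.pem" "$host" "$workdir/root.pem"  # -> RemoteCertificateNameMismatch,RemoteCertificateChainErrors
diagnose "$workdir/good.pem"   "$host" "$workdir/root.pem"  # -> RemoteCertificateChainErrors
diagnose "$workdir/good.pem"   "$host" "$workdir/good.pem"  # -> None (explicitly trusted)
```

To run the same two checks against a live endpoint, save the certificate it presents with `openssl s_client -connect HOST:443 -servername HOST </dev/null 2>/dev/null | openssl x509 -outform PEM > live.pem` and pass live.pem, the host name and the CA bundle the client actually uses to `diagnose`. A cert that reports only RemoteCertificateChainErrors points at Kenny's expired-intermediate case; one that reports both, with subject CN=Octopus Portal, is the server's own comms certificate, which no public CA bundle will chain to.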

Hi Kenneth,

I was capping stdout. I’ve got Octopus Server listening on somedomain.example.com:443 and I have the Tentacle port open at somedomain-tentacles.example.com:443. It sounds like you’re saying I must have them both on the same domain?

Note this log has the output from my extra trust command in it.

[octopus-tentacle-5b966b69d9-xbc58 octopus-tentacle] ===============================================
[octopus-tentacle-5b966b69d9-xbc58 octopus-tentacle] Configuring Octopus Deploy Tentacle
[octopus-tentacle-5b966b69d9-xbc58 octopus-tentacle] - server endpoint ‘https://us-octopus-tentacles.drawboard.com’
[octopus-tentacle-5b966b69d9-xbc58 octopus-tentacle] - api key ‘##########’
[octopus-tentacle-5b966b69d9-xbc58 octopus-tentacle] - communication mode ‘Polling’ (Active)
[octopus-tentacle-5b966b69d9-xbc58 octopus-tentacle] - server port 443
[octopus-tentacle-5b966b69d9-xbc58 octopus-tentacle] - environment ‘DEV,QA’
[octopus-tentacle-5b966b69d9-xbc58 octopus-tentacle] - role ‘Server’
[octopus-tentacle-5b966b69d9-xbc58 octopus-tentacle] - host ‘ComputerName’
[octopus-tentacle-5b966b69d9-xbc58 octopus-tentacle] ===============================================
[octopus-tentacle-5b966b69d9-xbc58 octopus-tentacle] Creating empty configuration file: /etc/octopus/tentacle.config
[octopus-tentacle-5b966b69d9-xbc58 octopus-tentacle] Saving instance: Tentacle
[octopus-tentacle-5b966b69d9-xbc58 octopus-tentacle] Setting home directory to: /etc/octopus
[octopus-tentacle-5b966b69d9-xbc58 octopus-tentacle] Setting directory paths …
[octopus-tentacle-5b966b69d9-xbc58 octopus-tentacle] Application directory set to: /home/Octopus/Applications
[octopus-tentacle-5b966b69d9-xbc58 octopus-tentacle] These changes require a restart of the Tentacle.
[octopus-tentacle-5b966b69d9-xbc58 octopus-tentacle] Configuring communication type …
[octopus-tentacle-5b966b69d9-xbc58 octopus-tentacle] Tentacle will not listen on a port
[octopus-tentacle-5b966b69d9-xbc58 octopus-tentacle] These changes require a restart of the Tentacle.
[octopus-tentacle-5b966b69d9-xbc58 octopus-tentacle] Updating trust …
[octopus-tentacle-5b966b69d9-xbc58 octopus-tentacle] Removing all trusted Octopus Servers…
[octopus-tentacle-5b966b69d9-xbc58 octopus-tentacle] These changes require a restart of the Tentacle.
[octopus-tentacle-5b966b69d9-xbc58 octopus-tentacle] Creating certificate …
[octopus-tentacle-5b966b69d9-xbc58 octopus-tentacle] A new certificate has been generated and installed. Thumbprint:
[octopus-tentacle-5b966b69d9-xbc58 octopus-tentacle] 33F088777810F5BE5AFA9194F426479E72CFF1F0
[octopus-tentacle-5b966b69d9-xbc58 octopus-tentacle] These changes require a restart of the Tentacle.
[octopus-tentacle-5b966b69d9-xbc58 octopus-tentacle] Setting server thumbprint …
[octopus-tentacle-5b966b69d9-xbc58 octopus-tentacle] Adding 1 trusted Octopus Servers
[octopus-tentacle-5b966b69d9-xbc58 octopus-tentacle] These changes require a restart of the Tentacle.
[octopus-tentacle-5b966b69d9-xbc58 octopus-tentacle] Registering with server …
[octopus-tentacle-5b966b69d9-xbc58 octopus-tentacle] Registering Tentacle with api key
[octopus-tentacle-5b966b69d9-xbc58 octopus-tentacle] Checking connectivity on the server communications port 443…
[octopus-tentacle-5b966b69d9-xbc58 octopus-tentacle] Connected successfully
[octopus-tentacle-5b966b69d9-xbc58 octopus-tentacle] Registering the tentacle with the server at https://us-octopus-tentacles.drawboard.com/
[octopus-tentacle-5b966b69d9-xbc58 octopus-tentacle] Detected automation environment: NoneOrUnknown
[octopus-tentacle-5b966b69d9-xbc58 octopus-tentacle] The following certificate errors were encountered when establishing the HTTPS connection to the server: RemoteCertificateNameMismatch, RemoteCertificateChainErrors
[octopus-tentacle-5b966b69d9-xbc58 octopus-tentacle] Certificate subject name: CN=Octopus Portal
[octopus-tentacle-5b966b69d9-xbc58 octopus-tentacle] Certificate thumbprint: 2756CF60248D7D0FAF97D43C2AE15B9015DEBA93
[octopus-tentacle-5b966b69d9-xbc58 octopus-tentacle] The following certificate errors were encountered when establishing the HTTPS connection to the server: RemoteCertificateNameMismatch, RemoteCertificateChainErrors

THIS REPEATS A LOT, REMOVED SOME FOR BREVITY

[octopus-tentacle-5b966b69d9-xbc58 octopus-tentacle] Certificate subject name: CN=Octopus Portal
[octopus-tentacle-5b966b69d9-xbc58 octopus-tentacle] Certificate thumbprint: 2756CF60248D7D0FAF97D43C2AE15B9015DEBA93
[octopus-tentacle-5b966b69d9-xbc58 octopus-tentacle] The following certificate errors were encountered when establishing the HTTPS connection to the server: RemoteCertificateNameMismatch, RemoteCertificateChainErrors
[octopus-tentacle-5b966b69d9-xbc58 octopus-tentacle] Certificate subject name: CN=Octopus Portal
[octopus-tentacle-5b966b69d9-xbc58 octopus-tentacle] Certificate thumbprint: 2756CF60248D7D0FAF97D43C2AE15B9015DEBA93
[octopus-tentacle-5b966b69d9-xbc58 octopus-tentacle] The following certificate errors were encountered when establishing the HTTPS connection to the server: RemoteCertificateNameMismatch, RemoteCertificateChainErrors
[octopus-tentacle-5b966b69d9-xbc58 octopus-tentacle] Certificate subject name: CN=Octopus Portal
[octopus-tentacle-5b966b69d9-xbc58 octopus-tentacle] Certificate thumbprint: 2756CF60248D7D0FAF97D43C2AE15B9015DEBA93
[octopus-tentacle-5b966b69d9-xbc58 octopus-tentacle] ===============================================================================
[octopus-tentacle-5b966b69d9-xbc58 octopus-tentacle] Unable to connect to the Octopus Deploy server. See the inner exception for details.
[octopus-tentacle-5b966b69d9-xbc58 octopus-tentacle] System.Exception
[octopus-tentacle-5b966b69d9-xbc58 octopus-tentacle] at Octopus.Client.OctopusAsyncRepository.LoadRootDocumentInner()
[octopus-tentacle-5b966b69d9-xbc58 octopus-tentacle] at Octopus.Client.OctopusAsyncClient.Create(OctopusServerEndpoint serverEndpoint, OctopusClientOptions options, Boolean addHandler, String requestingTool)
[octopus-tentacle-5b966b69d9-xbc58 octopus-tentacle] at Octopus.Client.OctopusAsyncClient.Create(OctopusServerEndpoint serverEndpoint, OctopusClientOptions options)
[octopus-tentacle-5b966b69d9-xbc58 octopus-tentacle] at Octopus.Tentacle.Commands.OptionSets.OctopusClientInitializer.CreateClient(ApiEndpointOptions apiEndpointOptions, IWebProxy overrideProxy) in OctopusClientInitializer.cs:line 17
[octopus-tentacle-5b966b69d9-xbc58 octopus-tentacle] at Octopus.Tentacle.Commands.RegisterMachineCommandBase`1.StartAsync() in RegisterMachineCommandBase.cs:line 110
[octopus-tentacle-5b966b69d9-xbc58 octopus-tentacle] at Octopus.Tentacle.Commands.RegisterMachineCommandBase`1.Start() in RegisterMachineCommandBase.cs:line 80
[octopus-tentacle-5b966b69d9-xbc58 octopus-tentacle] at Octopus.Shared.Startup.AbstractCommand.Start(String[] commandLineArguments, ICommandRuntime commandRuntime, OptionSet commonOptions)
[octopus-tentacle-5b966b69d9-xbc58 octopus-tentacle] at Octopus.Shared.Startup.OctopusProgram.Start(ICommandRuntime commandRuntime)
[octopus-tentacle-5b966b69d9-xbc58 octopus-tentacle] at Octopus.Shared.Startup.ConsoleHost.Run(Action`1 start, Action shutdown)
[octopus-tentacle-5b966b69d9-xbc58 octopus-tentacle] at Octopus.Shared.Startup.OctopusProgram.RunHost(ICommandHost host)
[octopus-tentacle-5b966b69d9-xbc58 octopus-tentacle] at Octopus.Shared.Startup.OctopusProgram.Run()
[octopus-tentacle-5b966b69d9-xbc58 octopus-tentacle]
[octopus-tentacle-5b966b69d9-xbc58 octopus-tentacle] --Inner Exception--
[octopus-tentacle-5b966b69d9-xbc58 octopus-tentacle] The SSL connection could not be established, see inner exception.
[octopus-tentacle-5b966b69d9-xbc58 octopus-tentacle] System.Net.Http.HttpRequestException
[octopus-tentacle-5b966b69d9-xbc58 octopus-tentacle] at System.Net.Http.ConnectHelper.EstablishSslConnectionAsyncCore(Stream stream, SslClientAuthenticationOptions sslOptions, CancellationToken cancellationToken)
[octopus-tentacle-5b966b69d9-xbc58 octopus-tentacle] at System.Net.Http.HttpConnectionPool.ConnectAsync(HttpRequestMessage request, Boolean allowHttp2, CancellationToken cancellationToken)
[octopus-tentacle-5b966b69d9-xbc58 octopus-tentacle] at System.Net.Http.HttpConnectionPool.CreateHttp11ConnectionAsync(HttpRequestMessage request, CancellationToken cancellationToken)
[octopus-tentacle-5b966b69d9-xbc58 octopus-tentacle] at System.Net.Http.HttpConnectionPool.GetHttpConnectionAsync(HttpRequestMessage request, CancellationToken cancellationToken)
[octopus-tentacle-5b966b69d9-xbc58 octopus-tentacle] at System.Net.Http.HttpConnectionPool.SendWithRetryAsync(HttpRequestMessage request, Boolean doRequestAuth, CancellationToken cancellationToken)
[octopus-tentacle-5b966b69d9-xbc58 octopus-tentacle] at System.Net.Http.AuthenticationHelper.SendWithAuthAsync(HttpRequestMessage request, Uri authUri, ICredentials credentials, Boolean preAuthenticate, Boolean isProxyAuth, Boolean doRequestAuth, HttpConnectionPool pool, CancellationToken cancellationToken)
[octopus-tentacle-5b966b69d9-xbc58 octopus-tentacle] at System.Net.Http.RedirectHandler.SendAsync(HttpRequestMessage request, CancellationToken cancellationToken)
[octopus-tentacle-5b966b69d9-xbc58 octopus-tentacle] at System.Net.Http.HttpClient.FinishSendAsyncBuffered(Task`1 sendTask, HttpRequestMessage request, CancellationTokenSource cts, Boolean disposeCts)
[octopus-tentacle-5b966b69d9-xbc58 octopus-tentacle] at Octopus.Client.OctopusAsyncClient.DispatchRequest[TResponseResource](OctopusRequest request, Boolean readResponse)
[octopus-tentacle-5b966b69d9-xbc58 octopus-tentacle] at Octopus.Client.OctopusAsyncClient.Get[TResource](String path, Object pathParameters)
[octopus-tentacle-5b966b69d9-xbc58 octopus-tentacle] at Octopus.Client.OctopusAsyncRepository.LoadRootDocumentInner()
[octopus-tentacle-5b966b69d9-xbc58 octopus-tentacle]
[octopus-tentacle-5b966b69d9-xbc58 octopus-tentacle] --Inner Exception--
[octopus-tentacle-5b966b69d9-xbc58 octopus-tentacle] The remote certificate is invalid according to the validation procedure.
[octopus-tentacle-5b966b69d9-xbc58 octopus-tentacle] System.Security.Authentication.AuthenticationException
[octopus-tentacle-5b966b69d9-xbc58 octopus-tentacle] at System.Net.Security.SslStream.StartSendAuthResetSignal(ProtocolToken message, AsyncProtocolRequest asyncRequest, ExceptionDispatchInfo exception)
[octopus-tentacle-5b966b69d9-xbc58 octopus-tentacle] at System.Net.Security.SslStream.CheckCompletionBeforeNextReceive(ProtocolToken message, AsyncProtocolRequest asyncRequest)
[octopus-tentacle-5b966b69d9-xbc58 octopus-tentacle] at System.Net.Security.SslStream.StartSendBlob(Byte[] incoming, Int32 count, AsyncProtocolRequest asyncRequest)
[octopus-tentacle-5b966b69d9-xbc58 octopus-tentacle] at System.Net.Security.SslStream.ProcessReceivedBlob(Byte[] buffer, Int32 count, AsyncProtocolRequest asyncRequest)
[octopus-tentacle-5b966b69d9-xbc58 octopus-tentacle] at System.Net.Security.SslStream.StartReceiveBlob(Byte[] buffer, AsyncProtocolRequest asyncRequest)
[octopus-tentacle-5b966b69d9-xbc58 octopus-tentacle] at System.Net.Security.SslStream.CheckCompletionBeforeNextReceive(ProtocolToken message, AsyncProtocolRequest asyncRequest)
[octopus-tentacle-5b966b69d9-xbc58 octopus-tentacle] at System.Net.Security.SslStream.StartSendBlob(Byte[] incoming, Int32 count, AsyncProtocolRequest asyncRequest)
[octopus-tentacle-5b966b69d9-xbc58 octopus-tentacle] at System.Net.Security.SslStream.ProcessReceivedBlob(Byte[] buffer, Int32 count, AsyncProtocolRequest asyncRequest)
[octopus-tentacle-5b966b69d9-xbc58 octopus-tentacle] at System.Net.Security.SslStream.StartReceiveBlob(Byte[] buffer, AsyncProtocolRequest asyncRequest)
[octopus-tentacle-5b966b69d9-xbc58 octopus-tentacle] at System.Net.Security.SslStream.CheckCompletionBeforeNextReceive(ProtocolToken message, AsyncProtocolRequest asyncRequest)
[octopus-tentacle-5b966b69d9-xbc58 octopus-tentacle] at System.Net.Security.SslStream.StartSendBlob(Byte[] incoming, Int32 count, AsyncProtocolRequest asyncRequest)
[octopus-tentacle-5b966b69d9-xbc58 octopus-tentacle] at System.Net.Security.SslStream.ProcessReceivedBlob(Byte[] buffer, Int32 count, AsyncProtocolRequest asyncRequest)
[octopus-tentacle-5b966b69d9-xbc58 octopus-tentacle] at System.Net.Security.SslStream.PartialFrameCallback(AsyncProtocolRequest asyncRequest)
[octopus-tentacle-5b966b69d9-xbc58 octopus-tentacle] at System.Net.Security.SslStream.EndProcessAuthentication(IAsyncResult result)
[octopus-tentacle-5b966b69d9-xbc58 octopus-tentacle] at System.Threading.Tasks.TaskFactory`1.FromAsyncCoreLogic(IAsyncResult iar, Func`2 endFunction, Action`1 endAction, Task`1 promise, Boolean requiresSynchronization)
[octopus-tentacle-5b966b69d9-xbc58 octopus-tentacle] at System.Net.Http.ConnectHelper.EstablishSslConnectionAsyncCore(Stream stream, SslClientAuthenticationOptions sslOptions, CancellationToken cancellationToken)
[octopus-tentacle-5b966b69d9-xbc58 octopus-tentacle] -------------------------------------------------------------------------------
[octopus-tentacle-5b966b69d9-xbc58 octopus-tentacle] Terminating process with exit code 100
[octopus-tentacle-5b966b69d9-xbc58 octopus-tentacle] Full error details are available in the log files at:
[octopus-tentacle-5b966b69d9-xbc58 octopus-tentacle] /etc/octopus/Logs
[octopus-tentacle-5b966b69d9-xbc58 octopus-tentacle] Octopus/Logs
[octopus-tentacle-5b966b69d9-xbc58 octopus-tentacle] If you need help, please send these log files to Octopus Deploy Help & Support - Octopus Deploy
[octopus-tentacle-5b966b69d9-xbc58 octopus-tentacle] -------------------------------------------------------------------------------
[octopus-tentacle-5b966b69d9-xbc58 octopus-tentacle]

You can have a look at the cert by browsing to https://us-octopus-tentacles.drawboard.com

Hi @critchley.sj,

Unfortunately, it’s not really designed for the polling server and the Octopus server to have different URLs.

I am going to reach out internally and see if there’s a method we can get this to work for you.

Best,
Jeremy

Hi @critchley.sj,

I appreciate your patience as we discussed this one with some of my team. Here’s a rundown of our conversation.

The issue looks to be that the Tentacle needs to reach out to the Octopus API to register itself, and then connect to the same hostname to initiate polling. By defining the server endpoint as https://us-octopus-tentacles.drawboard.com, the attempts to connect to the API are probably failing, because port 443 on that hostname is the Tentacle port, not the HTTP API port. The server endpoint needs to support both access to the API and to the polling Tentacle port, you can’t split them up with different hostnames.

We’re assuming you’re using an NGINX ingress controller? The issue with most ingress controllers (including NGINX) is that they assume they are serving HTTP traffic, so open ports 443 and 80, but don’t expose an option to forward a third port (like the polling port 10943).

At the end of the day, the feedback is that the easiest solution would be to not use an ingress controller. By using a plain load balancer service to expose Octopus, you could expose all the ports you need individually.

Alternatively, you could in theory deploy a second NGINX ingress controller that exposed port 10943 as the HTTPS port, in addition to the first that exposed ports 80 and 443 for the API and portal. Then the load balancer created for the original ingress controller needs additional rules to pass traffic through on port 10943. There’d be 1 public load balancer, with one DNS name, forwarding traffic on ports 80, 443, and 10943.

I hope this helps. Let me know what you think or if you have any follow up questions.

Best regards,

Kenny
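Editor's note, added to the thread: Kenny's "plain load balancer" route means one Kubernetes Service of type LoadBalancer carrying all three ports, so a single DNS name can serve the portal/API on 80/443 and the polling port on 10943. The example below is added here and is not from the thread or from Octopus Deploy; the namespace, the pod selector label and the named container ports are assumptions. Two points it encodes: the 443 listener must present a certificate a normal HTTPS client accepts for that host name (this is where the poster's Let's Encrypt concern lands), and 10943 must be forwarded as plain TCP, because the Tentacle polling channel brings its own TLS with the server's CN=Octopus Portal comms certificate and must not be terminated in front of Octopus.

```shell
#!/bin/sh
# Added example: emit a LoadBalancer Service exposing the Octopus portal/API
# and the Tentacle polling port behind one external IP. Names marked "assumed"
# are placeholders, not taken from the thread.
octopus_lb_manifest() {
  cat <<'EOF'
apiVersion: v1
kind: Service
metadata:
  name: octopus-server-lb
  namespace: octopus              # assumed namespace
spec:
  type: LoadBalancer
  selector:
    app: octopus-server           # assumed pod label
  ports:
    - name: http
      port: 80
      targetPort: http            # assumed container port name (plain HTTP / redirect)
    - name: https
      port: 443
      targetPort: https           # assumed: whatever terminates TLS for the portal and API
    - name: polling
      port: 10943
      targetPort: polling         # assumed name; raw TCP passthrough, Octopus's own TLS runs here
EOF
}

# Quick self-check before applying: list the service ports the manifest exposes.
# Matches "port:" lines only, so "targetPort:" entries are not counted.
manifest_ports() {
  octopus_lb_manifest | sed -n 's/^ *port: *\([0-9][0-9]*\).*/\1/p' | tr '\n' ' ' | sed 's/ $//'
}

# Usage against a real cluster (not run here):
#   octopus_lb_manifest | kubectl apply -f -
# Then point one DNS name at the Service's external IP and use that name as the
# Tentacle's --server endpoint; registration goes to 443, polling to 10943.
manifest_ports   # -> 80 443 10943
```

This trades the ingress controller's TLS handling for whatever sits behind the `https` target port; the polling port needs no certificate management at all, since trust there is by thumbprint, which is what the `--trust` option the poster tried actually configures.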

Hi Kenny,

Thanks for your reply. Using a load balancer means I can’t (AFAIK) leverage the Let’s Encrypt cert issuer that I use with ingress. To your second suggestion, I don’t think I can deploy a second ingress controller that listens on the same domain name, as they are configured to point to the external IP of the specific ingress service.

Thanks for your time. I spent 4 hours with MS support (their docs were wrong) and managed to get an IKE VPN client working on the Octopus host. I have the deployment process start and stop the VPN so I can reach the Kubernetes instance. A little more complexity than I would have preferred, but it works.

I’m not sure what the specific “need” is for them to be the same hostname, other than that’s how it was built. It would be great to see a first-class solution for a Kubernetes hosting environment in the future.

Thanks

This topic was automatically closed 31 days after the last reply. New replies are no longer allowed.