Could not connect to SSH endpoint: Unable to obtain endpoint fingerprint

Hello. I’m trying to register a Linux host with SSH key pair and I get error when check health

Starting health check for a limited set of machines. 
December 6th 2022 13:17:15Info
Performing health check on 1 machine. 
December 6th 2022 13:17:15Fatal
The health check failed. One or more machines were not available. 
Check deployment target: by1-pgsql-01
Ran for 0 seconds
December 6th 2022 13:17:15Fatal
Could not connect to SSH endpoint: Unable to obtain endpoint fingerprint. Please try enter details manually.
Unable to obtain endpoint fingerprint. Please try enter details manually. 
Ran for 0 seconds
December 6th 2022 13:17:15Info
December 6th 2022 13:17:15Info
 - by1-pgsql-01 at ssh://by1-pgsql-01:2200/, error: Could not connect to SSH endpoint: Unable to obtain endpoint fingerprint. Please try enter detail... 
December 6th 2022 13:17:15Fatal
One or more machines were not available. Please see the output Log for details. 

I did according to the instructions

and Linux targets - Octopus Deploy
How to solve it?
Host: Ubuntu 22.04

Good morning @licenses2,

Thank you for contacting Octopus Support and welcome to the forums, sorry to hear you are having trouble connecting to one of your SSH targets.

What version of Octopus are you running and have you setup the key with ed25519 or rsa?

From Octopus 2021.1.7466 , Octopus supports newer ED25519 SSH keys. For older versions, and legacy compatibility, you would need to use the RSA key.

The first thing to try would be to enter the details in manually of the target and see if the health check passes:

You can retrieve the fingerprint of the default key configured in your sshd_config file from the target server with the following command:

ssh-keygen -E md5 -lf /etc/ssh/ | cut -d' ' -f2 | awk '{ print $1}' | cut -d':' -f2-

This is if you have setup a ed25519 key.

The other things to check are whether the port you have chosen to set the SSH target to listen on (default of 22) is open on the SSH target and is listening. Your networking team should be able to confirm that.

Did you copy the private key to the machine your Octopus Server is installed on and then use that for the SSH account?

Sorry to throw a few things at you, SSH targets can be complex to fault find on so I do appoligise for the multiple questions.

I look forward to hearing from you,

Kind Regards,

Octopus verision: 2022.2 (Build 7580)

  1. i used both ssh key options.
  2. I also used “Enter Details Manually” and inserted the fingerprint received by the command:
    ssh-keygen -E md5 -lf /etc/ssh/ | cut -d’ ’ -f2 | awk ‘{ print $1}’ | cut -d’:’ -f2-
  3. ssh port is available and listening. Checked with telnet
  4. I didn’t copy the ssh key to the octopus server. I copy in my machine and create Account via GUI and choose private key.
    If I need to copy and install the ssh key on the octopus server, where should I put it? Octopus Server runinig on Windows Server

Hey @licenses2,

Sorry its taken a long time to get back to you, I was doing some tests and my Linux box was not playing ball!
As you are on 2022.2.7580 you should be fine to use the ed25519 key. I just wanted to make sure you were not on an older version as the ed25519 key would not have worked if you were.

I just ran through our documentation from scratch on my Linux box and created the key, when it says ‘upload to the Octopus Server’ or ‘Copy the key to the Octopus Server’ it just means via the Octopus UI so its fine if you uploaded it from your Linux box into the SSH Account section in the UI.

Did you upload the private key into the Account section? The one named ‘id_ed25519’

What did you put down as the username, is it the same username you created the key with?

Does Octopus actually register the SSH Target (ie when you set it up it allows you to find it and you can see the thumbprint etc) but then the health check fails?

If you know your SSH Account in the Octopus UI is correct (username/key/passphrase of key) then I would think about possibly deleting that SSH target in Octopus, deleting all keys from the SSH target itself and start fresh.

I will make sure we discuss this ticket in our Support meeting and see if any other of our Support staff have any other ideas.

I looks forward to hearing from you,

Kind Regards,

Hey @licenses2,

Sorry for the double post but as promised I mentioned this post in our Support meeting and one of our other engineers said it looks like Octopus cant actually connect to the SSH target.

I was wondering if you can see a connection attempt being logged in the sshd logs on the target, if you run the command below does it output anything?

journalctl -u ssh

I look forward to hearing from you,

Kind Regards,

Thanks for your help.
Looked at journalctl -u ssh and saw the following errors:

Unable to negotiate with port 50724: no matching MAC found. Their offer: hmac-md5,hmac-md5-96,hmac-sha1,hmac-sha1-96,hmac-sha2-256,hmac-sha2-256-96,hmac-sha2-512,hmac-sha2-512-96>
by1-pgsql-03 sshd[2917721]: error: kex_exchange_identification: client sent invalid protocol identifier "\003\003\003\004"
by1-pgsql-03 sshd[2917721]: banner exchange: Connection from port 50796: invalid format
by1-pgsql-03 sshd[2918394]: Connection reset by authenticating user job-odeploy port 50828 [preauth]

Next, I commented out the line in the ssh config and everything worked.


Thank you.

1 Like

Hey @licenses2,

Fantastic news you got this working, thank you for posting up the fix too as it will help other customers who might run into this issue.

I did not know about that journal command until our lead support engineer mentioned it so I will keep that in my back pocket too as its good for troubleshooting issues such as this, thank you for your patience whilst we worked through this together.

Reach out in future if you need anything else as we love to help here over at Octopus Support!

Kind Regards and Happy Deployments,


1 Like

This topic was automatically closed 31 days after the last reply. New replies are no longer allowed.