Could not create SSL/TLS secure channel

Hi All,

This is a continuation of the chain “Enabling Tentacle failed

We were using Microsoft tentacle during our Scaleset deployment via Octopus. As its been depricated we are trying to use Octopus DSC.

We have downloaded the Zip file into a Storage account as instructed in “Installing the Tentacle via DSC in an ARM template - Octopus Deploy

But we received the below error when trying to run the deployment via Octopus.

19:43:32 Error | Status Message: {“status”:“Failed”,“error”:{“code”:“ResourceDeploymentFailure”,“message”:“The resource operation completed with terminal provisioning state ‘Failed’.”,“details”:[{“code”:“VMExtensionProvisioningError”,“message”:"VM has reported a failure when processing extension ‘dscExtension’. Error message: "DSC Configuration ‘OctopusTentacle’ completed with error(s). Following are the first few: PowerShell DSC resource cTentacleAgent failed to execute Set-TargetResource functionality with error message: The request was aborted: Could not create SSL/TLS secure channel. The SendConfigurationApply function did not succeed."\r\n\r\nMore information on troubleshooting is available at Azure Desired State Configuration Extension Handler - Azure Virtual Machines | Microsoft Learn "}]}}

ServerTasks-225308.log.txt (43.4 KB)

Good afternoon @nsidsri,

Thank you for contacting us about the DSC issue, I read the previous forum post you linked and have spoken to one of my collegues to get some options on where best to start troubleshooting this issue.

From what I can see you have this in your error log -

Could not create SSL/TLS secure channel

I think this is where we need to put our focus to as if your servers cannot talk to each other through SSL/TLS you are never going to get a connection regardless of how your DSC configuration is set up.

The first thing I would do here is try installing and configuring a standard Octopus Listening Tentacle on your target VM and see if that registers in the Octopus UI and passes a health check, if it does not and gives you the SSL/TLS error we have a number of ways you can troubleshoot this. It seems you might be using a gold image or baseline image you spin up your VMs from? If so, you either need to spin up a VM then install the Listening Tentacle manually to perform those tests or you need to install the tentacle on your gold or baseline image you use to spin up your VMs. I suggest spinning up a VM to test this on and leave your baseline VM image alone for now whilst we test this.

Let us know how that test goes as we can direct you to various troubleshooting tools if you get the SSL/TLS secure channel error with a standard listening tentacle install and health check via the Octopus UI. If the listening tentacle installs fine and passes the health check in the Octopus UI we can take a look at your DSC configuration.

I look forward to hearing from you,

Kind Regards,
Clare

Thank you very muh for looking into this quickly Clare.

First we spun up a VM and installed the Octopus DSC using [(Download Octopus Tentacle - Octopus Deploy) . We add the VM’s IP as our deployment target in octopus and it passed the health check but when we try to run it via Octopus pipeline we get the TLS error. Please advice how can we proceed on this.

Also while creating the Base image we tried to enable Edge thinking that would help but no progress.

Note : One point we noticed is the octopus service stops in between the process and we had to restart it to proceed with the steps

Hey @nsidsri,

Sorry it has taken a while to get back to you, thank you for letting us know a standard listening tentacle installed directly works and passes a health check in Octopus, it looks like your SSL and TLS protocols match the Octopus server which is great news.

As for the issue with DSC, I am going to look into what we do when we are calling SendConfigurationApply:

The SendConfigurationApply function did not succeed

And am going to reach out to our Solutions team who are very knowledgeable on DSC to see if there is any reason why this would fail when running through DCS and not by installing manually.

I will get back to you once I have some answers but it may be tomorrow morning as I am due to leave for the day and the other team may not be able to answer directly on this forum post.

I will get you an update tomorrow morning UK time and sorry we have not gotten to the bottom of this just yet.

Kind Regards,
Clare

Hey @nsidsri,

Sorry it has taken a while to get back to you on this one, our other team have responded saying they are not very familiar with DSC so I have redirected my query to the developers responsible for DSC to see if they have any ideas.

One idea our other team did have was that perhaps PowerShell is using a different protocol when you are running the tentacle install through DSC. Octopus uses TLS 1.2 by default and the manual install of the listening tentacle you did earlier would have used TLS 1.2.

I am wondering if you could force PowerShell to use TLS 1.2 for your DSC setup by placing the below into your PowerShell console before running your DSC code (if you are using PowerShell which I assume you are)

[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

This code is well documented online as a way to force PowerShell to use TLS 1.2 so it will be safe to use on your target machine if your company policy allows. Note that this will only change it for that PowerShell session, so it will not change the protocols on your target permanently.

I am not sure where you would need to force that through, I assume it would be on the deploy of the template using Azure as that is the main powershell command you need to execute the DSC configs and .ps1 files, considering forcing that through only happens for that session you could test this out by manually pasting it into the session first then running the template deploy, if that works you can add it to the script you (I assume) have created and it will then run on every script run.

Let me know how that goes, if that does not work I will ask the developers if you do need to force that and where.

Kind Regards,
Clare

Hey @nsidsri,

Just a quick update as one of our engineers just got back to me saying he has played with DSC recently and ran into the same TLS issue, he put the command below:

[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

At the start of the config file and that worked for him so just letting you know that might be a good place to put that command rather than at the start of the deploy of the template using Azure.

Let me know how that goes,

Kind Regards,
Clare

Thank you so much Clare. We will try this Powershell script and keep you posted with the update.

Thanks once again for all your help :slight_smile:

1 Like

After checking the file CTentacleAgent the Tls12 is already present and for reference have uploaded the file. Please check and advice where at the start of the config file we need to try putting “[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12”

cTentacleAgent.psm1 (50.5 KB)

Hi @nsidsri

I’m just stepping in for Clare as she is on internal training this week.

Looking at your script file, this particular line will need to go in one of the functions, or the main function that is run, that get called before the API call. As long as it is before the API call itself it should setup the security protocol to be TLS 1.2.

Kind Regards
Sean

Hi Sean,

We have put the TLS code snippet at the beginning of the PS script, but still no luck. Placing the entire DSC code for reference. Kindly advice on where have we gone wrong in placing the TLS snippet.

OctopusDSC.4.0.1131.zip (156.2 KB)

We are following the steps provided in this link: Installing the Tentacle via DSC in an ARM template - Octopus Deploy

Thanks & Regards,
Hema

Hi Hema,
Just stepping in for Sean who is offline at present.

Following Sean’s recommendation, in the cTentacleAgent.psm1, I believe you can place this code after the join-path command. You could also put it in the OctopusDSCHelper.ps1 file as its loaded in that join-path command.

I would try that first and let us know if it works for you. I note as well that we have a blog post on using DSC to bootstrap tentacles which you might find useful:

Kind regards,

Hi Paraic,

Thanks for looking into this issue. Before checking into Bootstrap we are planing to create a Baseline image along with the Octoups tentacle. As part of our pipeline we have a step that creates a VM from baseimage along with DSC tentacle but now as we have the tentacle already in the baseimage we need a step that just creates a VM from base image. We are in search of a similar step, it would be helpful if you could guide us .

Hi @nsidsri

Since we don’t know what hosts the VM this isn’t something we’ll be able to advise on. If it is hosted in Azure, we don’t have a step for this, but the Az CLI should have the necessary commands to script this.

Also, just to note, we would not recommend creating a base image with a Tentacle setup inside of it as that will duplicate the Tentacle settings between all the images, most likely causing issues. It would be better to have the base image, and then have an extra script to install and configure the Tentacle. This would also give you the latest Tentacle as well.

Kind Regards
Sean

1 Like

Thanks for your recommendation Sean. We will then plan accordingly then

1 Like

Thank you every one. We were able to temporarly fix this issue.

Special thanks to @clare.martin . Your idea actual worked.

Once the VM is created we installed the tentacle manually and deployed the code for now.

Thank you all for your support. You all were very helpful

Hey @nsidsri,

Amazing news you got this working, that’s made my Friday! No need to thank us (though it is appreciated!) we are always here to help, this was a collective effort between you and us so thank you for testing and trying to implement all of our suggestions, we got there in the end!

If you need anything in future please reach out!

Kind Regards and Happy Deployments,
Clare

Hi All,

We have one more server where the an old version of octopus Tentacle manager was installed. I removed and reinstalled a new version now but am not able to connect my octopus tool and this server .

The error we get when we try to connect the deployment to the destination server :

“Unable to read data from the transport connection: A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond. Unable to read data from the transport connection: A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond. A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond”

I tried to do a telnet between octopus server and the deployment server and it worked. It would be great if you could check and help on this.

Please find the logs for reference :

OctopusTentacle.txt (15.9 KB)

Hi @nsidsri
Thanks for the Tentacle log file.

At first glance it looks like there may be another instance of the tentacle already installed an running on the target. Is this something you can check?

The error for a socket already in use is fairly clear on that score:

System.Exception: A required communications port is already in use. The required port is being used by another process. The Windows netstat -o -n -a command can be used to show which process this is (compare PIDs with those shown in Task Manager). See: Cannot start server service · Issue #313 · OctopusDeploy/Issues · GitHub —> System.Net.Sockets.SocketException: Only one usage of each socket address (protocol/network address/port) is normally permitted

You can run that netstat command above to check the ports and what’s using it.

A recommendation would be to re-install the Tentacle but before that, to do a full manual uninstall to make sure any old installs are fully removed:
https://octopus.com/docs/administration/managing-infrastructure/tentacle-configuration-and-file-storage/manually-uninstall-tentacle

The telnet would have worked because the socket is active with the other installation but not the one you are trying to link to the Octopus server.

Let us know if this works for you.

Kind regards,
Paraic

Hi Paraic,

Thank you so much for your quick reply, I did try uninstalling the Tentacle manually using the given step. Did a Netstat to make sure there are no connection listing in that port. Rebooted the server and installed the tentacle. version - 6.2.277.

Again got the same error (Attaching the logs for reference)
OctopusTentacle.txt (9.4 KB)

Could you please advice if we still have the socket issue .

Hey @nsidsri,

Thank you for those logs you sent through, the last log looks fine though and you are not seeing any connection issues in that log.

Are you now seeing a successful health check for that tentacle in the Octopus UI?

If so I would be confident to say, based on the recent logs you sent over, that you are no longer getting that socket issue on that tentacle.

Let me know if the health check fails though and if it does send us the health check logs task through from the Octopus Server and we can take a look.

Kind Regards,
Clare