CRL/OCSP lookups and akamai URL hits from Octopus and Tentacles

Hi,

I emailed this to support 8 days ago and hadn't received any response, and am an impatient fellow, so I thought it isn't a bad topic to have in public discussion anyway as other users must also be running into it.

Basically as documented here and here, we are having issues with Octopus Server and Tentacles on servers without internet connection, attempting to make connections to internet resources and causing the tentacle to lockup/restart itself, hindering the discovery process.

http://docs.octopusdeploy.com/display/OD/Troubleshoot+Listening+Tentacles

TCPView shows the following communication attempts from Tentacle.exe (and more similar ones from svchost.exe)

Tentacle.exe:6776    TCP    server.company.com:56239    a23-209-183-17.deploy.static.akamaitechnologies.com:http    SYN_SENT
Tentacle.exe:6776    TCP    server.company.com:56241    a23-209-183-19.deploy.static.akamaitechnologies.com:http    SYN_SENT
Tentacle.exe:10728   TCP    server.company.com:56249    ocsp.comodoca.com:http                                      SYN_SENT
Tentacle.exe:10728   TCP    server.company.com:56251    crl.comodoca.com:http                                       SYN_SENT

The Octopus documentation (and the above forum post) mentions disabling "Check publisher's certificate revocation" in Internet Explorer advanced security options. I just wanted to mention that this is a per-user setting, so unless you run your tentacle under a service account and log on with that service account to set the IE setting, doing it in IE doesn't really do much.

We run our tentacles under the LocalSystem account (default installation setup), but luckily you CAN set this same IE option via the registry, using the special SID of the LocalSystem account.

HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing
Original Value (Enables CRL Checking): "State"=dword:00023c00
New Value (Disables CRL Checking):  "State"=dword:00023e00

I found this information here: https://social.technet.microsoft.com/Forums/exchange/en-US/1a89fff4-da6e-4055-be04-2e52af3ee76e/disable-crl-check-for-exchange-servers-without-internet-access?forum=exchange2010

So after doing this, the CRL and OCSP attempts no longer occur, so this has indeed removed those "check for publisher certificate revocation" connections. It would be a good idea to update the doco etc. with this information about how to set that reg key for the LocalSystem account.

Unfortunately though, the attempts to hit those 2 akamai URLs are still occurring, and this is still causing the tentacle problems where it restarts itself and thus affects the communication between server and tentacle (it seems to mostly impact the discovery/add tentacle process; once they are connected they seem to stay connected).

Please can you help identify what this attempt to communicate to these 2 akamai URLs is and how we can remove it? I guess it might be either the .NET Framework or some other component attempting to do auto updates or some other type of phone home. There really needs to be a way to stop this from happening; otherwise Tentacle.exe times out trying to hit it and restarts itself, meanwhile the "Add new Tentacle" discovery process gets timeouts or connection refused errors.

Tentacle.exe:12748   TCP    server.company.com:59677    a23-209-183-17.deploy.static.akamaitechnologies.com:http    SYN_SENT
Tentacle.exe:1692    TCP    server.company.com:59685    a23-209-183-19.deploy.static.akamaitechnologies.com:http    SYN_SENT

If Support or any other users can confirm they also see this, and more so can indicate a solution, it would be awesome.

Thanks

The formatting got a bit messed up, but just to clarify, the 2 akamai URLs are:

a23-209-183-17.deploy.static.akamaitechnologies.com
a23-209-183-19.deploy.static.akamaitechnologies.com

Hi Ryan,

I just replied to your email to support (sorry, should have checked Tender first). Hope that helps!

Paul

To update those following at home, Paul suggested the akamai hits might be related to Windows attempting to update certificates, and that was spot on!

There is a Group Policy that can be used to disable this:

gpedit.msc
Administrative Templates > 
System > 
Internet Communication Management > 
Internet Communication settings >
Turn off Automatic Root Certificates Update >
ENABLED

After doing this and monitoring with TCPView, we no longer see any outbound internet comms from OctopusServer.exe and Tentacle.exe.

So to summarise, if you are on a server without internet access, you need to disable publisher certificate revocation checking (via the registry for the LocalSystem account) and use Group Policy to "Turn off Automatic Root Certificates Update" in order to stop these internet connection attempts being made by Microsoft/.NET Framework components.

Thanks
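The following PowerShell script is an added example, not something posted in this thread or shipped by Octopus Deploy. It audits, and with -Apply sets, the two settings summarised above on an offline host running Tentacle as LocalSystem. It assumes two things beyond what the thread states: that the "Turn off Automatic Root Certificates Update" policy is backed by the registry value DisableRootAutoUpdate under HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\AuthRoot (the thread only gives the gpedit path), and that the only meaningful difference between the two State values quoted above (0x23c00 and 0x23e00) is bit 0x200, so the script sets that bit with a bitwise OR instead of overwriting the whole value. The -Apply switch and the Get-OfflineCertSettings function are names chosen for this example.

```powershell
# Added example: audit (and optionally apply) the two offline-host settings from the thread.
# Run from an elevated PowerShell prompt on the Tentacle host.
param([switch]$Apply)   # -Apply is this script's own switch, not an Octopus/Tentacle option

# 1. "Check for publisher's certificate revocation" for the LocalSystem profile (SID S-1-5-18).
#    HKU: is not a default PowerShell drive, so go through the Registry:: provider path.
$spPath = 'Registry::HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing'
$ignoreRevocationBit = 0x200   # 0x23c00 -> 0x23e00 in the thread differs only in this bit

# 2. Assumed registry backing of the GPO "Turn off Automatic Root Certificates Update".
$authRootPath = 'HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\AuthRoot'

function Get-OfflineCertSettings {
    $state = (Get-ItemProperty -Path $spPath -Name State -ErrorAction SilentlyContinue).State
    $disableRoot = (Get-ItemProperty -Path $authRootPath -Name DisableRootAutoUpdate -ErrorAction SilentlyContinue).DisableRootAutoUpdate
    [pscustomobject]@{
        SoftwarePublishingState = if ($null -ne $state) { '0x{0:x}' -f $state } else { '<missing>' }
        # True when the revocation-check bit is set, i.e. CRL/OCSP lookups are suppressed
        RevocationCheckDisabled = ($null -ne $state) -and (($state -band $ignoreRevocationBit) -ne 0)
        RootAutoUpdateDisabled  = ($disableRoot -eq 1)
    }
}

Write-Host 'Current settings:'
Get-OfflineCertSettings | Format-List

if ($Apply) {
    if (-not (Test-Path $spPath)) { New-Item -Path $spPath -Force | Out-Null }
    $current = (Get-ItemProperty -Path $spPath -Name State -ErrorAction SilentlyContinue).State
    if ($null -eq $current) { $current = 0x23c00 }   # default value quoted in the thread
    # OR the bit in rather than writing 0x23e00 wholesale, so any other flags already set survive
    Set-ItemProperty -Path $spPath -Name State -Value ($current -bor $ignoreRevocationBit) -Type DWord

    if (-not (Test-Path $authRootPath)) { New-Item -Path $authRootPath -Force | Out-Null }
    Set-ItemProperty -Path $authRootPath -Name DisableRootAutoUpdate -Value 1 -Type DWord

    Write-Host 'Settings after apply:'
    Get-OfflineCertSettings | Format-List
}
```

Run it once without -Apply to see where a host stands, then with -Apply on machines that genuinely have no internet path. Because both changes widen what the host will trust without a revocation or root-store check, they belong only on isolated hosts, and the registry version of the policy value may be reset on domain members if a domain GPO configures the same setting differently, so the gpedit/GPO route from the thread is the durable one there. Re-checking with TCPView afterwards, as Ryan did, confirms the SYN_SENT attempts to crl/ocsp and the akamai hosts have stopped.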

Hi Ryan, glad you managed to find the answer and thanks for sharing!

Paul