Deployment Target-scoped certificate variable set prevents deployment

usability
(Jdtibbetts) #1

Steps to reproduce:

  1. Create certificates for multiple deployment targets
  2. Create a variable set in Octopus with variable type certificate
  3. Add more than one certificate value
  4. Define the scope of each value to a different deployment target.
  5. Include the variable set from step 2 in a project
  6. Create a release and try to deploy to a tenant that includes a deployment target from step 4.

The result:

Test is not authorized to use certificate ‘MyCert’. It is referenced by variable ‘FDQNCert’. Once you have corrected these problems you can try again. If the problem is related to a variable you will need to update the variables for this release or recreate the release for the changes to take effect. If the problem is related to the deployment process you will need to create a new release for the changes to take effect.

(Kenneth Bates) #3

Hi @jdtibbetts,

Thanks for getting in touch! Sorry to hear you’ve hit this confusion! I haven’t been able to reproduce this behavior, however. I suspect what might be the cause of this unexpected behavior is that the certificate hasn’t been explicitly given access to the tenant. When adding a new certificate, you need to include it in tenanted deployments, and select which individual tenants the certificate can be associated with. The screenshot below shows this configuration.

Is that the missing piece in your scenario? If you’re still hitting this issue after confirming that, can you let me know which Octopus version you’re currently running?

I hope this helps, and I look forward to hearing back!

Best regards,

Kenny

(Jdtibbetts) #4

Thanks for replying so quickly, Kenny. That was not the issue. The certificates are associated with the tenants. We are using Octopus version v2019.6.8.

Here are the certs with their associated tenants.

Here is the variable set that uses those certs.

In the project we include the Library variable set.

Then, when trying to deploy the project to the associated tenant, in this case Tank7-Octo-Dev, it is trying to reference certificate RD-JTIBBETTS2 even though it is not associated with tenant Tank7-Octo-Dev.

It seems like the scoping of the certificates in the Library Set is not working as expected.

(Kenneth Bates) #5

Hi @jdtibbetts,

Thanks for following up and clarifying that additional information on your setup. I’ve been able to reproduce this behavior, though only when my tenant is assigned to both machines (that both of the values for this certificate variable are scoped to). In this case, it’s the intended behavior as targeting this tenant deploys to both machines, meaning both certificate variables are valid, but only one certificate is scoped to the target tenant. Is that the same cause of this issue in your case as well?

I look forward to hearing back!

Best regards,

Kenny

(Jdtibbetts) #6

Hi Kenny,

The tenant is not assigned to both machines. In fact, each tenant in this case is only assigned to 1 machine.

I appreciate your help. If there is any other information I can provide please let me know.

Thanks

(Kenneth Bates) #7

Hi @jdtibbetts,

Thanks for keeping in touch and confirming that about your setup. That being the case, I’m honestly stumped at this point as your configuration seems perfect and works as we both expect in my local testing. Is it at all possible you could attempt an upgrade to a later LTS release to see if that alone fixes it? This may be an edge case to some bug that’s been fixed since 2019.6.8 (maybe this similar one around certificates and tenant variables).

I look forward to hearing back!

Best regards,

Kenny

(Jdtibbetts) #8

Hi Kenny,

I’ve upgraded to 2019.9.7 LTS and I see the same issue. To simplify matters I changed to using a project variable instead of Library variable sets and I still see the issue. Scoping certificate variables by deployment target only requires all tenants to be authorized to use all certificates.