1. Create certificates for multiple deployment targets
2. Create a variable set in Octopus with variable type certificate
3. Add more than one certificate value
4. Define the scope of each value to a different deployment target.
5. Include variable set from 2 in a project
6. Create a release and try and deploy to tenant that includes deployment target from 4.

The result:
Test is not authorized to use certificate ‘MyCert’. It is referenced by variable ‘FDQNCert’. Once you have corrected these problems you can try again. If the problem is related to a variable you will need to update the variables for this release or recreate the release for the changes to take effect. If the problem is related to the deployment process you will need to create a new release for the changes to take effect.
Thanks for getting in touch! Sorry to hear you’ve hit this confusion! I haven’t been able to reproduce this behavior however. I suspect what might be the cause of this unexpected behavior is that the certificate hasn’t been explicitly given access to the tenant. When adding a new certificate, you need to include it in tenanted deployments, and select which individual tenants the certificate can be associated with. The screenshot below shows this configuration.
Is that the missing piece in your scenario? If you’re still hitting this issue after confirming that, can you let me know which Octopus version you’re currently running?
I hope this helps, and I look forward to hearing back!
Then when trying to deploy the project to the associated tenant in this case Tank7-Octo-Dev, it is trying to reference certificate RD-JTIBBETTS2 even though it is not associated with tenant Tank7-Octo-Dev.
Thanks for following up and clarifying that additional information on your setup. I’ve been able to reproduce this behavior, though only when my tenant is assigned to both machines (that both of the values for this certificate variable are scoped to). In this case, it’s the intended behavior as targeting this tenant deploys to both machines, meaning both certificate variables are valid, but only one certificate is scoped to the target tenant. Is that the same cause of this issue in your case as well?
Thanks for keeping in touch and confirming that about your setup. That being the case, I’m honestly stumped at this point as your configuration seems perfect and works as we both expect in my local testing. Is it at all possible you could attempt an upgrade to a later LTS release to see if that alone fixes it? This may be an edge case to some bug that’s been fixed since 2019.6.8 (maybe this similar one around certificates and tenant variables).
I’ve upgraded to 2019.9.7 LTS and I see the same issue. To simplify matters I changed to using a project variable instead of Library variable sets and I still see the issue. Scoping certificate variables by deployment target only requires all tenants to be authorized to use all certificates.
Seeing something similar in v2019.10.0 with tenanted and untenanted deployments.
Project variable “Cert” uses certificate A, this is only available for untenanted deployments.
Tenant variable “Cert” from project template uses certificate B, this is only available to a tenant.
Deployment Variable Preview correctly displays variables for both tenanted and untenanted scenarios.
Error when trying to deploy to tenant with message “Tenant is not authorized to use certificate ‘A’. It is referenced by variable ‘Cert’…”
Thanks for keeping in touch! I’ve attempted a couple extra times to reproduce this behavior from scratch with no luck whatsoever. Could you also send a screenshot showing the configuration of your Tank7-Octo-Dev-Tenant? I’d like to take a look to see if any certificates are defined in this tenant’s variables (or anything else I might be overlooking). It shouldn’t be possible for this tenant to have a certificate they’re not authorized to use, though perhaps something really unexpected happened.
This is probably a very obvious question but just to rule it out - is this a brand new release you’re attempting to deploy? This ensures any variable changes are applied.
In regards to the behavior you’re hitting @Pus, would you be willing to send through some additional information, like screenshots showing the configuration of these certificates and of the deployment page where you’re seeing this error message?
Thanks for following up with that. It doesn’t look like this tenant’s project variables should have any impact here. From here, would you be willing to supply us with an export of this entire project? You can use the Octopus.Migrator.exe command line to run a partial-export command targeting this project, as shown in the doc page below.
You can upload this to the support files section of your Octopus account as shown below.
After grabbing this export, are you able to temporarily work around this issue by removing the RD-JTIBBETTS2 certificate from this variable, and setting it up as a separate, uniquely named certificate variable?
I greatly appreciate your patience as I dig into this, and I look forward to hearing back.