Deployment Target-scoped certificate variable set prevents deployment

usability
(Jdtibbetts) #1

Steps to reproduce:

  1. Create certificates for multiple deployment targets
  2. Create a variable set in Octopus with variable type certificate
  3. Add more than one certificate value
  4. Define the scope of each value to a different deployment target.
  5. Include variable set from 2 in a project
  6. Create a release and try and deploy to tenant that includes deployment target from 4.

The result:

Test is not authorized to use certificate ‘MyCert’. It is referenced by variable ‘FDQNCert’. Once you have corrected these problems you can try again. If the problem is related to a variable you will need to update the variables for this release or recreate the release for the changes to take effect. If the problem is related to the deployment process you will need to create a new release for the changes to take effect.

(Kenneth Bates) #3

Hi @jdtibbetts,

Thanks for getting in touch! Sorry to hear you’ve hit this confusion! I haven’t been able to reproduce this behavior however. I suspect what might be the cause of this unexpected behavior is that the certificate hasn’t been explicitly given access to the tenant. When adding a new certificate, you need to include it in tenanted deployments, and select which individual tenants the certificate can be associated with. The screenshot below shows this configuration.

Is that the missing piece in your scenario? If you’re still hitting this issue after confirming that, can you let me know which Octopus version you’re currently running?

I hope this helps, and I look forward to hearing back!

Best regards,

Kenny

(Jdtibbetts) #4

Thanks for replying so quickly, Kenny. That was not the issue. The certificates are associated with the tenants. We are using Octopus version v2019.6.8.

Here are the certs with their associated tenants.

Here is the variable set that uses those certs.

In the project we include the Library variable set.

Then when trying to deploy the project to the associated tenant in this case Tank7-Octo-Dev, it is trying to reference certificate RD-JTIBBETTS2 even though it is not associated with tenant Tank7-Octo-Dev.

It seems like the scoping of the certificates in the Library Set is not working as expected.

(Kenneth Bates) #5

Hi @jdtibbetts,

Thanks for following up and clarifying that additional information on your setup. I’ve been able to reproduce this behavior, though only when my tenant is assigned to both machines (that both of the values for this certificate variable are scoped to). In this case, it’s the intended behavior as targeting this tenant deploys to both machines, meaning both certificate variables are valid, but only one certificate is scoped to the target tenant. Is that the same cause of this issue in your case as well?

I look forward to hearing back!

Best regards,

Kenny

(Jdtibbetts) #6

Hi Kenny,

The tenant is not assigned to both machines. In fact, each tenant in this case is only assigned to 1 machine.

I appreciate your help. If there is any other information I can provide please let me know.

Thanks

(Kenneth Bates) #7

Hi @jdtibbetts,

Thanks for keeping in touch and confirming that about your setup. That being the case, I’m honestly stumped at this point as your configuration seems perfect and works as we both expect in my local testing. Is it at all possible you could attempt an upgrade to a later LTS release to see if that alone fixes it? This may be an edge case to some bug that’s been fixed since 2019.6.8 (maybe this similar one around certificates and tenant variables).

I look forward to hearing back!

Best regards,

Kenny

(Jdtibbetts) #8

Hi Kenny,

I’ve upgraded to 2019.9.7 LTS and I see the same issue. To simplify matters I changed to using a project variable instead of Library variable sets and I still see the issue. Scoping certificate variables by deployment target only requires all tenants to be authorized to use all certificates.

(Octopus) #9

Seeing something similar in v2019.10.0 with tenanted and untenanted deployments.

Project variable “Cert” uses certificate A, this is only available for untenanted deployments.
Tenant variable “Cert” from project template uses certificate B, this is only available to a tenant.

Deployment Variable Preview correctly displays variables for both tenanted and untenanted scenarios.

Error when trying to deploy to tenant with message “Tenant is not authorized to use certificate ‘A’. It is referenced by variable ‘Cert’…”

(Jdtibbetts) #10

Hi Kenny,

Is there anything else I can do to help you in reproducing this issue?

Thanks

(Kenneth Bates) #11

Hi @jdtibbetts and @Pus,

Thanks for keeping in touch! I’ve attempted a couple extra times to reproduce this behavior from scratch with no luck whatsoever. Could you also send a screenshot showing the configuration of your Tank7-Octo-Dev-Tenant? I’d like to take a look to see if any certificates are defined in this tenant’s variables (or anything else I might be overlooking). It shouldn’t be possible for this tenant to have a certificate they’re not authorized to use, though perhaps something really unexpected happened.

This is probably a very obvious question but just to rule it out - is this a brand new release you’re attempting to deploy? This ensures any variable changes are applied.

In regards to the behavior you’re hitting @Pus, would you be willing to send through some additional information, like screenshots showing the configuration of these certificates and of the deployment page where you’re seeing this error message?

I look forward to hearing back!

Best regards,

Kenny

(Jdtibbetts) #12

Hi Kenny,

Yes, this is a brand new release. Here is the screenshot you requested.

Again, I appreciate your help.

(Kenneth Bates) #13

Hi @jdtibbetts,

Thanks for following up with that. It doesn’t look like this tenant’s project variables should have any impact here. From here, would you be willing to supply us with an export of this entire project? You can use the Octopus.Migrator.exe command line to run a partial-export command targeting this project, as shown in the doc page below.

You can upload this to the support files section of your Octopus account as shown below.

After grabbing this export, are you able to temporarily work around this issue by removing the RD-JTIBBETTS2 certificate from this variable, and setting it up as a separate, uniquely named certificate variable?

I greatly appreciate your patience as I dig into this, and I look forward to hearing back.

Best regards,

Kenny

(Jdtibbetts) #14

Hi Kenny,

My colleague TGillitzer will upload the exported project. I tried your workaround and get the same issue. Screenshots below.

(tgillitzer) #15

@Kenneth_Bates I have attached the exported project to my account per your screenshot below. My account is under tgillitzer@gmail.com.

Thanks for your assistance working through this.