I have Octopus server in version 2019.6.4. I approached a problem with Import Certificate step for custom user. I had process as follow:
- Create user in AD
- Import Certificate to this user’s tentacle
- Deploy windows service
Where windows service on start loads certificate, and fails if not succeeds.
Import certificate to user’s store goes green and windows service fails to start after deploy because of missing certificate.
Investigation shown that user’s certificate store in register are present only in that user is active (so only, when windows service is running).
Our temporary fix was to deploy service in version that don’t use certificate and then redeploy version that uses certificate.
False positive certificate import led to hours of investigation to find an issue with deploy. Step should fail and notify about the problem, if custom user certificate store registry keys are not present in register.
Thank you for reaching out using the Import Certificate step. Sorry to hear that you’ve run into an issue here.
I’ll look further into this for you but to help with my investigation; I need to ask a couple more questions to get a better understanding of what is going on here.
Could you please get a copy of the full deployment log and add it as an attachment here? Please be aware of any sensitive information that may be on there and edit accordingly, or if you’d prefer I can mark this conversation private so that only we can see it.
The step to import the certificate should have no awareness of any windows service. What may be happening here is that as the service is already running, the new certificate wasn’t able to overwrite the current one.
When you checked the user’s certification store, can you tell me if the certificate was there at all or was it only the old one?
ServerTasks-324988.log.txt (3.1 KB)
Thanks for the reply. I had to heavily cut out log, as my company policy requires that. But detailed log is not necessary to grasp the issue. We could have little missunderstanding on the matter there because it’s not about overwriting certificate, but importing it on the first place.
For the log - it’s step execution from single run - step 5 with import certificate executes successsfully. If I run it again - it won’t show that the certificate already exists as it should (if it really would export it) but will give again message “Importing certificate…” - so it runs as false positive (succeeds without really importing the certificate).
The problem is not windows service, but inactive user on server. If user don’t have active session on server it won’t have user certificate store registry entries in the system. Therefore in my case, fresh deploy on new server won’t import certificate for newly created user because windows service is not present (and running) there yet. Unless there is already running windows service for that user on server it wont import certificate. It will also work, if I login on that user from console - it has open user session and step will import certificate properly.
If there is service running on that user in time of deployment, everything works as intended - step will import certificate, and then in next run show that it is already imported.
Step as it seems to me, is not checking, if there is access to user’s certificate store, and only executes the importing part without confirming, if it really works.
I don’t think there is a technical solution to import certificate to inactive user’s personal store (only way apparent to me is to log in as that user first, so it would require passing credentials for that user). But the most problematic part with diagnosing that behaviour was step stating that certificate imported successfully when it really hasn’t.
Thank you for getting back to me with the extra information. That helped clear things up and gave me a better understanding of the issue.
I’m going to attempt to reproduce this on my own instance, and I’ll get back to you when I’ve made progress.
Thank you for your patience with me on this. I’ve managed to reproduce your issue, and it does appear that running the import certificate step before a user has logged in is incorrectly showing as successful.
I’ve created an issue on GitHub about this and will raise it with our engineers. You can follow the issue here https://github.com/OctopusDeploy/Issues/issues/6662
Thank you for finding and bringing this to our attention!
This topic was automatically closed 31 days after the last reply. New replies are no longer allowed.