Issues with installing tentacle (Windows 2008 OS [32-bit]) - certificate generation

Issues with cert generation while installing Tentacle config. How do I get past this error?
Logs attached.

OperatingSystem: Microsoft Windows NT 6.0.6002 Service Pack 2
OsBitVersion: x86
Is64BitProcess: False
CurrentUser: XXXXXXX\aburkeadmin
MachineName: XXXXXXX
ProcessorCount: 4
CurrentDirectory: E:\Program Files\Octopus Deploy\Tentacle
TempDirectory: C:\Users\aburkeadmin\AppData\Local\Temp
HostProcessName: Tentacle
2017-07-11 14:08:58.8870 1 INFO ==== NewCertificateCommand ====
2017-07-11 14:09:09.8238 1 ERROR ===============================================================================
2017-07-11 14:09:09.9954 1 FATAL Exception from HRESULT: 0xC0000005
System.Runtime.InteropServices.COMException
at System.Runtime.InteropServices.Marshal.ThrowExceptionForHRInternal(Int32 errorCode, IntPtr errorInfo)
at Octopus.Shared.Internals.CertificateGeneration.Win32ErrorHelper.ThrowExceptionIfGetLastErrorIsNotZero()
at Octopus.Shared.Internals.CertificateGeneration.CryptContext.CreateSelfSignedCertificate(SelfSignedCertProperties properties)
at Octopus.Shared.Security.CertificateGenerator.Generate(String fullName, Boolean exportable)
at Octopus.Shared.Security.CertificateGenerator.GenerateNew(String fullName)
at Octopus.Tentacle.Configuration.TentacleConfiguration.GenerateNewCertificate()
at Octopus.Tentacle.Commands.NewCertificateCommand.Start()
at Octopus.Shared.Startup.AbstractCommand.Start(String[] commandLineArguments, ICommandRuntime commandRuntime, OptionSet commonOptions)
at Octopus.Shared.Startup.OctopusProgram.Start(ICommandRuntime commandRuntime)
at Octopus.Shared.Startup.ConsoleHost.Run(Action`1 start, Action shutdown)
at Octopus.Shared.Startup.OctopusProgram.Run()
2017-07-11 14:09:10.1670 1 FATAL -------------------------------------------------------------------------------
Terminating process with exit code 100
Full error details are available in the log files at:
C:\Users\aburkeadmin\AppData\Local\Octopus\Logs
E:\Octopus\Logs

OctopusTentacle_log_appdata.txt (7 KB)

OctopusTentacle_log.txt (9 KB)

Hi Aaron,

Thanks for getting in touch. The only things I can find are this and this.

So try setting the “CNG Key Isolation” service to Enabled and toggling the FIPS options.

If that does not work, could you try installing an older version of the tentacle, say one from 3.4, to see if it is a problem we have recently introduced?

Also, do you have any Windows 2008 machines where the tentacle installation works?

Robert W

Hi Robert,

I checked the CNG Isolation settings - they are turned on via GPO in our environment and FIPS compliance is disabled.

We have not tried the installation on any other Windows 2008 machine yet. There is one scheduled for next week and I will post back the results once we attempt the installation.

Another member of the team reverse engineered the code of the current tentacle, created the cert manually and installed the tentacle via the scripted system. This did seem to work. Not sure if he filed a bug or a pull request to have this update checked into the code base.

Thanks again for the help with this and recommendations.

Hi Aaron,

Thanks for the update. I neglected to point you to the documentation about using a custom certificate with Tentacle. You can generate your own certificates and use them, which may get you around this problem.

Robert W

Hi Aaron,

I have some new information. I suspect this issue was caused when we swapped to creating SHA256 (instead of SHA1) certificates. I have raised an issue for this.

Robert W

Hi Aaron,

Could you check whether that server has the following fix applied? https://support.microsoft.com/en-au/help/2763674/you-cannot-run-an-application-that-is-signed-with-a-sha-256-certificat

Robert W