Linux Tentacle - Octopus server is not presenting client certificate

Hi,
I’m trying to setup a listening linux tentacle (Ubuntu). I run a command to configure it with the server’s thumbprint. Server sees it as unavailable. In the service logs on the tentacle I can see:
A client at [<my octopus server's ip>]:17817 connected, and attempted a message exchange, but did not present a client certificate

Octopus shows error:

Connection initialization failed while connecting to https://My tentacle>:10933/ Halibut.Transport.Protocol.ConnectionInitializationFailedException: Unable to receive the remote identity; the identity line was empty.

Not sure what to do here, any help is appreaciated.

Thanks

Hi @abuynyachenko,

Thanks for getting in touch!

We’ve seen this error previously when tentacles running on modern versions of their respective OS, such as Server 2019, are attempting to connect to an Octopus server that might still use a SHA1-encoded certificate (this was the default encryption used for certificates before Octopus version 3.14) - If you have had your Octopus server active since before then, this is likely the case, and the SHA1 negotiation is being blocked by newer versions of OpenSSL.

You can check what encryption your certificate uses by navigating to Configuration -> Thumbprint, and you should see a line that reads The server certificate uses the sha1RSA algorithm. or similar. If this is the case, this is what’s happening. We now use sha256RSA encryption.

There’s some minor manual work involved in getting this fixed up, basically generating a new server certificate and then updating the trust on your Tentacles to trust the new thumbprint.

I hope this helps.

Regards,
Paul

Hi @paul.calvert thank you, indeed I checked and the server is using the SHA1.
Is there a way to generate an additional thumbprint for the same server? If I just re-generate it, all our 30+ tentacles will become useless and the deploys will be disrupted around the whole company. It would be great to have 2 thumbprints and a slow no-downtime upgrades. Is it possible at all?

Thank you

Unfortunately not, it is just the one.
The process to update the trust on the tentacles is command line based so you will hopefully be able to script the update and push it to all targets at once using a remote Powershell session or similar.

Thanks Paul, I see.

1 Like

This topic was automatically closed 31 days after the last reply. New replies are no longer allowed.