Hi,
I’m trying to set up a listening Linux tentacle (Ubuntu). I run a command to configure it with the server’s thumbprint. Server sees it as unavailable. In the service logs on the tentacle I can see: A client at [<my octopus server's ip>]:17817 connected, and attempted a message exchange, but did not present a client certificate
Octopus shows error:
Connection initialization failed while connecting to https://<My tentacle>:10933/ Halibut.Transport.Protocol.ConnectionInitializationFailedException: Unable to receive the remote identity; the identity line was empty.
Not sure what to do here, any help is appreciated.
We’ve seen this error previously when tentacles running on modern versions of their respective OS, such as Server 2019, are attempting to connect to an Octopus server that might still use a SHA1-encoded certificate (this was the default encryption used for certificates before Octopus version 3.14). If you have had your Octopus server active since before then, this is likely the case, and the SHA1 negotiation is being blocked by newer versions of OpenSSL.
You can check what encryption your certificate uses by navigating to Configuration -> Thumbprint, and you should see a line that reads The server certificate uses the sha1RSA algorithm. or similar. If this is the case, this is what’s happening. We now use sha256RSA encryption.
Hi @paul.calvert thank you, indeed I checked and the server is using the SHA1.
Is there a way to generate an additional thumbprint for the same server? If I just re-generate it, all our 30+ tentacles will become useless and the deploys will be disrupted around the whole company. It would be great to have 2 thumbprints and slow, no-downtime upgrades. Is it possible at all?
Unfortunately not, it is just the one.
The process to update the trust on the tentacles is command line based so you will hopefully be able to script the update and push it to all targets at once using a remote PowerShell session or similar.
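
One way to script the trust update mentioned in the last reply, for Linux Tentacles reached over SSH. This is an added example, not code from the thread or from Octopus. Assumptions: the `configure --trust`, `configure --remove-trust` and `service --restart` options of the Tentacle CLI (check them against your Tentacle version), the install path, the instance name, the hosts file, and that a Tentacle can hold trust for more than one thumbprint, so `add` runs before the server certificate is replaced and `remove` after.

```shell
#!/bin/sh
# Added example: stage a server-thumbprint trust change across Linux Tentacles.
# Assumed, not from the thread: install path, instance name, hosts file,
# key-based SSH with sudo on each target.
TENTACLE_BIN="${TENTACLE_BIN:-/opt/octopus/tentacle/Tentacle}"
INSTANCE="${INSTANCE:-Tentacle}"

# Thumbprints are 40 hex characters. Anything else is rejected before it
# can be interpolated into a command line that runs as root on a target.
valid_thumbprint() {
  [ "${#1}" -eq 40 ] || return 1
  case "$1" in *[!0-9A-Fa-f]*) return 1 ;; esac
  return 0
}

# Print the commands for one Tentacle. phase: add | remove
trust_commands() {
  phase="$1"; thumb="$2"
  valid_thumbprint "$thumb" || { echo "invalid thumbprint" >&2; return 1; }
  case "$phase" in
    add)    flag="--trust" ;;
    remove) flag="--remove-trust" ;;
    *)      echo "phase must be add or remove" >&2; return 1 ;;
  esac
  printf '%s configure --instance %s %s %s\n' "$TENTACLE_BIN" "$INSTANCE" "$flag" "$thumb"
  printf '%s service --instance %s --restart\n' "$TENTACLE_BIN" "$INSTANCE"
}

# Run the commands on every host in hosts_file (one per line, # = comment).
# DRY_RUN=1 prints the plan instead of connecting. Fails if any host failed.
apply_to_hosts() {
  hosts_file="$3"; failed=0
  cmds="$(trust_commands "$1" "$2")" || return 1
  while IFS= read -r host; do
    case "$host" in ''|'#'*) continue ;; esac
    if [ -n "${DRY_RUN:-}" ]; then
      printf '[dry-run] %s:\n%s\n' "$host" "$cmds"
    elif ! ssh -o BatchMode=yes "$host" "sudo sh -e -c '$cmds'" </dev/null; then
      echo "FAILED: $host" >&2; failed=$((failed + 1))
    fi
  done < "$hosts_file"
  [ "$failed" -eq 0 ]
}

# Usage: DRY_RUN=1 sh rotate-trust.sh add <NEW_THUMBPRINT> hosts.txt
if [ "$#" -eq 3 ]; then apply_to_hosts "$@"; fi
```

Run it with `DRY_RUN=1` against a single test target first, and keep the list of hosts reported as `FAILED` so they can be retried before the old trust is removed.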