No peer certificate available - Polling tentacle

When trying to add a new Deployment Target as a polling tentacle, I am getting:

WARN  Checking that server communications are open failed with message The SSL connection could not be established, see inner exception. Unable to read data from the transport connection: Connection reset by peer.. Retrying (1/5) in 00:00:00.7500000.
System.Net.WebException: The SSL connection could not be established, see inner exception. Unable to read data from the transport connection: Connection reset by peer.
 ---> System.Net.Http.HttpRequestException: The SSL connection could not be established, see inner exception.
 ---> System.IO.IOException: Unable to read data from the transport connection: Connection reset by peer.
 ---> System.Net.Sockets.SocketException (104): Connection reset by peer
   --- End of inner exception stack trace ---
   at System.Net.FixedSizeReader.ReadPacketAsync(Stream transport, AsyncProtocolRequest request)
   at System.Net.Security.SslStream.ThrowIfExceptional()
   at System.Net.Security.SslStream.InternalEndProcessAuthentication(LazyAsyncResult lazyResult)
   at System.Net.Security.SslStream.EndProcessAuthentication(IAsyncResult result)
   at System.Net.Security.SslStream.EndAuthenticateAsClient(IAsyncResult asyncResult)
   at System.Net.Security.SslStream.<>c.<AuthenticateAsClientAsync>b__65_1(IAsyncResult iar)
   at System.Threading.Tasks.TaskFactory`1.FromAsyncCoreLogic(IAsyncResult iar, Func`2 endFunction, Action`1 endAction, Task`1 promise, Boolean requiresSynchronization)
--- End of stack trace from previous location where exception was thrown ---
   at System.Net.Http.ConnectHelper.EstablishSslConnectionAsyncCore(Stream stream, SslClientAuthenticationOptions sslOptions, CancellationToken cancellationToken)
   --- End of inner exception stack trace ---
   at System.Net.Http.ConnectHelper.EstablishSslConnectionAsyncCore(Stream stream, SslClientAuthenticationOptions sslOptions, CancellationToken cancellationToken)
   at System.Net.Http.HttpConnectionPool.ConnectAsync(HttpRequestMessage request, Boolean allowHttp2, CancellationToken cancellationToken)
   at System.Net.Http.HttpConnectionPool.CreateHttp11ConnectionAsync(HttpRequestMessage request, CancellationToken cancellationToken)
   at System.Net.Http.HttpConnectionPool.GetHttpConnectionAsync(HttpRequestMessage request, CancellationToken cancellationToken)
   at System.Net.Http.HttpConnectionPool.SendWithRetryAsync(HttpRequestMessage request, Boolean doRequestAuth, CancellationToken cancellationToken)
   at System.Net.Http.RedirectHandler.SendAsync(HttpRequestMessage request, CancellationToken cancellationToken)
   at System.Net.Http.HttpClient.FinishSendAsyncUnbuffered(Task`1 sendTask, HttpRequestMessage request, CancellationTokenSource cts, Boolean disposeCts)
   at System.Net.HttpWebRequest.SendRequest()
   at System.Net.HttpWebRequest.GetResponse()
   --- End of inner exception stack trace ---
   at System.Net.HttpWebRequest.GetResponse()
   at Octopus.Tentacle.Communications.OctopusServerChecker.<>c__DisplayClass2_0.<CheckServerCommunicationsIsOpen>b__1() in /opt/buildagent/work/639265b01610d682/source/Octopus.Tentacle/Communications/OctopusServerChecker.cs:line 49
   at Octopus.Tentacle.Communications.OctopusServerChecker.Retry(String actionDescription, Action action, Int32 retryCount, TimeSpan initialDelay, Double backOffFactor) in /opt/buildagent/work/639265b01610d682/source/Octopus.Tentacle/Communications/OctopusServerChecker.cs:line 88

I am able to telnet from the VM on port 10943 and 443
This is the output from: openssl s_client -host OCTOPUSHOSTNAME -port 10943

CONNECTED(00000003)
write:errno=104
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 310 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---

If I run: openssl s_client -host OCTOPUSHOSTNAME -port 443 I can see the SSL cert.

If I try the same on an existing Deployment Target I get the correct SSL certificate back and I am able to see it under the deployment targets.

The Thumbprint on the octopus cloud server: The server certificate uses the sha256RSA algorithm.

The Deployment Target I am trying to add is a Ubuntu 20.04 LTS VM.

Hi @matt.barber,

Thanks for posting your issue to the Octopus community! I’m sorry to hear registering a new polling tentacle is giving you trouble.

I’m not quite sure what is causing this, but I’ve tested using a new 20.04 LTS VM (on an AWS EC2 instance) and I’m able to register a polling tentacle out of the box, so we’ll have to figure out if there’s a configuration difference here or something that didn’t go well in the setup process.

First, if you haven’t seen it yet we have a great troubleshooting guide here that might be helpful: Troubleshooting Tentacles - Octopus Deploy

If you’ve gone through the troubleshooting already, then I have a few questions to hopefully help get to the bottom of this:

  • Is this a self-hosted version of Octopus, or are you using one of our hosted cloud instances? If you’re using self-hosted, can you let me know which version?
  • Do you use a version of OpenSSL different from the default 1.1.1, or a custom SSL cipher suite on the Tentacle side? It might be good to compare this between targets if you haven’t yet.
  • Is there a proxy or any other type of networking solution sitting between the Tentacle server and Octopus server that you’re aware of and could be causing this?
  • If you run Tentacle show-configuration --instance=<YOUR_TENTACLE> do the details look correct? For example, does the polling type, server address, thumbprint for your Octopus server, and tentacle certificate (i.e. a thumbprint displayed) look correct? If it’s helpful here’s what mine looks like:


Let me know what you find and we can go from there.

Best,
Patrick

Hi Patrick,

Thanks for taking the time to look at this.

The tentacle is a fresh build (we add the VM to Octopus via the init script).
We are using a hosted cloud instance of Octopus.
The OpenSSL version is: OpenSSL 1.1.1f 31 Mar 2020
We don’t have a proxy between the Tentacle and the Octopus server.

Running: Tentacle show-configuration --instance=<YOUR_TENTACLE> gives me:

The CertificateThumbprint doesn’t match what we have in configuration/thumbprint on the octopus instance.

Thanks
Matt.

Hey Matt,

Thanks for getting back to me with those details.

It looks like there isn’t a thumbprint for your Octopus server in Tentacle > TrustedOctopusServers, so that’s likely what’s causing the issue you’re seeing.

If you open up /etc/octopus/default/Logs/OctopusTentacle.txt, that should tell you what didn’t get configured properly in the configuration process. For example, one way this might have happened is if your API key lacked permissions or was invalid. The log would show something like the following:

...
2022-11-03 16:08:17.1359   2299      1 FATAL  The API key you provided was not valid. Please double-check your API key and try again. For instructions on finding your API key, please visit: https://oc.to/ApiKey
Octopus.Client.Exceptions.OctopusSecurityException
   at Octopus.Client.OctopusAsyncClient.DispatchRequest[TResponseResource](OctopusRequest request, Boolean readResponse)
...

If you were running the tentacle configuration from the bash script at /opt/octopus/tentacle/configure-tentacle.sh, then there’s a good chance the service didn’t get configured correctly. You can check this by running sudo systemctl status Tentacle.

To fix these you can either remove the tentacle and start over using the bash script (which might be easiest), or you can run the following commands with your values substituted in to fix the configuration. This is assuming the API key was the issue.

/opt/octopus/tentacle/Tentacle configure --trust "OCTOPUS_SERVER_THUMBPRINT"
/opt/octopus/tentacle/Tentacle register-with --server "OCTO_SERVER_URL" --apiKey "YOUR_API_KEY" --space "SPACE_NAME" --name "Tentacle" --env "OCTO_ENVIRONMENTS" --role "OCTO_ROLES" --publicHostName="IP_ADDRESS"
/opt/octopus/tentacle/Tentacle service --install --start

Let me know if that helps get your polling tentacle registered or if you have any further questions.

Best,
Patrick
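As an added example (not Octopus Deploy's own tooling and not from either poster), here is a small bash pre-flight that checks the two failure modes described in the thread before you retry registration: an invalid API key recorded in OctopusTentacle.txt, and a trusted server thumbprint that is missing or does not match the one shown under Configuration > Thumbprint on the Octopus instance. It assumes you paste the trusted thumbprint from Tentacle show-configuration and the log path yourself; the sample log lines are constructed from the format quoted above.

```shell
#!/usr/bin/env bash
# Added example, not Octopus Deploy's own tooling. Inputs are assumed: the
# thumbprint the Tentacle trusts (copied from "Tentacle show-configuration"),
# the server thumbprint from Configuration > Thumbprint in Octopus, and the
# path to /etc/octopus/default/Logs/OctopusTentacle.txt.

# Normalise a thumbprint for comparison: drop colons and spaces, upper-case.
norm_thumb() {
  printf '%s' "$1" | tr -d ': ' | tr '[:lower:]' '[:upper:]'
}

# 0 if the Tentacle's trusted thumbprint matches the expected one, else 1.
trust_matches() {   # $1 = trusted thumbprint (may be empty), $2 = expected
  [ -n "$1" ] && [ "$(norm_thumb "$1")" = "$(norm_thumb "$2")" ]
}

# Number of FATAL entries in a Tentacle log (timestamp, pid, thread, level).
count_fatals() {   # $1 = log path
  grep -cE '^[0-9]{4}-[0-9]{2}-[0-9]{2} [0-9:.]+ +[0-9]+ +[0-9]+ FATAL ' "$1" || true
}

# Prints one verdict: API_KEY_INVALID, TRUST_MISSING, TRUST_MISMATCH or OK.
diagnose() {   # $1 = trusted thumbprint, $2 = expected thumbprint, $3 = log path
  if grep -q 'The API key you provided was not valid' "$3"; then
    echo API_KEY_INVALID            # re-run register-with with a valid key
  elif [ -z "$1" ]; then
    echo TRUST_MISSING              # "Tentacle configure --trust" never applied
  elif ! trust_matches "$1" "$2"; then
    echo TRUST_MISMATCH             # trusts some other server's thumbprint
  else
    echo OK
  fi
}

# Constructed sample log in the format quoted in the thread (not a real log).
write_sample_log() {
  local f; f=$(mktemp)
  cat > "$f" <<'EOF'
2022-11-03 16:08:17.1359   2299      1 FATAL  The API key you provided was not valid. Please double-check your API key and try again.
Octopus.Client.Exceptions.OctopusSecurityException
   at Octopus.Client.OctopusAsyncClient.DispatchRequest[TResponseResource](OctopusRequest request, Boolean readResponse)
EOF
  echo "$f"
}

# Stand-alone demo: a fresh instance with no trust entry and a bad API key.
diagnose "" "AB:CD:EF:01" "$(write_sample_log)"
```

A verdict other than OK means the commands Patrick lists (configure --trust, register-with, service --install --start) are worth re-running with corrected values before chasing the TLS reset further.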
