Octopus server certificate

Hi Guys,

We’ve noticed that the certificate for the octopus server (e.g. the one used when the tentacle connects on port 10943) is not as secure as one would like (512-bit), given that modern computing power would allow an attacker to break the encryption with a sufficient degree of determination.

Do you have any plans or means for replacing it with a more secure one?

Hi Andrew,
Based on the key size that you indicate you have found, I am guessing that you are using Octopus Deploy version 1.6.x? Is this correct? From 2.6.5 onwards this key size was increased to 2048, which should be a little more secure. I would highly recommend that you upgrade to our latest 3.0.x builds, as there are many other security upgrades we have done since then (along with many other exciting features).
You can even provide your own certificate to the tentacle to use!
Keep in mind that as you upgrade your Tentacles the accompanying certificates are left as-is without getting regenerated. This is obviously to ensure that they remain in contact with the server before and after the upgrade takes place.

When you have upgraded your Tentacles and are ready to upgrade your certificate to the newer settings you have two options (both described in our documentation).
You can generate your own or have the Tentacle regenerate one for itself.
To allow the Tentacle to regenerate, simply stop the Tentacle service and call

tentacle.exe new-certificate

which will return a message like

Octopus Deploy: Tentacle version 3.2.x

A new certificate has been generated and installed. Thumbprint:
DE010ABF6FF8ED1B7895A31F005B8D88A3329867

If you were to just go and try to run something like a script task now, the Octopus Server would complain saying the certificate thumbprint that was used doesn’t match the one expected. To allow the Server to now accept this new thumbprint, navigate to the Tentacle details screen and add the new tentacle thumbprint as returned from the command above.

And that's all there is to it!

Let me know if you have any further questions around the upgrade process or dealing with certificate regeneration. I think you will be a lot happier with our latest version as increased certificate keys are but one of many updates that make it more secure than ever.
Cheers
Robert

Thank you for your swift and detailed response.

Our Octopus installation is 3.2.23.
In this one case, we are using a polling tentacle to deploy to a remotely hosted machine where listening is not an option. We’ve been using Octopus for a while, so I imagine our original version was 1.6.x and that would explain the smaller key size in the octopus “server” certificate. Is there any way of regenerating this (understanding, of course, the obvious inconvenience this would cause us, as we would need to add the new thumbprint to all tentacles, of which we have a hundred or so)?

Thanks,

-Andy

Hi Rob,

Thanks for your answer. Can you also elaborate on which certificate is actually used for encryption of polling tentacle connections?

Thanks,
AlexK

Alex,
For polling tentacles, a certificate on the Server is actually used for encryption, similar to how HTTPS works. The Tentacle uses the thumbprint you enter during its installation to validate the certificate that the server presents. This can be regenerated on the server by stopping the service and running the

Octopus.Server.exe regenerate-certificate --octopus-tentacle

command, however keep in mind this will also require updating the thumbprint on the tentacle so that it knows to trust this new certificate.

Andrew,
Details about how to regenerate the Tentacle certificate for listening Tentacles can be found in my previous post or in the documentation link provided.

Let me know if there is any further confusion around this,
Cheers,
Rob
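An added example, not code from this thread or from Octopus Deploy: a PowerShell probe that connects to the port the thread is discussing (10943 for the Server certificate a polling Tentacle validates, 10933 for a listening Tentacle's own certificate), captures the certificate presented in the TLS handshake, and reports its RSA key size and thumbprint. It covers both questions raised above: whether the key is still a legacy 512-bit one, and, after `new-certificate` or `regenerate-certificate --octopus-tentacle`, whether the endpoint now presents the thumbprint you have configured on the other side. The host name, ports and the expected thumbprint are placeholders; because Octopus pins self-signed certificates by thumbprint, chain validation errors are deliberately ignored, and because the endpoint expects a client certificate that this probe does not offer, the certificate is captured in the validation callback so it is still reported if the handshake is aborted after it was presented.

```powershell
# Added example (editor's own, not code from the thread or from Octopus Deploy).
# Report the RSA key size and thumbprint of the certificate an Octopus Server (polling
# port 10943) or a listening Tentacle (port 10933) presents during the TLS handshake.
# Assumptions: host name, ports and $ExpectedThumbprint are placeholders.
param(
    [string]$HostName = 'octopus.example.internal',   # placeholder
    [int]$Port = 10943,                                # 10943 = Server polling port, 10933 = listening Tentacle
    [int]$MinimumBits = 2048,                          # 512-bit keys predate Octopus 2.6.5
    [string]$ExpectedThumbprint = ''                   # e.g. the value printed by "tentacle.exe new-certificate"
)

# Octopus pins self-signed certificates by thumbprint, so chain errors are expected and ignored.
# The certificate is captured here so it is still reported if the handshake is aborted later
# (the endpoint wants a client certificate, and this probe offers none).
$state = @{ Cert = $null }
$accept = [System.Net.Security.RemoteCertificateValidationCallback]{
    param($sender, $certificate, $chain, $errors)
    $state.Cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($certificate)
    return $true
}

$tcp = [System.Net.Sockets.TcpClient]::new($HostName, $Port)
try {
    $ssl = [System.Net.Security.SslStream]::new($tcp.GetStream(), $false, $accept)
    try {
        $ssl.AuthenticateAsClient($HostName)
    } catch {
        # Nothing captured means a real connectivity/TLS problem; otherwise keep going with what we saw.
        if (-not $state.Cert) { throw }
        Write-Warning "Handshake ended with: $($_.Exception.Message) (certificate was still captured)"
    }
} finally {
    $tcp.Dispose()
}

$cert = $state.Cert
$rsa  = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($cert)
$bits = if ($rsa) { $rsa.KeySize } else { 0 }   # 0 = not an RSA key

[pscustomobject]@{
    Endpoint        = "${HostName}:$Port"
    Subject         = $cert.Subject
    Thumbprint      = $cert.Thumbprint
    KeySizeBits     = $bits
    MeetsMinimum    = ($bits -ge $MinimumBits)
    # -eq is case-insensitive in PowerShell, so the thumbprint can be pasted in either case.
    ThumbprintMatch = if ($ExpectedThumbprint) { $cert.Thumbprint -eq $ExpectedThumbprint } else { 'not checked' }
}
```

Run it once against the Server on 10943 before regenerating to confirm the key size complaint, and again afterwards with `-ExpectedThumbprint` set to the thumbprint printed by the regeneration command; a `MeetsMinimum` of `True` together with `ThumbprintMatch` of `True` is what the polling Tentacles need to see before you roll the new thumbprint out to them.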