Our Octopus servers use certificates for web and tentacle trust that are issued by a CA and have expiry dates that will require rotation (as opposed to self-signed 100 year certificates as suggested). It however isn’t feasible to manually update every tentacle for the new Octopus Server certificate when that time comes, so we have been attempting to automate this process.
We created a project to deploy to tentacles that will run the tentacle.exe with the command-line
'configure --instance "Tentacle" --trust --console'
followed by a tentacle.exe call with command-line
'server-comms --instance "Tentacle" --thumbprint --style "TentacleActive" --host --port --console'
Those 2 commands will create 2 new entries in the Tentacle.config file, one to get the thumbprint in as trusted (from configure --trust) and another with full thumbprint/address/communication style. The issue is that the server-comms command also creates a new subscriptionId that the Octopus Server does not recognize.
Although Octopus recommends using the 100 year self-signed certificates, I was hoping there would be a straightforward way to add a new thumbprint to the tentacle trust for a server the tentacle is already connected to.