Polling tentacle connection to Kubernetes instance | unexpected security certificate


I’m struggling with making my polling tentacle work.
I have Octopus server installation on k8s cluster and two ingresses configured.

  1. For UI/API (SSL offloading performed)
  2. For polling tentacle (HTTPS pass)

I’m connecting my tentacle using this guide: Polling Tentacles over Standard HTTPS Port | Documentation and Support

The tentacle is being registered successfully, but I am unable to perform a health check. The tentacle is complaining about a different certificate thumbprint.

Halibut.HalibutClientException: An error occurred when sending a request to ‘https://octopus-polling.test.test/’, after the request began: The server at https://octopus-polling.test.test/ presented an unexpected security certificate. We expected the server to present a certificate with the thumbprint ‘B1A30327033086C32BEF61F26DCF04B3E147CA94’. Instead, it presented a certificate with a thumbprint of ‘7C032AC8F83879CF3CCD457B3F749E6162E9BDC8’ and subject ‘CN=*.test.test’. This usually happens when the client has been configured to expect the server to have the wrong certificate, or when the certificate on the server has been regenerated and the client has not been updated. It may also happen if someone is performing a man-in-the-middle attack on the remote machine, or if a proxy server is intercepting requests. Please check the certificate used on the server, and verify that the client has been configured correctly.

Could you please give me some hints, what can be done to fix that?

Good afternoon @xxazi,

Thank you for contacting Octopus Support and sorry you are having issues getting your polling tentacles to work over port 443.

You mentioned you are using an ingress, is that for the HTTP requests?

In the documentation it indicates that the connection needs to be a TCP reverse proxy, not a HTTP proxy. Since you are using our Octopus Server self hosted offering the documentation you need to follow is from the Self hosted part.

Do you have a proxy server in place at all to route the traffic, if so you need to create a stream for this to work, this is mentioned here in the documentation.

You also mentioned you are using SSL offloading which is not supported for communications from Tentacle to the Octopus Server.

So, for this to work you need two proxies, one to route the 443 traffic and one to route the polling tentacle port traffic.

Let me know if you have any other questions regarding this as the documentation was updated not so long ago to make it a bit more clear on how to achieve the connection over standard web ports. Since you have the tentacle registered already (which is when it uses the HTTP requests to connect initially to the Octopus Server), you can try setting up a TCP proxy or the NGINX stream mentioned in the documentation to forward the TCP Octopus Polling port (10943 as standard) and see if that works.

But you do need two proxies for this, one for the HTTP connection and one for the TCP connection.

I hope that helps,
Kind Regards,

This topic was automatically closed 31 days after the last reply. New replies are no longer allowed.