Powershell, Azure REST API and certifices


I’m trying to use the Azure REST API to Start/Stop a Azure Website from this script:

$State = "Running"
$SubscriptionId = "SOME SUBSCRIPTION ID"
$Webspace = "northeuropewebspace"
$Website = "MYWEBSITE"
$cert = get-item "Cert:\LocalMachine\root\DF6B774A310227E738C09DA4C98E89B87D754552"

$response = Invoke-RestMethod `
	"https://management.core.windows.net/$SubscriptionId/services/WebSpaces/$WebSpace/sites/$Website" `
    -Certificate $cert `
    -Headers @{"x-ms-version" = "2013-08-01"} `
    -ContentType "application/json; charset=utf-8" `
    -Method PUT `
    -Body @{ State = "$State"; } | ConvertTo-Json


But when I run it in Octopus (or the Task -> Script Console) I get this error:

Invoke-RestMethod : The request was aborted: Could not create SSL/TLS secure channel.
At C:\Users\octopustentacle\AppData\Local\Tentacle\Temp\ac94b278-f4c2-4dea-abcd-2821f0d2dc1f.ps1:14 char:13
	+ $response = Invoke-RestMethod `
+ ~~~~~~~~~~~~~~~~~~~
	+ CategoryInfo  : NotSpecified: (:) [Invoke-RestMethod], WebException
	+ FullyQualifiedErrorId : System.Net.WebException,Microsoft.PowerShell.Commands.InvokeRestMethodCommand
PowerShell exit code: 1
PowerShell script returned a non-zero exit code: 1

The same PowerShell can run on the Octopus server both elevated and non elevated.

Can anyone give me any pointers?


One cause of this might be that the certificate that the server uses may be trusted by your user, but not by the system - you can try some of the tips here:

Alternatively, it might be that while your account can access the private key for the certificate, the account that Tentacle runs as (Local System by default) can’t. You can read more in tip #3 here:

Perhaps a good test would be to modify your Tentacle service to run as your local administrator account rather than the Local System account, and to see if it works like that?


Thank you, you got me in the right direction!

The solution is to grant the tentacle account access to the certificate private key. Did in in the certificate snap-in -> on the certificate -> all tasks -> manage private keys.