Problems during deployment - SecurityNegotiationException - Could not establish trust

Hi Paul,

I have tried to deploy a release but it failed with:

System.ServiceModel.Security.SecurityNegotiationException: Could not establish trust relationship for the SSL/TLS secure channel with authority 'qat.mydomain.org'. ---> System.Net.WebException: The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel. ---> System.Security.Authentication.AuthenticationException: The remote certificate is invalid according to the validation procedure.

I have attached the entire log.

I have tried regenerating the cert from the octopus (WIN2k8) and installing it on the tentacle (WIN2k3) but it did not help.

Hopefully I am not missing something.

Thanks

Dan


Hi Dan,

It looks like you added “http://qat.mydomain.org” as your tentacle URL. Try making it:

http://qat.mydomain.org:10933/

I apologize, I know the UI for this isn’t intuitive at all - I hope to improve it this week.

Paul

Hi Paul,

I tried as you suggested and still no luck (new exception though).

Secure channel cannot be opened because security negotiation with the remote endpoint has failed

I tried several different variations on the DNS name/machine name with/without DNS suffix. Maybe the WCF base/endpoint address needs to be set on the tentacle?

Thanks!

Dan


Hi Dan,

Here are some troubleshooting ideas:

  1. Does it work if you use the IP address of the server?
  2. Are there any proxy servers or load balancers between the servers?
  3. Could there be a firewall between them?
  4. Has Windows Firewall been disabled or an exception for port 10933 been created on the server?
  5. What happens if you hit http://yourserver:10933 in your web browser?
  6. Are any virus scanners/intrusion prevention systems running?
  7. Is anything in the event log on either machine?

Failing that, can you give me some more details about the physical topology of the network? For example, are both machines on the same LAN or in different data centres?

Thanks for your patience,

Paul

Hi Paul,

You have got to love WCF exceptions…

Step 7 saved me, the following error was in the event log:

2011-06-30 14:07:42,656 [5] ERROR Octopus [(null)] - Rejected communication because it was signed with the wrong certificate; the public key of the certificate was: 3048024100BD13DBEA052BA02ED641C5D8E9EDF571A0A04099970036D9C5993DBE08D8AC99F8FEE5785CD2E00FFD3C5A1C28B5304E401E88C0EC9CAB9A408541B38885D2010203010001

… Anyway, I could have sworn I double checked that the certificates matched earlier today but maybe I didn’t restart the services. Maybe you might want to add some certificate validation procedure when you paste the cert into the tentacle. Or a button to verify valid certificates.

I am one step further, now I have to fix up my NuGet references!

-Dan

Great! Sing out if you have any other issues.
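
The certificate check that resolved this thread, as an added example that is not part of the original posts and is not Octopus code: it pulls the rejected public key out of the "wrong certificate" log line quoted above, decodes it as a DER RSAPublicKey, and compares it with the key of the certificate you expect. The function names are illustrative, and it assumes the logged value is the hex DER encoding of the key, which is how the value in the post decodes.

```python
import re
import sys

# Log line copied from the post above.
LOG_LINE = (
    "2011-06-30 14:07:42,656 [5] ERROR Octopus [(null)] - Rejected communication "
    "because it was signed with the wrong certificate; the public key of the "
    "certificate was: 3048024100BD13DBEA052BA02ED641C5D8E9EDF571"
    "A0A04099970036D9C5993DBE08D8AC99F8FEE5785CD2E00FFD3C5A1C28B5304E"
    "401E88C0EC9CAB9A408541B38885D2010203010001"
)
KEY_RE = re.compile(r"public key of the certificate was:\s*([0-9A-Fa-f]+)")

def rejected_keys(log_text):
    """Return the hex public key from every 'wrong certificate' log entry."""
    return [m.group(1).upper() for m in KEY_RE.finditer(log_text)]

def read_tlv(buf, pos, tag):
    """Read one DER element with the expected tag; return (value, next_pos)."""
    if pos + 2 > len(buf) or buf[pos] != tag:
        raise ValueError("unexpected DER tag at offset %d" % pos)
    length, pos = buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length: low bits give the number of length bytes
        count = length & 0x7F
        if count == 0 or count > 4 or pos + count > len(buf):
            raise ValueError("bad DER length")
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return buf[pos:pos + length], pos + length

def describe_rsa_key(hex_key):
    """Decode RSAPublicKey ::= SEQUENCE { modulus INTEGER, exponent INTEGER }."""
    der = bytes.fromhex(hex_key)
    seq, end = read_tlv(der, 0, 0x30)
    if end != len(der):
        raise ValueError("trailing bytes after key")
    modulus, pos = read_tlv(seq, 0, 0x02)
    exponent, _ = read_tlv(seq, pos, 0x02)
    return {"bits": int.from_bytes(modulus, "big").bit_length(),
            "exponent": int.from_bytes(exponent, "big")}

def compare_with_trusted(log_text, trusted_hex):
    """Return (key, matches_trusted, key_info) for each rejected key in the log."""
    trusted = "".join(trusted_hex.split()).upper()
    return [(k, k == trusted, describe_rsa_key(k)) for k in rejected_keys(log_text)]

if __name__ == "__main__":
    # First argument: hex public key of the certificate you expect (may be empty).
    for key, ok, info in compare_with_trusted(LOG_LINE, "".join(sys.argv[1:])):
        print("match" if ok else "MISMATCH", info, key[:16] + "...")
```

The key in the post decodes to a 512-bit RSA modulus with public exponent 65537.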