Seeking guidance for updating our Octopus server certificate

We have an older onprem installation of Octopus which happens to have a sha1RSA based server certificate. We are starting to see newer OS configurations require updated ciphers, which prevents us from adding tentacles to these newer machines. I know that the solution is to regenerate the server certificate, but I’m hoping you can help with a process to push that update to all the existing clients. It’s my understanding that Octopus does not have a way to push an updated certificate seamlessly and that as soon as we generate a new certificate, all clients will be unreachable over the tentacle. What is the recommended process? I have over 150 registered clients that will need to be updated.

Thanks,

-Todd

Hi @tfbryan,

Thanks for reaching out, I’d be happy to help with rotating your Octopus/Tentacle certificate!

I’d just like to confirm if all 150 of the targets are using the same Tentacle communication mode e.g. Polling vs Listening?

Our docs here cover our recommended process for rotating the certificate which will essentially boil down to:

  • Backup your existing certificate.
  • Generate a new certificate to a file.
  • Make the Tentacles trust the new certificate.
  • Replace the certificate on the Octopus Server.
  • Remove the old trusted certificate from the Tentacles.

Your Tentacles shouldn’t go offline because the process configures a new certificate to trust before removing the previous one; however, the process will be slightly different depending on Polling or Listening Tentacles, since Listening Tentacles can use the following command to add an additional certificate to trust:

Tentacle.exe configure --trust="123456789012345678"

For Polling Tentacles, that command will overwrite the existing certificate, so they need to have their Tentacle.config files modified manually.

I created a script for another user over in this post for modifying the config file of Polling Tentacles; however, due to the number of Polling Tentacles being rotated, the Octopus Server struggled to handle the flood of connections.

Hope that helps but feel free to reach out with any questions at all, I’d be happy to clarify any part of the process further!

Best Regards,

1 Like
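The Listening-Tentacle path described in the reply above, as an added PowerShell example (not from this thread, and not Octopus Deploy's own tooling): it runs the "trust the new certificate" step across a list of Tentacle hosts in small batches, then, once the server certificate has been replaced, the "remove the old trusted certificate" step. It assumes PowerShell remoting (WinRM) is enabled to each host, the Tentacle is installed under the default path with the default instance name "Tentacle", the host list file tentacles.txt is a constructed one-hostname-per-line file, and the two thumbprints are taken from the server (for example with Octopus.Server.exe show-thumbprint) before and after the rotation; the 40-hex-character thumbprint check reflects Octopus's SHA-1 thumbprint format and is an assumption on my part.

```powershell
# Added example, not from the thread or from Octopus Deploy.
# Usage (run once per phase, from an admin workstation):
#   .\Rotate-TentacleTrust.ps1 -Phase AddTrust    -NewThumbprint <new>                  # before replacing the server cert
#   .\Rotate-TentacleTrust.ps1 -Phase RemoveTrust -NewThumbprint <new> -OldThumbprint <old>  # after the server is on the new cert
param(
    [Parameter(Mandatory)] [string] $NewThumbprint,          # thumbprint of the new server certificate
    [string] $OldThumbprint,                                 # thumbprint of the old one; only used in RemoveTrust
    [ValidateSet('AddTrust', 'RemoveTrust')] [string] $Phase = 'AddTrust',
    [string[]] $Targets = (Get-Content -Path '.\tentacles.txt'),  # constructed host list, one name per line
    [int] $BatchSize = 10                                    # keep the server from being flooded with reconnects
)

# Refuse a malformed thumbprint up front: a typo here would otherwise be trusted on every host.
# (Assumption: Octopus thumbprints are 40-hex-character SHA-1 values.)
$thumbPattern = '^[0-9A-Fa-f]{40}$'
if ($NewThumbprint -notmatch $thumbPattern) { throw "NewThumbprint is not a 40-hex-character thumbprint" }
if ($Phase -eq 'RemoveTrust' -and $OldThumbprint -notmatch $thumbPattern) {
    throw "RemoveTrust needs a valid -OldThumbprint"
}
if ($Phase -eq 'RemoveTrust' -and $OldThumbprint -eq $NewThumbprint) {
    throw "Refusing to remove the thumbprint we just rolled out"
}

# Script block executed on each Tentacle host. Returns a small record rather than printing,
# so the results can be tallied centrally.
$remote = {
    param($Phase, $NewThumbprint, $OldThumbprint)
    $exe = 'C:\Program Files\Octopus Deploy\Tentacle\Tentacle.exe'   # assumed default install path
    if (-not (Test-Path $exe)) {
        return [pscustomobject]@{ Ok = $false; Detail = 'Tentacle.exe not found at default path' }
    }
    if ($Phase -eq 'AddTrust') {
        # Adds a second trusted server thumbprint alongside the existing one (Listening Tentacles only).
        $out = & $exe configure --instance="Tentacle" --trust="$NewThumbprint" 2>&1
    } else {
        # Drops the old server thumbprint once the server is already presenting the new certificate.
        $out = & $exe configure --instance="Tentacle" --remove-trust="$OldThumbprint" 2>&1
    }
    [pscustomobject]@{ Ok = ($LASTEXITCODE -eq 0); Detail = (($out | Out-String).Trim()) }
}

$results = @()
for ($i = 0; $i -lt $Targets.Count; $i += $BatchSize) {
    $end   = [Math]::Min($i + $BatchSize, $Targets.Count) - 1
    $batch = $Targets[$i..$end]
    Write-Host ("Phase {0}: hosts {1}-{2} of {3}" -f $Phase, ($i + 1), ($end + 1), $Targets.Count)
    # Unreachable hosts produce a non-terminating error and simply yield no result record.
    $results += Invoke-Command -ComputerName $batch -ScriptBlock $remote `
        -ArgumentList $Phase, $NewThumbprint, $OldThumbprint `
        -ThrottleLimit $BatchSize -ErrorAction Continue
}

# Summarise: explicit failures, plus hosts that never answered (no record at all).
$answered = @($results | ForEach-Object { $_.PSComputerName.ToLowerInvariant() })
$silent   = $Targets | Where-Object { $answered -notcontains $_.ToLowerInvariant() }

$results | Format-Table PSComputerName, Ok, Detail -AutoSize
$results | Where-Object { -not $_.Ok } | ForEach-Object {
    Write-Warning ("FAILED  {0}: {1}" -f $_.PSComputerName, $_.Detail)
}
$silent | ForEach-Object { Write-Warning ("NO REPLY {0}: host unreachable over WinRM, retry before cutting over" -f $_) }

Write-Host ("Done: {0} ok, {1} failed, {2} unreachable" -f
    @($results | Where-Object Ok).Count, @($results | Where-Object { -not $_.Ok }).Count, @($silent).Count)
```

The order matters: run the AddTrust phase against every host and resolve the failed and unreachable ones first, then import the new certificate on the Octopus Server, confirm the targets still show as healthy, and only then run RemoveTrust with the old thumbprint. Keeping the batch size small is the same flood-avoidance the reply describes for the Polling case, and the "no reply" list is the one to chase before the old certificate is retired, since a Tentacle that never received the new thumbprint is the one that goes dark at cutover.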

Thanks for the reply and the info. They are all listening tentacles. That’s really good to hear that we should be able to keep the tentacles from disconnecting. I really appreciate the help.

1 Like