SSL certs - security scan warnings

Hi, we have Octopus v2022.3 with Listening Tentacles all at v6.2.50. We recently redeployed Octopus to a new server and it is running with an SSL certificate we created from our own CA.

Our security team have had scan reports from the target servers that these contain self-signed certificates with a Subject : CN=Octopus Tentacle

These don’t relate to the certificate on the Octopus server, and I can’t find them in the certificate store. How do I remove them and replace them with our own certificates?

The full messages from the scan are “The following certificate was found at the top of the certificate chain sent by the remote host, but is self-signed and was not found in the list of known certificate authorities : |-Subject : CN=Octopus Tentacle” and “The following certificate was at the top of the certificate chain sent by the remote host, but it is signed by an unknown certificate authority : |-Subject : CN=Octopus Tentacle |-Issuer : CN=Octopus Tentacle”

Hi @helenbull,

Thanks for getting in touch!

The communication between the tentacles and the octopus server is secured using a self-signed certificate. This is separate from the certificate used for the Octopus web portal.

We have further details on how this communication is secured and why we use self-signed certs that may be worth passing to your security team for review.

If desired you can import a certificate into each of the tentacles. After updating the certificate you would also need to update the thumbprint stored for each target within Infrastructure > Deployment Targets on the Octopus web portal.

e.g.

If you do choose to import the certificate I would consider creating a test listening tentacle to perform this action on first and confirm everything is working as expected before making the change across all of your tentacles.

Regards,
Paul
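To confirm on your own side what the scanner is reporting, the following added PowerShell script (not from this thread and not Octopus Deploy's own tooling) connects to a Listening Tentacle's port, captures the certificate it presents, reports whether it is self-signed, and compares its SHA-1 thumbprint with the value registered for that target in Infrastructure > Deployment Targets. The host name, the port 10933 (the Tentacle default) and the expected thumbprint are placeholders to replace with your own values.

```powershell
# Added example (not from the thread or from Octopus Deploy): fetch the certificate a
# Listening Tentacle presents on its port and compare its thumbprint with the one
# Octopus has registered for that deployment target.
# Assumptions: the host name, port 10933 and the expected thumbprint are placeholders;
# take the real thumbprint from Infrastructure > Deployment Targets in the web portal.
param(
    [string]$TentacleHost       = "tentacle01.example.internal",
    [int]   $Port               = 10933,
    [string]$ExpectedThumbprint = "REPLACE_WITH_THUMBPRINT_FROM_OCTOPUS"
)

$script:presented = $null

# Capture whatever certificate the server presents, even if the handshake is later
# refused because the Tentacle expects a client certificate from the Octopus server.
$captureCallback = [System.Net.Security.RemoteCertificateValidationCallback]{
    param($sender, $certificate, $chain, $sslPolicyErrors)
    if ($certificate) {
        $script:presented = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($certificate)
    }
    return $true
}

$client = [System.Net.Sockets.TcpClient]::new($TentacleHost, $Port)
try {
    $ssl = [System.Net.Security.SslStream]::new($client.GetStream(), $false, $captureCallback)
    try {
        $ssl.AuthenticateAsClient($TentacleHost)
    } catch {
        # Expected when no client certificate is offered; the server certificate has
        # already been captured by the callback by the time the handshake is refused.
    }
} finally {
    $client.Close()
}

if (-not $script:presented) {
    Write-Error "No certificate was presented by ${TentacleHost}:$Port"
    exit 2
}

$cert = $script:presented
[pscustomobject]@{
    Host       = $TentacleHost
    Subject    = $cert.Subject
    Issuer     = $cert.Issuer
    SelfSigned = ($cert.Subject -eq $cert.Issuer)   # matches the scanner's finding when true
    NotAfter   = $cert.NotAfter
    Thumbprint = $cert.Thumbprint                   # SHA-1 hex, the value Octopus stores per target
} | Format-List

# Normalise the expected value so "ab:cd:..." and lower-case input compare correctly.
$expected = $ExpectedThumbprint.ToUpperInvariant().Replace(":", "").Replace(" ", "")
if ($cert.Thumbprint -ne $expected) {
    Write-Warning "Thumbprint differs from the value registered in Octopus; the target will not connect until the registered thumbprint is updated."
    exit 1
}
"Thumbprint matches the registered value."
```

Run it once against a test Tentacle before and after importing your CA-issued certificate: before the change it should report `SelfSigned : True` with `Subject : CN=Octopus Tentacle`, which is exactly what the scan is flagging; after the change the thumbprint it prints is the value to enter for that target in the web portal, and the script exiting with code 1 until that is done is the expected signal that the two sides are out of step.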

Many thanks - I will share that with the security team and hopefully that will reassure them.
