Tentacle on SQL server in High availability group


We are using Octopus Deploy for our deployments and need a Tentacle to run on all the SQL Server replicas we have. We always want the SQL migration scripts to run on the primary replica, and we do this by pointing Octopus to a deployment target that is the DNS entry for the Availability Listener. If a failover happens and another SQL replica becomes the primary, Octopus will complain because the Tentacle thumbprint on all SQL servers is different. Is it possible to have Tentacles installed on 2 different machines with the same thumbprint to prevent this issue?


Thanks for getting in touch! You can. But you have to be really careful that you will only ever have Octopus able to contact one at any time. If you are doing this through DNS entries then that should be the case. Are they Polling or Listening?

You will have some things to think about:

  • The package cache will be different on both, so you may have some issues with delta comparisons or multiple file uploads
  • Retention policies run using a Deployment Journal local to the machine and on deployment, so changing back and forth means you might have really old packages and deployment extractions on machines if they aren’t used again any time soon

You can use the Tentacle part of this documentation to import the same certificate on the secondary machines … you will have to export from the original machine http://docs.octopus.com/display/OD/How+to+use+custom+certificates+with+Octopus+Server+and+Tentacle

Please let me know if I can explain anything further or if I have made any wrong assumptions.

Please explain how to export the certificate from the original machine.

How do you export the certificate from the original machine?

Thanks Vanessa, this looks like the solution will be perfect for us. I will let you know if we run into any issues with this solution.

Worked like a charm!

@lochness can you share how you exported the existing cert?


Sorry, the word ‘export’ was a bit of a miscommunication on my part. You cannot export our certificates; we do not support that feature.
You can generate a cert, or use your own, and then use the import command to define it on both Tentacles.

Again, I just want to be very, very clear. You should never have two active Tentacles with the same thumbprint. The scenario where a Tentacle is defined by DNS and that is updated to point to another machine is safe, as you cannot have DNS point to two locations, so we gave advice to help for that specifically. You will run into trouble if you have two active machines with different addresses with the same thumbprint.
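
The "generate a cert, then import it on both Tentacles" step described in the last reply, sketched as a PowerShell script. This is an added example, not part of the original thread and not a script from Octopus. The install path, the instance name `Tentacle`, the file location and the parameter names are assumptions, and `new-certificate --export-file`, `import-certificate --from-file`, `service --restart` and `show-thumbprint` should be checked against the Tentacle version in use.

```powershell
# Added example: give every replica's Tentacle the same certificate.
# Assumed values: install path, instance name and certificate file location.
param(
    [string]$TentacleExe = 'C:\Program Files\Octopus Deploy\Tentacle\Tentacle.exe',
    [string]$Instance    = 'Tentacle',
    [string]$CertFile    = 'C:\Temp\shared-tentacle-cert.txt',
    [string]$ExpectedThumbprint,   # thumbprint printed on the first replica
    [switch]$Generate              # pass on the first replica only
)
$ErrorActionPreference = 'Stop'

function Invoke-Tentacle {
    # Run Tentacle.exe with the given arguments; fail on a non-zero exit code.
    $out = & $TentacleExe @args | Out-String
    if ($LASTEXITCODE -ne 0) { throw "Tentacle.exe $($args -join ' ') failed:`n$out" }
    return $out
}

if ($Generate) {
    # Writes a new certificate, private key included, as unprotected base64 text.
    Invoke-Tentacle new-certificate --export-file $CertFile | Out-Null
}
if (-not (Test-Path -LiteralPath $CertFile)) { throw "Certificate file not found: $CertFile" }

# Replace this instance's certificate with the shared one, then restart the service.
Invoke-Tentacle import-certificate --instance $Instance --from-file $CertFile | Out-Null
Invoke-Tentacle service --instance $Instance --restart | Out-Null

# Read back the thumbprint (40 hex characters) that this Tentacle now presents.
$text = Invoke-Tentacle show-thumbprint --instance $Instance
if ($text -notmatch '\b[0-9A-Fa-f]{40}\b') { throw "No thumbprint in output: $text" }
$thumbprint = $Matches[0].ToUpper()

# On the other replicas, refuse to continue if the thumbprint differs.
if ($ExpectedThumbprint -and $thumbprint -ne $ExpectedThumbprint.ToUpper()) {
    throw "Thumbprint mismatch: got $thumbprint, expected $ExpectedThumbprint"
}
Write-Output "Instance '$Instance' now uses thumbprint $thumbprint"

if (-not $Generate) {
    # Last use of the file on this replica: remove the private key from disk.
    Remove-Item -LiteralPath $CertFile -Force
}
```

Run it with `-Generate` on the first replica, copy the file to the other replicas over a protected channel, and run it there with `-ExpectedThumbprint`. The file holds the Tentacle's private key, so delete it from the first replica and the transfer location afterwards, and update the deployment target in Octopus to the new thumbprint.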