Tentacle service is not starting

Hi,

I have the following setup:

DMZ: Production webserver, Database server
Domain: Buildserver, Test Web server, Test database server

On the buildserver, octopus version 1.1.3.1410 is installed.
On the Test webserver, Test database server, production webserver and production database server, octopus tentacle version 1.1.3.1410 is installed

All certificates are correctly imported on all the servers.

Between the DMZ and Domain, port 10933 is open and if I run the health checker in the octopus dashboard, all servers are checked except the production webserver. The tentacle service won’t start because of the following error:

It is likely that certificate ‘CN=Octopus Tentacle’ may not have a private key that is capable of key exchange or the process may not have access rights for the private key. Please see inner exception for detail. ---> System.Security.Cryptography.CryptographicException: Keyset does not exist

I uninstalled the tentacle from the production webserver and installed it again under the local administrator account. The same error message occurs. Could someone help us with this problem please?

Kind regards,

Pascal van der Horst

Just solved the problem. The problem was that the user under which the service is running, had minimal rights on the folder: c:\ProgramData\Microsoft\Crypto\RSA\MachineKeys. Just give the user modify rights to the folder and the problem was solved.

In addition to comment by Pascal above:
Apparently this was the problem and we had to assign modify rights to the ‘C:\ProgramData\Microsoft\Crypto\Keys’ folder for the user (.\administrator) running the Octopus Tentacle Administration Tool. Generating a new certificate (or Tentacle Thumbprint) doesn’t return any errors, but the service will fail to start. Maybe this is something the Octopus Tentacle Administration Tool can check for?
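A diagnostic sketch for the two posts above, added here and not part of the thread or of Octopus: it locates the private key file behind the 'CN=Octopus Tentacle' certificate and prints the ACLs on that file and on the two key folders named above, so the entries can be compared with the account the Tentacle service runs as and any grant can be scoped to the key file. The store path `Cert:\LocalMachine\My` is an assumption; the thread does not say which store the certificate is in.

```powershell
# Added example, not Octopus code. Run from an elevated PowerShell prompt.
param(
    [string]$Subject   = 'CN=Octopus Tentacle',    # subject taken from the error message
    [string]$StorePath = 'Cert:\LocalMachine\My'   # assumption: store holding the Tentacle certificate
)

# Folders named in the thread: CSP machine keys and CNG machine keys.
$keyDirs = @(
    (Join-Path $env:ProgramData 'Microsoft\Crypto\RSA\MachineKeys'),
    (Join-Path $env:ProgramData 'Microsoft\Crypto\Keys')
)

$cert = Get-ChildItem -Path $StorePath |
    Where-Object { $_.Subject -eq $Subject } |
    Select-Object -First 1
if (-not $cert) { throw "No certificate with subject '$Subject' found in $StorePath" }

"Thumbprint:    $($cert.Thumbprint)"
"HasPrivateKey: $($cert.HasPrivateKey)"

# Opening the key is the step that fails with 'Keyset does not exist' when the
# caller cannot read the key file, so the failure is reported instead of thrown.
$container = $null
try {
    $container = $cert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName
} catch {
    "Private key could not be opened as $($env:USERNAME): $($_.Exception.Message)"
}

# The unique container name is the file name of the key inside the key folder.
$keyFile = $null
if ($container) {
    $keyFile = $keyDirs |
        ForEach-Object { Join-Path $_ $container } |
        Where-Object { Test-Path -LiteralPath $_ } |
        Select-Object -First 1
    "Key file:      $keyFile"
}

# Print every access entry; group memberships are not resolved here, so check
# both the service account itself and the groups it belongs to.
foreach ($path in (@($keyDirs) + $keyFile)) {
    if ($path -and (Test-Path -LiteralPath $path)) {
        "`nACL for $path"
        (Get-Acl -LiteralPath $path).Access |
            Format-Table IdentityReference, AccessControlType, FileSystemRights, IsInherited -AutoSize
    }
}
```

If the key opens for an administrator but the service still fails, the missing entry is usually on the key file for the service account rather than on the folder.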

Pascal, Marco, thanks for the update - I’m glad you were able to sort this out. I’ll try to make the admin tools smarter about setting these permissions.

Paul

Hi.
I have the same problem with 1.6.1.1718 version. The Octopus Server and Tentacle Service installed successfully, but the Tentacle Service crashes after a few seconds:

The description for Event ID 0 from source Octopus cannot be found. Either the component that raises this event is not installed on your local computer or the installation is corrupted. You can install or repair the component on the local computer.

If the event originated on another computer, the display information had to be saved with the event.

The following information was included with the event:

2013-07-08 03:38:07,531 [6] ERROR Octopus [(null)] - System.ArgumentException: It is likely that certificate ‘CN=Octopus Tentacle’ may not have a private key that is capable of key exchange or the process may not have access rights for the private key. Please see inner exception for detail. ---> System.Security.Cryptography.CryptographicException: Keyset does not exist

at System.Security.Cryptography.Utils.CreateProvHandle(CspParameters parameters, Boolean randomKeyContainer)
at System.Security.Cryptography.Utils.GetKeyPairHelper(CspAlgorithmType keyType, CspParameters parameters, Boolean randomKeyContainer, Int32 dwKeySize, SafeProvHandle& safeProvHandle, SafeKeyHandle& safeKeyHandle)
at System.Security.Cryptography.RSACryptoServiceProvider.GetKeyPair()
at System.Security.Cryptography.X509Certificates.X509Certificate2.get_PrivateKey()
at System.ServiceModel.Security.SecurityUtils.EnsureCertificateCanDoKeyExchange(X509Certificate2 certificate)
--- End of inner exception stack trace ---
at System.ServiceModel.Security.SecurityUtils.EnsureCertificateCanDoKeyExchange(X509Certificate2 certificate)
at System.ServiceModel.Security.ServiceCredentialsSecurityTokenManager.CreateLocalSecurityTokenProvider(RecipientServiceModelSecurityTokenRequirement recipientRequirement)
at System.ServiceModel.Security.ServiceCredentialsSecurityTokenManager.CreateSecurityTokenProvider(SecurityTokenRequirement requirement)
at System.ServiceModel.Security.ServiceCredentialsSecurityTokenManager.CreateTlsnegoServerX509TokenProvider(RecipientServiceModelSecurityTokenRequirement recipientRequirement)
at System.ServiceModel.Security.ServiceCredentialsSecurityTokenManager.CreateTlsnegoSecurityTokenAuthenticator(RecipientServiceModelSecurityTokenRequirement recipientRequirement, Boolean requireClientCertificate, SecurityTokenResolver& sctResolver)
at System.ServiceModel.Security.ServiceCredentialsSecurityTokenManager.CreateSecurityTokenAuthenticator(SecurityTokenRequirement tokenRequirement, SecurityTokenResolver& outOfBandTokenResolver)
at System.ServiceModel.Security.SecuritySessionSecurityTokenAuthenticator.SessionRenewSecurityTokenManager.CreateSecurityTokenAuthenticator(SecurityTokenRequirement tokenRequirement, SecurityTokenResolver& outOfBandTokenResolver)
at System.ServiceModel.Security.SymmetricSecurityProtocolFactory.OnOpen(TimeSpan timeout)
at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
at System.ServiceModel.Security.SecurityListenerSettingsLifetimeManager.Open(TimeSpan timeout)
at System.ServiceModel.Channels.SecurityChannelListener`1.OnOpen(TimeSpan timeout)
at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
at System.ServiceModel.Dispatcher.ChannelDispatcher.OnOpen(TimeSpan timeout)
at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
at System.ServiceModel.ServiceHostBase.OnOpen(TimeSpan timeout)
at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
at System.ServiceModel.Security.SecuritySessionSecurityTokenAuthenticator.OnOpen(TimeSpan timeout)
at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
at System.ServiceModel.Security.SecurityUtils.OpenTokenAuthenticatorIfRequired(SecurityTokenAuthenticator tokenAuthenticator, TimeSpan timeout)
at System.ServiceModel.Security.SecuritySessionServerSettings.OnOpen(TimeSpan timeout)
at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
at System.ServiceModel.Security.SecurityListenerSettingsLifetimeManager.Open(TimeSpan timeout)
at System.ServiceModel.Channels.SecurityChannelListener`1.OnOpen(TimeSpan timeout)
at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
at System.ServiceModel.Channels.ReliableChannelListenerBase`1.OnOpen(TimeSpan timeout)
at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
at System.ServiceModel.Dispatcher.ChannelDispatcher.OnOpen(TimeSpan timeout)
at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
at System.ServiceModel.ServiceHostBase.OnOpen(TimeSpan timeout)
at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
at Octopus.Tentacle.Services.ServiceHostStarter.LaunchServiceHost[TImpl,TContract](Uri address) in c:\w\e6923628be6eaf72\source\Octopus.Tentacle\Services\ServiceHostStarter.cs:line 72
at Octopus.Tentacle.Services.ServiceHostStarter.Start() in c:\w\e6923628be6eaf72\source\Octopus.Tentacle\Services\ServiceHostStarter.cs:line 41
at Octopus.Tentacle.Commands.RunAgentCommand.Start() in c:\w\e6923628be6eaf72\source\Octopus.Tentacle\Commands\RunAgentCommand.cs:line 48
at Octopus.Shared.Startup.WindowsServiceHost.RunService() in c:\w\e6923628be6eaf72\source\Octopus.Shared\Startup\WindowsServiceHost.cs:line 48

the message resource is present but the message is not found in the string/message table

Hi Roman,

Is the Tentacle service configured to run under the Local System account or a custom user? This looks to be a different issue.

Paul

I configured it to run under LocalSystem first time. Later I tried to run it under my system admin account, but with the same result.

Thanks Roman, we’ll try to get a fix out for this in the next couple of days.

Paul