This page cannot be displayed

(Dale Ritchie) #1

I’ve come across an issue when trying to log into our Octopus Deploy server after its first restart in a long time. When we try to log into the server, we receive the page below from I.E.

This page can’t be displayed

Turn on TLS 1.0, TLS 1.1, and TLS 1.2 in Advanced settings and try connecting to https://octopus.*******.com.au again. If this error persists, it is possible that this site uses an unsupported protocol or cipher suite such as RC4 (link for the details), which is not considered secure. Please contact your site administrator.

I’ve tried to use IIS Crypto 3.0 and applied best practices to the server as an attempt to fix it.

Would you be able to point me in a few different directions on what I should look at next?

(Lawrence Wilson) #3

Hi Dale,
Thanks for getting in touch! It’s interesting to know that this problem occurred after a restart of Octopus Server.

I know that the settings applied by IIS Crypto can only take effect after a server restart. Have the cryptography settings been changed at any time before your most recent Octopus Server restart?

Can you navigate to the https://Octopus.***.com.au Portal UI locally from Octopus Server, while logged in directly?

Is your Octopus server accessible from the Internet? One option could be to put the Octopus Portal UI address in this public SSL checker: https://www.ssllabs.com/ssltest/

(just note that it seems to keep a public register of what domains it’s checked recently)

One other option could be to run through our troubleshooting on Schannel and TLS.

I look forward to hearing from you!

Kind regards,
Lawrence.

(Dale Ritchie) #4

Hi Lawrence,

I believe the cryptography settings were changed about 6 months ago and the server has been restarted since.

I cannot log in directly on the server or from external clients. Unfortunately it’s not published externally either.

We do not have any of the listed Windows KBs installed. I will keep investigating.

(davidkeaveny) #5

Hi Lawrence,

I’m one of Dale’s coworkers; a couple of extra nuggets are that I can connect from my desktop using Chrome but not Firefox or Edge. The desktop is a brand new build of Windows 10, and I have run the IISCrypto tool to ensure SSL is turned off and TLS is turned on.

If I use the Octopus plugin for TeamCity to publish a deployment package to Octopus, then it too experiences the same error, despite the two applications being installed on the same server. If I RDP into the server then I cannot connect to Octopus when using Internet Explorer.

We have upgraded Octopus to the latest version (we were running 2018.8.8 before), and are running on Windows Server 2016.

(davidkeaveny) #6

Also, the Octopus Server logs are full of the following error:

A client at [::ffff:192.168.5.10]:64230 connected, and attempted a message exchange, but it presented a client certificate with the thumbprint ‘C81A6805710470B0A2B3CC1A4DB09498ABDC7146’ which is not in the list of thumbprints that we trust

UPDATE: please ignore this, I’ve removed this Tentacle from our system.

(Lawrence Wilson) #7

Hi,
I’m sorry to hear this is still happening. It sounds like this might be an issue specifically with the Schannel ciphers. Could you please show me a screenshot of when you run IISCrypto on your Octopus Server?

If you make any changes with IIS Crypto you will also need to restart your Octopus Server for the change to take effect.

Kind regards,
Lawrence.

(davidkeaveny) #8

Schannel configuration:

Cipher configuration part 1:

Cipher configuration part 2:

We have always rebooted the server after applying IIS Crypto settings.
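
The Schannel protocol and cipher settings discussed in the posts above can also be captured as text rather than screenshots. The following PowerShell is an added example, not part of the original thread or any Octopus tooling; it assumes an elevated session on the server and reads the standard Schannel registry location, with `Get-SchannelState` being a hypothetical helper name.

```powershell
# Added example (not from the thread): report Schannel protocol switches and
# the effective cipher suite order. Run elevated on the server being checked.
$base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

function Get-SchannelState {
    param([string]$Protocol, [string]$Role)   # Role is 'Server' or 'Client'
    $key = Join-Path $base (Join-Path $Protocol $Role)
    $p = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    # A missing key or value means Windows falls back to its built-in default.
    $enabled = 'OS default'
    if ($null -ne $p -and $null -ne $p.Enabled) {
        if ($p.Enabled -eq 0) { $enabled = 'Disabled' } else { $enabled = 'Enabled' }
    }
    $byDefault = 'OS default'
    if ($null -ne $p -and $null -ne $p.DisabledByDefault) {
        if ($p.DisabledByDefault -eq 0) { $byDefault = 'No' } else { $byDefault = 'Yes' }
    }
    [pscustomobject]@{
        Protocol = $Protocol; Role = $Role
        Enabled = $enabled; DisabledByDefault = $byDefault
    }
}

$report = foreach ($proto in 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2') {
    foreach ($role in 'Server', 'Client') { Get-SchannelState -Protocol $proto -Role $role }
}
$report | Format-Table -AutoSize

# Flag one misconfiguration that breaks every HTTPS client:
# all TLS versions explicitly disabled for the Server role.
$serverTls = $report | Where-Object { $_.Role -eq 'Server' -and $_.Protocol -like 'TLS*' }
if (-not ($serverTls | Where-Object { $_.Enabled -ne 'Disabled' })) {
    Write-Warning 'All TLS versions are disabled for the Server role.'
}

# Cipher suites in priority order (TLS module, Windows Server 2016 / Windows 10 and later).
Get-TlsCipherSuite | Select-Object -ExpandProperty Name
```

Running the same script on a client that fails to connect and comparing the two outputs shows whether the client and server share at least one enabled protocol version and cipher suite.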

(davidkeaveny) #9

In the end, we moved Octopus to a new server built from scratch, and it now works correctly. BTW the migration process was ridiculously easy to complete, thanks for making it so straightforward!

Still not sure what the underlying issue is, perhaps a dodgy Windows update?