TLS 1.2 connectivity issue with Tentacle

Due to corporate security policy, TLS 1.0 / 1.1 are frowned upon so we are running IISCrypto tool on octopus server and all tentacle boxes to exclusively enable TLS 1.2 (no TLS 1.0 / TLS 1.1). Most tentacle boxes seem to work OK with exclusive TLS 1.2. However, we have one Win2008R2 box where the tentacle fails over TLS 1.2 but works fine with TLS 1.1/1.0 enabled. Here is the tentacle health check failure:

An error occurred when sending a request to ‘https://dntest2.foo.com:10933/’, after the request began: A call to SSPI failed, see inner exception.
A call to SSPI failed, see inner exception.
One or more of the parameters passed to the function was invalid

TLS 1.2 is exclusively enabled on both the Octopus Server and the tentacle using IISCrypto. .NET 4.7.2 is installed on the Octopus Server and the tentacle box. The latest Windows updates have been applied to both server and tentacle. I have a Message Analyzer trace of the failed health check but don’t really know how to interpret it. How do you best troubleshoot this issue?

Octopus Server
Windows Server 2012 R2
Octopus V2018.6.14

Octopus Tentacle B
Windows 2008R2 SP1
Tentacle 3.22.0.0

Hi Scott,
Thanks for getting in touch! I’m sorry to hear you are seeing problems communicating with your Octopus Tentacles via TLS 1.2 when they are running on Windows Server 2008R2.

Your error message appears to be pointing to problems with SChannel on your Windows Server 2008R2 targets. I’m interested to know if you’ve seen our support page on Troubleshooting Schannel and TLS.

You appear to be satisfying every requirement outlined in the documentation that I linked you but I thought I should keep it here just in case.

One possible option to troubleshoot further could be to ensure that each of your servers has definitely been restarted for the SChannel/TLS changes to take effect.

I’m interested to know if this has helped; please let me know if the restart doesn’t work for you, though!

Kind regards,
Lawrence.

Lawrence, thanks for the update…

Yes, we have followed the steps on the Troubleshooting Schannel and TLS. We have also rebooted that server and same problem still exists. We also have this issue with another server as well.

Bump…

Problem still continues…

Hi Scott,
Thanks for keeping in touch and I’m very sorry for the long delay in getting back to you on this one! Your reply got lost in my queue. I’m also sorry to hear you are still affected by this issue.

To troubleshoot further, could you please check if you can log in to your Octopus Server and navigate to your Tentacle’s endpoint at https://dntest2.foo.com:10933/ with the Octopus Server’s web browser?

An example of using a web browser to test connectivity issues can be seen in the documentation on troubleshooting tentacles.

Thanks for sending through your screenshots of your IISCrypto output; they look correct as well. There could be a problem specific to Windows Server 2008R2, but since you have your updates installed this should be fine.

One other option we could explore is checking in the Windows registry that the keys have indeed been set by IISCrypto.

I look forward to hearing from you and I want to apologize for the long delay here.

Kind regards,
Lawrence.
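The registry check suggested above, written out as an added example (not code from this thread or from Octopus Deploy). It reads the SCHANNEL protocol keys that tools such as IISCrypto write and reports, per protocol and per role, whether each protocol ends up enabled, then compares the result with the "TLS 1.2 only" policy the thread is aiming for. Run it in an elevated Windows PowerShell on the Octopus Server and on each Tentacle box and compare the two outputs. The key paths and value names are the documented SCHANNEL ones; the policy table is the only assumption.

```powershell
# Added example: verify SCHANNEL protocol settings against a TLS 1.2-only policy.
$base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

# Intended state from this thread (assumption): everything off except TLS 1.2.
$Policy = [ordered]@{ 'SSL 2.0' = $false; 'SSL 3.0' = $false; 'TLS 1.0' = $false; 'TLS 1.1' = $false; 'TLS 1.2' = $true }

function Get-SchannelProtocolState {
    param([string]$Protocol, [ValidateSet('Server', 'Client')][string]$Role)
    $key = Join-Path (Join-Path $base $Protocol) $Role
    if (-not (Test-Path $key)) {
        # No key at all means "whatever this Windows build defaults to", which differs
        # between OS versions (2008 R2 and 2012 R2 do not agree). Report it as
        # unverified rather than guessing.
        return [pscustomobject]@{ Protocol = $Protocol; Role = $Role; Enabled = $null; DisabledByDefault = $null; Effective = 'OS default' }
    }
    $p = Get-ItemProperty -Path $key
    # REG_DWORD comes back as Int32, so the usual 0xFFFFFFFF "enabled" value reads as -1;
    # only an explicit 0 switches a protocol off, so compare against 0, not against 1.
    $enabled = if ($p.PSObject.Properties['Enabled'])           { $p.Enabled }           else { $null }
    $dbd     = if ($p.PSObject.Properties['DisabledByDefault']) { $p.DisabledByDefault } else { $null }
    # Enabled = 0 turns the protocol off outright. DisabledByDefault = 1 leaves it off
    # unless an application opts in explicitly, which Octopus/Tentacle do not.
    $effective = if ($enabled -eq 0) { 'Disabled' } elseif ($dbd -eq 1) { 'Disabled by default' } else { 'Enabled' }
    [pscustomobject]@{ Protocol = $Protocol; Role = $Role; Enabled = $enabled; DisabledByDefault = $dbd; Effective = $effective }
}

$report = foreach ($proto in $Policy.Keys) {
    foreach ($role in 'Server', 'Client') { Get-SchannelProtocolState -Protocol $proto -Role $role }
}
$report | Format-Table -AutoSize

# Anything left at 'OS default' is flagged too: the intent was to set it explicitly.
$mismatches = $report | Where-Object {
    ($_.Effective -eq 'OS default') -or (($_.Effective -eq 'Enabled') -ne $Policy[$_.Protocol])
}
if ($mismatches) {
    $mismatches | Format-Table -AutoSize
    Write-Warning 'Protocol settings differ from the TLS 1.2-only policy. If IISCrypto was just run, reboot first: SCHANNEL reads these keys at start-up.'
} else {
    'SCHANNEL protocol keys on this machine match the TLS 1.2-only policy.'
}
```

Both roles matter for Octopus: the Octopus Server acts as a TLS client towards a listening Tentacle, so the Client keys on the server and the Server keys on the Tentacle box are the pair that has to agree on TLS 1.2.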

Dear Lawrence,

Thank you for providing the additional troubleshooting steps. I worked with Scott and we were able to figure out how to fix the issue.

  • We noticed that when using the browser on the Octopus Server to browse to https://dntest2.foo.com:10933/, the page wouldn’t load. We used Fiddler and noticed that the dntest2 box uses an Octopus cert with a 512-bit RSA public key, while the other boxes use an Octopus cert with a 2048-bit RSA public key.
  • We uninstalled and reinstalled the tentacle on the dntest2 box; the process installed a new Octopus cert with a 2048-bit RSA key, and the Octopus Server is now able to communicate properly.
  • I don’t know if the old cert (with the 512-bit RSA key) is being used any more, so I deleted that cert and kept the new one to avoid confusion.

I’m not entirely sure it’s something to do with the 512-bit vs 2048-bit public key; perhaps it’s just some inconsistent cert algorithm installed on our troubled box, and somehow reinstalling the tentacle helps install the new cert properly.
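The two checks described in this thread (browsing to the Tentacle endpoint, then reading the presented certificate's key size in Fiddler, and the later look at the local certificate store) as an added PowerShell example, not code from this thread or from Octopus Deploy. `Test-Tls12Endpoint` opens a TLS 1.2-only connection to a Tentacle port, captures the certificate the Tentacle presents and reports its RSA key size, so the handshake failure and the key size can be seen from the Octopus Server without a proxy; `Get-WeakRsaCertificate` runs on the Tentacle box itself and lists any RSA certificate in the machine's Personal store below a chosen size. It assumes Windows PowerShell 5.1 on .NET 4.6 or later (needed for `GetRSAPublicKey`); the host name and port are the ones from the thread, and the 2048-bit floor is the size the working Tentacles had.

```powershell
# Added example: probe a Tentacle endpoint over TLS 1.2 only and inspect its certificate.
Set-StrictMode -Version Latest

function Get-RsaKeyBits {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    # Returns $null for non-RSA keys (e.g. ECDSA) instead of throwing.
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($Certificate)
    if ($rsa) { $rsa.KeySize } else { $null }
}

function Test-Tls12Endpoint {
    param([string]$HostName = 'dntest2.foo.com', [int]$Port = 10933, [int]$MinimumBits = 2048)
    $captured = @{ Cert = $null }
    # Tentacle certificates are self-signed, so accept whatever is presented and keep a
    # copy for inspection. This is a diagnostic, not a trust decision: Octopus itself
    # pins the Tentacle by thumbprint, and that check is not reproduced here.
    $accept = [System.Net.Security.RemoteCertificateValidationCallback]{
        param($sender, $cert, $chain, $errors)
        $captured.Cert = $cert
        return $true
    }
    $tcp = $null; $ssl = $null
    try {
        $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $accept)
        # Offer TLS 1.2 and nothing else, so a failure here is exactly the Tentacle symptom
        # (the same SChannel code path the health check uses), not a downgrade to 1.0/1.1.
        $ssl.AuthenticateAsClient($HostName, $null, [System.Security.Authentication.SslProtocols]::Tls12, $false)
        $x2   = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($captured.Cert)
        $bits = Get-RsaKeyBits $x2
        [pscustomobject]@{
            Endpoint   = "${HostName}:$Port"
            Handshake  = 'OK'
            Protocol   = $ssl.SslProtocol
            Cipher     = "$($ssl.CipherAlgorithm)/$($ssl.CipherStrength)"
            Subject    = $x2.Subject
            Thumbprint = $x2.Thumbprint
            KeyBits    = $bits
            WeakKey    = ($null -ne $bits) -and ($bits -lt $MinimumBits)
        }
    } catch {
        # Typical failure text here is the thread's "A call to SSPI failed" message.
        [pscustomobject]@{
            Endpoint = "${HostName}:$Port"; Handshake = "FAILED: $($_.Exception.Message)"
            Protocol = $null; Cipher = $null; Subject = $null; Thumbprint = $null; KeyBits = $null; WeakKey = $null
        }
    } finally {
        if ($ssl) { $ssl.Dispose() }
        if ($tcp) { $tcp.Close() }
    }
}

function Get-WeakRsaCertificate {
    # Run on the Tentacle box. Lists Personal-store certificates whose RSA key is under
    # $MinimumBits; the '*' subject filter is an assumption, narrow it if you know the
    # Tentacle certificate's subject.
    param([string]$StorePath = 'Cert:\LocalMachine\My', [string]$SubjectFilter = '*', [int]$MinimumBits = 2048)
    Get-ChildItem -Path $StorePath | Where-Object { $_.Subject -like $SubjectFilter } | ForEach-Object {
        $bits = Get-RsaKeyBits $_
        [pscustomobject]@{
            Thumbprint = $_.Thumbprint; Subject = $_.Subject; NotAfter = $_.NotAfter
            KeyBits    = $bits
            Weak       = ($null -ne $bits) -and ($bits -lt $MinimumBits)
        }
    } | Sort-Object Weak -Descending
}

# Usage: from the Octopus Server, then on the Tentacle box.
Test-Tls12Endpoint | Format-List
Get-WeakRsaCertificate | Format-Table -AutoSize
```

If the probe fails but `Get-WeakRsaCertificate` on the target shows only 2048-bit keys, the certificate is not the cause and the SCHANNEL protocol and cipher-suite settings on the two machines are the next thing to compare; if it shows a 512-bit key, reinstalling the Tentacle to regenerate its certificate, as done above, is the fix this thread arrived at.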

Hi,
Thanks for keeping in touch and letting us know how you resolved this one! Your results are valuable and I’ve added them to our documentation on Troubleshooting SChannel and TLS.

I look forward to hearing from you if you have any questions.

Kind regards,
Lawrence.