Octopus 3.0.21
I’m getting an error similar to the other issues re SSL-bound deployments and thumbprints. All of those seem to be resolved by removing whitespace from the thumbprint, but that did not do the trick in my case.
Could not find certificate under Cert:\LocalMachine with thumbprint ?3D9EB434FDD7D047639234DBFFD13C90D43E6183. Make sure that the certificate is installed to
the Local Machine context and that the private key is available.
At C:\Octopus\Applications\AT\MyApp\0.1.0.60\Octopus.Features.IISWebSite_BeforePostDeploy.ps1:125 char:9
+ throw "Could not find certificate under Cert:\LocalMachine with thumb
Side remark. Bug?: The error message I get back differs if I use a variable in the thumbprint field or put the thumbprint directly in the Deployment step view. Using a variable, the error message adds a preceding ? (question mark) before the thumbprint in the error message. This is not present when I put the thumbprint directly into the field (not using a variable).
I’ve also verified it has a private key and found the thumbprint by running
Get-ChildItem Cert:\LocalMachine -Recurse | Where-Object { $_.HasPrivateKey -eq $true }
Results:
PS C:\Windows\system32> Get-ChildItem Cert:\LocalMachine -Recurse | Where-Object { $_.HasPrivateKey -eq $true }
This lists:
    Directory: Microsoft.PowerShell.Security\Certificate::LocalMachine\Remote Desktop

Thumbprint                                Subject
----------                                -------
D8629716DE39BD0E0632BE66ADB30DDA87AD6FD2  CN=IT-T-WEB01.mynetwork.local

    Directory: Microsoft.PowerShell.Security\Certificate::LocalMachine\Root

Thumbprint                                Subject
----------                                -------
713C500A9986005B1A009710AC85D3E80599D299  CN=WMSvc-IT-T-WEB01

    Directory: Microsoft.PowerShell.Security\Certificate::LocalMachine\My

Thumbprint                                Subject
----------                                -------
713C500A9986005B1A009710AC85D3E80599D299  CN=WMSvc-IT-T-WEB01
3D9EB434FDD7D047639234DBFFD13C90D43E6183  CN=IT-T-WEB01.mynetwork.local
So. Are there any other prerequisites for the user running the tentacle service to read the cert? Guessing the SYSTEM account running the tentacle service should have access to that cert as well? Other? Or should the service run under the Network Service instead?
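
A diagnostic for the leading `?` described in the post, as an added example that is not part of the original post or of Octopus's own scripts. It assumes the `?` is how the console renders a non-printable character carried in the variable's value (simulated here with a constructed U+200E prefix); the function name `Get-ThumbprintReport` is hypothetical.

```powershell
# Constructed sample: the thumbprint from the post with an invisible U+200E
# (left-to-right mark) in front of it, simulating a value pasted into a variable.
$raw = [string][char]0x200E + '3D9EB434FDD7D047639234DBFFD13C90D43E6183'

function Get-ThumbprintReport {
    param([Parameter(Mandatory)][string]$Thumbprint)

    # List every character that is not a hex digit, with its position and code point.
    $unexpected = for ($i = 0; $i -lt $Thumbprint.Length; $i++) {
        $c = $Thumbprint[$i]
        if ($c -notmatch '^[0-9A-Fa-f]$') {
            [pscustomobject]@{ Index = $i; CodePoint = 'U+{0:X4}' -f [int]$c }
        }
    }

    # Keep hex digits only; a SHA-1 thumbprint is 40 hex characters.
    $clean = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()

    [pscustomobject]@{
        RawLength  = $Thumbprint.Length
        Unexpected = @($unexpected)
        Clean      = $clean
        LooksValid = ($clean.Length -eq 40)
    }
}

$report = Get-ThumbprintReport -Thumbprint $raw
$report | Format-List RawLength, Clean, LooksValid
$report.Unexpected | Format-Table Index, CodePoint

# Look the cleaned value up the same way the post does and confirm the private key.
Get-ChildItem Cert:\LocalMachine -Recurse |
    Where-Object { $_.Thumbprint -eq $report.Clean } |
    Select-Object PSParentPath, Subject, HasPrivateKey
```

A `RawLength` of 41 with one entry under `Unexpected` means the stored value is not the 40-character thumbprint even though it looks identical on screen.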