User running Octopus Tentacle does not seem to have access to cert

Octopus 3.0.21

I’m getting an error similar to the other issues re SSL-bound deployments and thumbprints. All of those seem to be resolved by removing whitespace from the thumbprint, but that did not do the trick in my case.

Could not find certificate under Cert:\LocalMachine with thumbprint ?3D9EB434FDD7D047639234DBFFD13C90D43E6183. Make sure that the certificate is installed to 
the Local Machine context and that the private key is available.
At C:\Octopus\Applications\AT\MyApp\0.1.0.60\Octopus.Features.IISWebSite_BeforePostDeploy.ps1:125 char:9
+       throw "Could not find certificate under Cert:\LocalMachine with thumb

Side remark. Bug?: The error message I get back differs if I use a variable in the thumbprint field or put the thumbprint directly in the Deployment step view. Using a variable, the error message adds a preceding ? (question mark) before the thumbprint in the error message. This is not present when I put the thumbprint directly into the field (not using a variable).

I’ve also verified it has a private key and found the thumbprint by running

Get-ChildItem Cert:\LocalMachine -Recurse | Where-Object { $_.HasPrivateKey -eq $true }

Results:

PS C:\Windows\system32> Get-ChildItem Cert:\LocalMachine -Recurse | Where-Object { $_.HasPrivateKey -eq $true }

This lists:

Directory: Microsoft.PowerShell.Security\Certificate::LocalMachine\Remote Desktop

Thumbprint                                Subject
----------                                -------
D8629716DE39BD0E0632BE66ADB30DDA87AD6FD2  CN=IT-T-WEB01.mynetwork.local

Directory: Microsoft.PowerShell.Security\Certificate::LocalMachine\Root

Thumbprint                                Subject
----------                                -------
713C500A9986005B1A009710AC85D3E80599D299  CN=WMSvc-IT-T-WEB01

Directory: Microsoft.PowerShell.Security\Certificate::LocalMachine\My

Thumbprint                                Subject
----------                                -------
713C500A9986005B1A009710AC85D3E80599D299  CN=WMSvc-IT-T-WEB01
3D9EB434FDD7D047639234DBFFD13C90D43E6183  CN=IT-T-WEB01.mynetwork.local

So. Are there any other prerequisites for the user running the tentacle service to read the cert? Guessing the SYSTEM account running the tentacle service should have access to that cert as well? Other? Or should the service run under the Network Service instead?

Hi John

Thanks for posting here.

I know you say you’ve read the other threads, but the symptom of showing the ? when you use a variable is very consistent with the whitespace bug I mentioned.

Unfortunately, it’s not a character you can see. The instructions here should fix it: http://help.octopusdeploy.com/discussions/problems/16467-ssl-thumbprint (paste it into a text editor and delete the character before the first one you can see). It’s a bug when copying the thumbprint from the Windows dialog.

Damian
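
The invisible leading character discussed in this thread can be made visible and stripped with a short script. This is an added example, not part of the original thread or of Octopus Deploy's own scripts; the function name `Get-CleanThumbprint` is hypothetical, and U+200E is used only as a constructed stand-in for the hidden character.

```powershell
# Added example: reveal and strip hidden characters in a pasted thumbprint.
function Get-CleanThumbprint {
    param([Parameter(Mandatory)][string]$Thumbprint)

    # Report every character that is not a hex digit together with its
    # Unicode code point, so characters you cannot see become visible.
    $chars = $Thumbprint.ToCharArray()
    for ($i = 0; $i -lt $chars.Length; $i++) {
        if ($chars[$i] -notmatch '^[0-9A-Fa-f]$') {
            $code = [int]$chars[$i]
            Write-Warning ("Non-hex character U+{0:X4} at index {1}" -f $code, $i)
        }
    }

    # Keep hex digits only; this drops spaces and invisible characters alike.
    $clean = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()

    # A certificate thumbprint as shown by the Cert: drive is 40 hex digits (SHA-1).
    if ($clean.Length -ne 40) {
        throw "Expected 40 hex digits, got $($clean.Length)."
    }
    return $clean
}

# Constructed input: the thumbprint from the thread with an invisible
# character (U+200E, an assumption) in front of it.
$pasted = "$([char]0x200E)3D9EB434FDD7D047639234DBFFD13C90D43E6183"
$clean  = Get-CleanThumbprint -Thumbprint $pasted

# Same store walk as in the question, filtered on the cleaned value.
Get-ChildItem Cert:\LocalMachine -Recurse |
    Where-Object { $_.Thumbprint -eq $clean } |
    Select-Object PSParentPath, Subject, HasPrivateKey
```

Run it on the target machine and put the cleaned value into the Octopus variable in place of the one pasted from the certificate dialog.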