After add a deployment target its keep show offline

Hi Support,
after i successfully install Octopus Tentacle 3.2.11, then i add the deployment target but its keep show offline with the screenshot as i attached.

Kindly assist.

Thanks

Clement

if i check health for the machine, its show this error.

Offline2.jpg

Hi,

Thanks for reaching out. Cold you send us the raw log of the health check task? http://docs.octopusdeploy.com/display/OD/Get+the+raw+output+from+a+task

Also, did you get any errors when installing the Tentacle? Please also send us the Tentacle logs. You can find these on C:\Octopus\logs on a default install on your Tentacle machine.

Thanks,
Dalmiro

Hi Dalmiro,
Attached with the raw log for check health and the tentacle server log.

Kindly assist.

Thanks

Regards
Clement

ServerTasks-395.log.txt (5 KB)

OctopusTentacle.txt (11 KB)

Any updates for this issue?

in fact i have try to uninstall the tentacle delete the deployment target and reinstall. but still the same issue. i am taking the latest tentacle and install. kindly follow up. thanks

Hi Clement,

I’ll be working with you on this issue from here. The error reported in the OctopusTentacle.txt file is the most interesting part: CryptographicException: Access is denied. after we call .NET’s SslStream.AuthenticateAsServer() method (view code). After looking through the code in the BCL, I can see that it is either:

  • Failing to load the Private Key of the SSL Server certificate (in this case the Tentacle Certificate)
  • Failing to create an X509Certificate2 instance from the Client Certificate in the incoming data stream (in this case the Octopus Server Certificate)

At the end of the day this comes down to some sort of environmental issue on the local server, perhaps something like:

  • the User Account the Tentacle process is running under doesn’t have sufficient privileges to read the Private Key of the Tentacle Certificate
  • the User Account the Tentacle process is running under doesn’t have sufficient privileges to create a temporary X509Certificate2 instance which requires write access to the system’s Temp Path (see Tip #5 here)
  • the full Certificate Chain is not able to be constructed from certificates available to the server (for example, using a Custom Certificate where there is a certification chain but one certificate in the chain is missing from the local server)

After all of that detail, here’s some recommendations you could follow to help diagnose this issue:

  1. Is this the only server where the problem occurs, and it is working in other servers?
  2. Did you use a custom certificate for either Octopus Server or Tentacle, or did you let Octopus generate self-signed certificates for you (the default behaviour)?
  3. Are you running Tentacle as LocalSystem or another account?
  4. Have you customized ACLs to the Temp Path on the system? Sometimes this can get corrupted and you need to re-grant ACLs.
  5. Have you tried completely removing Tentacle and re-installing? This requires uninstalling the MSI, and then deleting the Tentacle installation folder, especially including the Tentacle.config. Leaving these files means the same Tentacle certificate would get used after a reinstall.
  6. Take a look at these 8 tips for working with X509Certificates which goes into detail about permissions problems etc.

If you are able to get to the bottom of this issue it would be good if we can add some better error messaging that may help people diagnose these issues quicker.

Hope that helps!
Mike

Hi Mike,
Please refer below my reply

  1. Is this the only server where the problem occurs, and it is working in other servers?
    YES
  2. Did you use a custom certificate for either Octopus Server or Tentacle, or did you let Octopus generate self-signed certificates for you (the default behaviour)?
    No for custom cert, we install the default behaviour.
  3. Are you running Tentacle as LocalSystem or another account?
    LocalSystem
  4. Have you customized ACLs to the Temp Path on the system? Sometimes this can get corrupted and you need to re-grant ACLs.
    No customized.
  5. Have you tried completely removing Tentacle and re-installing? This requires uninstalling the MSI, and then deleting the Tentacle installation folder, especially including the Tentacle.config. Leaving these files means the same Tentacle certificate would get used after a reinstall.
    YES, i uninstall the tentacle remove the C drive octopus folder and certificate regenerated a new one, but still fail.

Clement

Hi Clement,

Thanks for getting back to me. At this point I think we will have to set up a support call to sort out this issue.

Please use calendly to select a time that suits: https://calendly.com/octopusdeploy/supportcall

Looking forward to sorting this out with you.
Mike

Hi Mike,
after some troubleshoot, i change the local system to a specific account for running the octopus server win services, its working fine now.

Could you explain more why local system fail to did that?

Clement

the account is just a normal user account

Hi Clement,

I’m glad that started working for you. I’m guessing, but if the root cause is access to the certificate store, there are some subtle and deeply integrated distinctions between the LocalSystem built-in account and a Local User Account - the main one of interest would be related to the User Profile, the default locations for certain system stores, and certain permissions.

Typically Tentacle needs full access to the server, so LocalSystem is a good default choice, and we haven’t had any other customers reporting problems with LocalSystem to my knowledge.

At the end of the day the Local User Account you’ve created will be able to do everything you require provided you grant any additional privileges to that user account as you discover them.

Once again, I’m glad you were able to resolve the problem!

Happy Deployments!
Mike

Hi Mike,
Thanks for your explanation.

Clement