Import-certificate throws "invalid network password" exception

When trying to use import-certificate from a Chef run, we’re receiving the following error message:

The specified network password is not correct.

System.Security.Cryptography.CryptographicException: The specified network password is not correct.

   at System.Security.Cryptography.X509Certificates.X509Certificate2Collection.LoadStoreFromFile(String fileName, String password, UInt32 dwFlags, Boolean persistKeyContainers)
   at System.Security.Cryptography.X509Certificates.X509Certificate2Collection.Import(String fileName, String password, X509KeyStorageFlags keyStorageFlags)
   at Octopus.Shared.Security.Certificates.CertificateEncoder.FromPfxFile(String pfxFilePath, String password) in Y:\work\refs\tags\3.2.15\source\Octopus.Shared\Security\Certificates\CertificateEncoder.cs:line 25
   at Octopus.Tentacle.Commands.ImportCertificateCommand.Start() in Y:\work\refs\tags\3.2.15\source\Octopus.Tentacle\Commands\ImportCertificateCommand.cs:line 67
   at Octopus.Shared.Startup.AbstractCommand.Octopus.Shared.Startup.ICommand.Start(String[] commandLineArguments, ICommandRuntime commandRuntime, OptionSet commonOptions) in Y:\work\refs\tags\3.2.15\source\Octopus.Shared\Startup\AbstractCommand.cs:line 57
   at Octopus.Shared.Startup.ConsoleHost.Run(Action`1 start, Action shutdown) in Y:\work\refs\tags\3.2.15\source\Octopus.Shared\Startup\ConsoleHost.cs:line 72
   at Octopus.Shared.Startup.OctopusProgram.Run() in Y:\work\refs\tags\3.2.15\source\Octopus.Shared\Startup\OctopusProgram.cs:line 87

http://stackoverflow.com/questions/8286110/asp-net-the-specified-network-password-is-not-correct leads me to believe that the certificate import is STILL trying to use the user’s local profile instead of using the machine key store or something that doesn’t require a user profile. We’re using the latest version of the Tentacle, 3.2.15. Are we missing something? Running the exact same command from PowerShell in an RDP session succeeds, presumably because the user profile is loaded.
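
To separate a key-store or profile problem from a genuine password or file-format problem, the Import overload shown in the stack trace can be called with each key-storage flag in turn. This is an added diagnostic example, not part of the original post and not Octopus code; the function name Test-PfxImport is hypothetical, and the HKEY_USERS check is used only as an indicator that the profile hive is loaded.

```powershell
# Added diagnostic sketch (not Octopus code). Run it in the same context as the
# failing command (e.g. the Chef run) and again from an interactive session.
function Test-PfxImport {
    param(
        [Parameter(Mandatory)] [string] $Path,   # e.g. generated_cert.pfx
        [string] $Password = ''                  # the PFX in the thread has no password
    )
    # .NET resolves relative paths against the process directory, not
    # PowerShell's current location, so hand it an absolute path.
    $full = (Resolve-Path -LiteralPath $Path).Path

    # Indicator only: a loaded user profile has its registry hive mounted
    # under HKEY_USERS\<SID>.
    $sid = [System.Security.Principal.WindowsIdentity]::GetCurrent().User.Value
    $profileLoaded = Test-Path -LiteralPath "Registry::HKEY_USERS\$sid"

    foreach ($name in 'DefaultKeySet', 'UserKeySet', 'MachineKeySet') {
        $flags = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]$name
        $certs = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2Collection
        $row = [ordered]@{
            Flags         = $name
            ProfileLoaded = $profileLoaded
            Loaded        = $false
            HasPrivateKey = $false
            Error         = $null
        }
        try {
            # Same overload as in the stack trace: Import(fileName, password, flags)
            $certs.Import($full, $Password, $flags)
            $row.Loaded = $true
            $row.HasPrivateKey = @($certs | Where-Object { $_.HasPrivateKey }).Count -gt 0
        } catch {
            # PowerShell wraps the CryptographicException; report the root cause.
            $row.Error = $_.Exception.GetBaseException().Message
        } finally {
            # Release handles; keys imported without PersistKeySet are not kept.
            foreach ($c in $certs) { $c.Reset() }
        }
        [pscustomobject]$row
    }
}

# Example call (file name taken from the thread):
# Test-PfxImport -Path .\generated_cert.pfx | Format-Table -AutoSize
```

If MachineKeySet loads while UserKeySet fails and ProfileLoaded is False, the key store is the problem rather than the password; if every flag fails in both contexts, look at the file or its password instead. MachineKeySet normally needs administrative rights, because it writes to the machine key container.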

Hi Bojan,

Thanks for getting in touch! For remote installations of Tentacle we recommend that you have an existing certificate to import.
http://docs.octopusdeploy.com/display/OD/Export+and+import+Tentacle+certificates+without+a+profile

Hope that helps!
Vanessa

Hi Vanessa,

We do have an existing certificate. The certificate is on disk and we are running “Tentacle.exe import-certificate --instance webserver-1 --from-file generated_cert.pfx”. The .pfx file has no password attached to it, so the error is not coming from there.

Best,
Bojan

Hi Bojan,

Could you supply the entire script output + error message so I have some context?

Vanessa

I don’t have the entire script output anymore, but the relevant portion is above:

The specified network password is not correct.

System.Security.Cryptography.CryptographicException: The specified network password is not correct.

   at System.Security.Cryptography.X509Certificates.X509Certificate2Collection.LoadStoreFromFile(String fileName, String password, UInt32 dwFlags, Boolean persistKeyContainers)
   at System.Security.Cryptography.X509Certificates.X509Certificate2Collection.Import(String fileName, String password, X509KeyStorageFlags keyStorageFlags)
   at Octopus.Shared.Security.Certificates.CertificateEncoder.FromPfxFile(String pfxFilePath, String password) in Y:\work\refs\tags\3.2.15\source\Octopus.Shared\Security\Certificates\CertificateEncoder.cs:line 25
   at Octopus.Tentacle.Commands.ImportCertificateCommand.Start() in Y:\work\refs\tags\3.2.15\source\Octopus.Tentacle\Commands\ImportCertificateCommand.cs:line 67
   at Octopus.Shared.Startup.AbstractCommand.Octopus.Shared.Startup.ICommand.Start(String[] commandLineArguments, ICommandRuntime commandRuntime, OptionSet commonOptions) in Y:\work\refs\tags\3.2.15\source\Octopus.Shared\Startup\AbstractCommand.cs:line 57
   at Octopus.Shared.Startup.ConsoleHost.Run(Action`1 start, Action shutdown) in Y:\work\refs\tags\3.2.15\source\Octopus.Shared\Startup\ConsoleHost.cs:line 72

The command line we’re running is tentacle.exe import-certificate --instance our-instance-1 --from-file generated-certificate.pfx. There’s no password on the .pfx file, so that parameter is omitted.

Hi Bojan,

We think this is due to how you created the cert you are trying to import. It looks like when trying to import a pfx file it uses a different code base. Are you able to create the certificate exactly like our example gives and try again?

Vanessa

I am getting the same error as Bojan. I am trying to import a cert that I had previously exported from a Microsoft 2012R2 server using the certificates plugin in MMC.
Has there been any movement on this since January?

So my question is can we use externally generated certs?

What I ended up doing was importing the certificate on a regular machine then exporting it via the agent installed there. It looks like a regular PEM-encoded certificate, just without the begin/end blocks to me.