Magically random certificates

I’m totally confused by the certificates on Octopus…

  1. I load up Octopus server…
  2. copy the cert from the tools menu
  3. install a Tentacle on a different server
  4. paste the certificate into Tentacle tools
  5. add server to Octopus
  6. run health check = get security error
  7. check application error on Tentacle server (Rejected communication because it was signed with the wrong certificate; the public key of the certificate was)

OK, so when I open the Tentacle tools menu, the certificate changes every time I open it… I’m completely baffled.

So from other topics I’ve read here, I delete the reg keys on both server and Tentacle.
Repeat above = same problem.

Any help would be great.



OK, so I’ve no idea what the tools is doing… so I checked in certmgr.msc on both… I do not see any installed certificates.
So what I did was copy both key values from the reg keys and made my Tentacle share the same reg keys.
This worked… my Tentacle appeared online… I managed to deploy a successful NuGet package…
But I try again… security error again… Tentacle is offline again.
I can’t get any consistency.

So it looks like manually ensuring the certs match is the way forward, ignoring the Tentacle/server tools. It seems to be totally random what is displayed in those certificate menu items.
So my Tentacle appears online, and goes offline from time to time, but I managed to successfully deploy a web application and all is great.
I did try again… but my Tentacle is down again… hit or miss… but I guess these are beta teething problems.


First, thanks for getting in touch. It’s completely normal for the certificate to change every time - see this as to why: I know this appears confusing though so I’m looking for a better solution. Also as you discovered, Octopus certificates are not stored in the Windows certificate store (for reasons that would require a much longer blog post to explain :)) but in the registry.

It does worry me that you are getting this error intermittently though.

After setting the certificates, can you remote desktop onto the machine, and kill all running Tentacle.exe processes in Windows Task Manager? You’ll need to click “Show processes from other users”. It’s possible that the Tentacle service has loaded up with the wrong certificate.


Thanks for the info.

After a deployment, does the Tentacle restart a service?
Because the Tentacle appeared up… I did a successful deployment… then the Tentacle was down (I’m still able to access the service via the URL).

The Tentacle doesn’t (or at least, shouldn’t!) get restarted after a deployment.

How predictable is it? Is it always Up, Down, Up, Down? Or Up, Down, Down, Down, Up, Down, Up, Up, Up, Down? And does anything appear in the event log on either machine?


Killed the process - restarted the service.
The event log is just full of:
“Rejected communication because it was signed with the wrong certificate”

The reg keys are both matching… not sure where it’s holding this different cert key.