Power shell errors (IISWebsite_BeforePostDeploy.ps1) after upgrading from 2.6 to 3.1.4


We’ve recently upgraded Octopus Deploy from v2.6 to 3.1.4 and are now getting a series of powershell error in the website creation steps - and example is below. The application appears to be working as expected. Has anyone seen this type of error before?

New-Object : Cannot find type [System.Security.Cryptography.AesCryptoServiceProvider]: make sure the assembly containing this type is loaded.
At C:\Octopus\Applications\Mambo QA\CCMS.Api\\Bootstrap.Octopus.Features.IISWebSite_BeforePostDeploy.ps1:69 char:24

  • $provider = new-Object <<<<  System.Security.Cryptography.AesCryptoServiceProvider
    • CategoryInfo : InvalidType: (:slight_smile: [New-Object], PSArgumentException
    • FullyQualifiedErrorId : TypeNotFound,Microsoft.PowerShell.Commands.NewObjectCommand
      Property ‘Mode’ cannot be found on this object; make sure it exists and is settable.
      At C:\Octopus\Applications\Mambo QA\CCMS.Api\\Bootstrap.Octopus.Features.IISWebSite_BeforePostDeploy.ps1:70 char:12
  • $provider. <<<< Mode = [System.Security.Cryptography.CipherMode]::CBC
  • CategoryInfo : InvalidOperation: (Mode:String) [], RuntimeException
  • FullyQualifiedErrorId : PropertyNotFound
    Property ‘Padding’ cannot be found on this object; make sure it exists and is settable.
    At C:\Octopus\Applications\Mambo QA\CCMS.Api\\Bootstrap.Octopus.Features.IISWebSite_BeforePostDeploy.ps1:71 char:12
  • $provider. <<<< Padding = [System.Security.Cryptography.PaddingMode]::PKCS7
  • CategoryInfo : InvalidOperation: (Padding:String) [], RuntimeException
  • FullyQualifiedErrorId : PropertyNotFound

Hi Greg,
This AesCryptoServiceProvider is now used in the deployment scripts to secure sensitive variables as they get passed along to the Tentacle. Do you have any sensitive variables in this deployment that might have triggered this decryption to take place since if so, it looks as though their values might not have come through correctly.
As for the cause of the error itself, it looks as though PowerShell is having troubles loading the required encryption provider. What version of .Net and PowerShell do you have installed on this machine?


There are sensitive variables in the project but none within the scope of the environment that is receiving the error - perhaps that is why there is no apparent issue with the deployed application.

Both the target server and Octopus Deploy servers are running .net 4.5.2 & powershell v2.


Hi Greg,
I have made a new build of Calamari with a change that I would like to test to see if it solves your problem.

Could you download the following new Calamari Builds


and place them into an empty directory.

Once done add the following setting
<set key="Octopus.Deployment.CustomBundledPackageDirectory">DOWNLOAD_PATH</set>
to your Octopus Deploy Server config file (typically found at C:\Octopus\OctopusServer\OctopusSever.config) with the path these files were downloaded to.

With this added please restart the service and try to perform a deployment again. Check the logs and confirm that it updated the tentacle with this new Calamari package. Hopefully this will push through the changes that are needed to ensure the scripts properly instantiate the crypto class needed for this task.

Once tested you can go back to using the default Calamari package by removing the above config element and restarting the server again.

Let me know the results of this test.

Hi Rob, Greg,

I was having similar issues - in fact I couldn’t deploy a site because it couldn’t set the password for the app pool. Your fix seemed to work on Win2012 but on Win2008 I had to install .NET 3.5.1 (I was only running .NET 4.5.1 previously.) This resolved the issue and everything seems happy again.

Hope this is useful and not just intrusive.



Hi Stuart,
Thanks for the update that this fix worked for you! Hopefully that means it solves a few other people’s problem too.

Robert - thanks for those packages, I’ll test it out tonight and let you know

Stuart - we are having this issue on a Win2012 but do have some Win2008 system in the mix that don’t have the same problem although this may be because we’ve got .net 3.5 installed there - but thanks for the tip

Robert - this fix has resolved the issue that the task now executes without the same errors getting generated. Should I leave these Calamari packages on the server to be pushed out to all tentacles or should revert back to the original and wait for the bug fix to be integrated into a standard release?


Hi Greg,
Great to hear this fix worked. You can leave this custom Calamari build on the server for now and when a new build goes out, you can remove the configuration and the new version will get pushed. Because the (eventual) new build will be versioned higher it should override this custom hotfix.
Thanks again for the confirmation.

Hi Greg,

We’ve shipped Octopus 3.1.6 with Calamari 3.1.1 including the fix for this issue. Unfortunately I broke the versioning for Calamari and the build Rob sent you was versioned 3.2.x accidentally. Once you’ve updated to Octopus 3.1.6 could you check the Calamari folder in your Octopus Server and make sure the temporary build of Calamari is deleted, otherwise it will be used in preference to the real Calamari build 3.1.1.

Apologies for the inconvenience.

I am out of the office with no access to e-mail returning on Monday 2nd November. If your enquiry is urgent please contact Paul Reed otherwise I will respond to your query upon my return.

Kindest Regards


This email has been scanned by the Symantec Email Security.cloud service.
For more information please visit http://www.symanteccloud.com

Hi Greg,

Oh, I just realized you would have added the config Octopus.Deployment.CustomBundledPackageDirectory to your OctopusServer.config file. Just remove that line and everything will go back to normal.

Hope that helps!