Tentacle configuration command "Tentacle.exe new-certificate --instance "Tentacle" --if-blank --console" fails when executed via remote PowerShell

Hi,

We are trying to deploy and configure Octopus Tentacle version 3.2.6 via PowerShell remoting.

The MSI install works fine.
Subsequently this command works fine:
"D:\NTApps\Octopus Deploy\Tentacle\Tentacle.exe" create-instance --instance "Tentacle" --config "D:\Octopus\Tentacle.config" --console

The next command fails as shown below:
"D:\NTApps\Octopus Deploy\Tentacle\Tentacle.exe" new-certificate --instance "Tentacle" --if-blank --console
Octopus Deploy: Tentacle version 3.2.6 (3.2.6+Branch.master.Sha.61f0c2f50db3f40f7bd0a9032ad73491f81fda14)

Error: The requested operation cannot be completed. The computer must be trusted for delegation and the current user account must be configured to allow delegation. (Exception from HRESULT: 0x80090345)

Full error details are available in the log files.
At: C:\Users\ziaassrvacc\AppData\Local\Octopus\Logs

The requested operation cannot be completed. The computer must be trusted for delegation and the current user account must be configured to allow delegation. (Exception from HRESULT: 0x80090345)
System.Runtime.InteropServices.COMException (0x80090345): The requested operation cannot be completed. The computer must be trusted for delegation and the current user account must be configured to allow delegation. (Exception from HRESULT: 0x80090345)
at System.Runtime.InteropServices.Marshal.ThrowExceptionForHRInternal(Int32 errorCode, IntPtr errorInfo)
at Octopus.Shared.Security.CertificateGenerator.Generate(String fullName, Boolean exportable) in Y:\work\refs\tags\3.2.6\source\Octopus.Shared\Security\CertificateGenerator.cs:line 27
at Octopus.Shared.Configuration.TentacleConfiguration.GenerateNewCertificate() in Y:\work\refs\tags\3.2.6\source\Octopus.Shared\Configuration\TentacleConfiguration.cs:line 188
at Octopus.Tentacle.Commands.NewCertificateCommand.Start() in Y:\work\refs\tags\3.2.6\source\Octopus.Tentacle\Commands\NewCertificateCommand.cs:line 59
at Octopus.Shared.Startup.AbstractCommand.Octopus.Shared.Startup.ICommand.Start(String[] commandLineArguments, ICommandRuntime commandRuntime, OptionSet commonOptions) in Y:\work\refs\tags\3.2.6\source\Octopus.Shared\Startup\AbstractCommand.cs:line 57
at Octopus.Shared.Startup.ConsoleHost.Run(Action`1 start, Action shutdown) in Y:\work\refs\tags\3.2.6\source\Octopus.Shared\Startup\ConsoleHost.cs:line 72
at Octopus.Shared.Startup.OctopusProgram.Run() in Y:\work\refs\tags\3.2.6\source\Octopus.Shared\Startup\OctopusProgram.cs:line 87

The same sequence of commands works fine when run interactively in a non-elevated cmd prompt on the same Tentacle client machine.

Is this a bug, or known issue, and if so is there a workaround?

Many thanks
Justin

Hi Justin,

Thanks for getting in touch! If you are automating your Tentacle installation you need to import certificates; you cannot create one without a user profile.

Hope that helps!
Vanessa

Ok, thanks Vanessa.
That works, although it is a shame we need to use the workaround, i.e. why can the tentacle.exe cert creation process not be modified so it can run without a user profile loaded? For those of us automating this process for DevOps it would be simpler not to have to generate the cert on another machine and then import it.

I have a question on the certificate import:

- Can we use a one-time generated certificate for all of the tentacle installs, or is it required to use a unique client cert/key for each tentacle?

  - We are specifically concerned about any security implications if, for example, we have multiple tentacles sharing the same client cert but spanning multiple Octopus environments.

Kind regards
Justin

Hi Justin,

The create certificate command requires a user profile as it uses Windows DPAPI.
You can use the same cert on multiple Tentacles without problem. The thumbprint is an identifier to the certificate on the machines to check for the connection, but it isn’t a unique identifier as registration also needs address and port.

I also linked you to the incorrect docs page http://docs.octopus.com/display/OD/Export+and+import+Tentacle+certificates+without+a+profile
I did think the page I directed you to included a link to the above, but it didn’t!

Vanessa

But if you try to deregister the Tentacle via the command line like this:
Start-Process -FilePath "{{ octopusTentacleINSTALLLOCATION }}\Tentacle.exe" -ArgumentList "deregister-from --instance Tentacle --server {{ octopusURI }} --apiKey {{ octopusApikey }} --console" -NoNewWindow -Wait

You will receive the following error:
Error: The Tentacle matches more than one machine on the server. To deregister all of these machines specify the --multiple flag.

I think it is because the certificate thumbprint is used to determine exactly which Tentacle should be removed.

Hi,

Thanks for getting in touch. Tentacle.exe deregister-from will remove all Tentacles matching the Tentacle thumbprint, which is not ideal when you are setting up Tentacles with the same thumbprint.

We do use the thumbprint to determine which Tentacle should be deleted because generally it is unique. We are putting the finishing touches on features that will cause your environment to automatically remove machines that you have terminated. It might be suitable to your situation and save you having to write custom PowerShell to do the cleanup.

You can find more information here: https://octofront.com/content/blog/clean-environments

Cheers,
Shane
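The following is an added example, not code from this thread or from Octopus Deploy, that ties together the two points raised above: new-certificate fails with HRESULT 0x80090345 under WinRM because DPAPI has no loaded user profile, and sharing one certificate across Tentacles makes deregister-from ambiguous. It assumes the paths and variables in the param block, a per-machine PFX exported beforehand on a machine with a user profile, and Tentacle.exe's import-certificate command with its --from-file and --pw options (taken from Tentacle's own command-line documentation, not from this page).

```powershell
# Added example: configure a Tentacle over remote PowerShell, falling back to a
# pre-exported certificate when DPAPI-based generation is not possible.
param(
    [string]$TentacleExe  = 'D:\NTApps\Octopus Deploy\Tentacle\Tentacle.exe',
    [string]$ConfigPath   = 'D:\Octopus\Tentacle.config',
    [string]$CertFile     = 'D:\Octopus\tentacle-cert.pfx',   # assumed: one PFX per machine
    [string]$CertPassword = $env:TENTACLE_CERT_PW             # assumed: supplied out of band
)

function Invoke-Tentacle {
    # Runs Tentacle.exe with the given arguments and captures exit code plus console output.
    param([string[]]$Arguments)
    $output = & $TentacleExe @Arguments 2>&1 | Out-String
    return [pscustomobject]@{ ExitCode = $LASTEXITCODE; Output = $output }
}

# 1. create-instance works over remote PowerShell, as reported in the thread.
$r = Invoke-Tentacle @('create-instance', '--instance', 'Tentacle', '--config', $ConfigPath, '--console')
if ($r.ExitCode -ne 0) { throw "create-instance failed:`n$($r.Output)" }

# 2. new-certificate needs DPAPI, which needs a loaded user profile; under WinRM there
#    is none, and the command fails with HRESULT 0x80090345.
$r = Invoke-Tentacle @('new-certificate', '--instance', 'Tentacle', '--if-blank', '--console')
if ($r.ExitCode -eq 0) {
    Write-Host 'Generated a new certificate (a user profile was available).'
}
elseif ($r.Output -match '0x80090345') {
    # 3. Fall back to a certificate generated elsewhere. Using a distinct PFX per
    #    Tentacle keeps thumbprints unique, so deregister-from matches one machine
    #    and the --multiple flag is never needed.
    if (-not (Test-Path $CertFile)) {
        throw "No user profile loaded and no certificate file found at $CertFile"
    }
    $r = Invoke-Tentacle @('import-certificate', '--instance', 'Tentacle',
                           "--from-file=$CertFile", "--pw=$CertPassword", '--console')
    if ($r.ExitCode -ne 0) { throw "import-certificate failed:`n$($r.Output)" }
    Write-Host "Imported certificate from $CertFile."
}
else {
    throw "new-certificate failed for a reason other than DPAPI/profile:`n$($r.Output)"
}
```

Run the script inside the same Invoke-Command session that performed the MSI install; the exit-code check on each step stops the sequence at the first failure instead of leaving a half-configured instance behind.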
