Octopus stores the X.509 certificate that it uses to connect with Tentacles in the Octopus database. To make loading the certificate faster, it's also loaded into the Windows Certificate store.
The loading process looks like this:
- Does a certificate exist in the store with thumbprint XXXX?
  - Yes: load it.
  - No: install it.
The store is owned by whichever account the Octopus server runs as; by default this is the Local System account.
To diagnose problems loading these certificates, save the following PowerShell script somewhere any user can access it, such as C:\TestCertificates.ps1:
# Octopus keeps its certificate in a custom store named "Octopus" under the profile
# of the account the service runs as (CurrentUser, not LocalMachine).
$store = New-Object System.Security.Cryptography.X509Certificates.X509Store("Octopus", [System.Security.Cryptography.X509Certificates.StoreLocation]::CurrentUser)
$thumbprint = "FCDB71235479DD60D3E1296736292C5CB1871CA3"
# ReadOnly is sufficient for diagnosis and does not require write access to the store.
$store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadOnly)
$certs = $store.Certificates
Write-Host "Running as: " $env:USERNAME
Write-Host "All certificates:"
$certs | ForEach-Object { $_ }
# Find() returns a collection; $false means expired or otherwise invalid certificates are returned too.
$cert = $certs.Find([System.Security.Cryptography.X509Certificates.X509FindType]::FindByThumbprint, $thumbprint, $false)
Write-Host ""
if ($cert.Count -eq 0) {
    Write-Host "Certificate with thumbprint $thumbprint NOT found in this store"
} else {
    Write-Host "Found certificate"
    $cert
}
$store.Close()
Change the value of $thumbprint to the thumbprint shown on the Configuration > Certificates page in Octopus.
If your Octopus service normally runs as the System account (the default), then you need to run this script as the System account too, because the CurrentUser store it reads belongs to that account, not to the user you are logged in as.
To do this:
- Download PSTools from SysInternals/Microsoft: http://download.sysinternals.com/files/PSTools.zip
- Use PsExec to start PowerShell as the System account (from an elevated command prompt):
  psexec.exe -i -s PowerShell.exe
- Test that the PowerShell session is the System account by running:
  $env:USERNAME
  It should print something like "YOURMACHINENAME$".
- Run the script from this PowerShell session:
  C:\TestCertificates.ps1
  It should output the current username, a list of all the certificates it can find, and then the result of looking up the certificate by the thumbprint you provided.
- Send us the output
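The script above tells you whether the thumbprint is present in the CurrentUser "Octopus" store. The following is an added diagnostic script (it is not part of the Octopus documentation or product) that goes a step further: it checks both the CurrentUser and LocalMachine "Octopus" stores, strips the spaces and invisible characters that commonly ride along when a thumbprint is copied from a certificate dialog, and verifies that the private key is actually loadable by the account running the script, since a certificate whose private key is missing or inaccessible cannot be used to authenticate to Tentacles. The thumbprint default is a placeholder; run it from the psexec -i -s PowerShell session described above so it executes as the service account.

```powershell
# Added example: diagnose the Octopus certificate store as the current account.
# Not Octopus Deploy's own code. Assumes the custom store is named "Octopus" (as the
# page states) and that the certificate uses an RSA key. Thumbprint is a placeholder.
param(
    [string]$Thumbprint = "FCDB71235479DD60D3E1296736292C5CB1871CA3",
    [string]$StoreName  = "Octopus"
)

# Thumbprints copied from certificate dialogs often carry spaces or an invisible
# left-to-right mark (U+200E) at the start, which makes Find() miss the certificate.
$clean = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
if ($clean.Length -ne 40) {
    throw "Thumbprint '$Thumbprint' does not contain 40 hex digits after cleanup (got $($clean.Length))."
}

Write-Host "Running as:  $env:USERDOMAIN\$env:USERNAME"
Write-Host "Looking for: $clean in store '$StoreName'"

$openFlags = [System.Security.Cryptography.X509Certificates.OpenFlags]::ReadOnly -bor
             [System.Security.Cryptography.X509Certificates.OpenFlags]::OpenExistingOnly

foreach ($location in @('CurrentUser', 'LocalMachine')) {
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store($StoreName, $location)
    try {
        # ReadOnly is enough for diagnosis; OpenExistingOnly avoids silently creating an empty store.
        $store.Open($openFlags)
    } catch {
        Write-Host "`n[$location] could not open store '$StoreName': $($_.Exception.Message)"
        continue
    }

    Write-Host "`n[$location] $($store.Certificates.Count) certificate(s) in store:"
    foreach ($c in $store.Certificates) {
        Write-Host ("  {0}  {1}  expires {2:u}  privateKey={3}" -f $c.Thumbprint, $c.Subject, $c.NotAfter, $c.HasPrivateKey)
    }

    # $false: return the certificate even if it is expired or not yet valid, so we can report why.
    $found = $store.Certificates.Find(
        [System.Security.Cryptography.X509Certificates.X509FindType]::FindByThumbprint, $clean, $false)

    if ($found.Count -eq 0) {
        Write-Host "[$location] NOT FOUND: no certificate with thumbprint $clean"
    } else {
        $cert = $found[0]
        Write-Host "[$location] FOUND: $($cert.Subject)"
        if (-not $cert.HasPrivateKey) {
            Write-Host "[$location] WARNING: certificate has no private key; it cannot be used to authenticate to Tentacles."
        } elseif ($cert.NotAfter -lt (Get-Date)) {
            Write-Host "[$location] WARNING: certificate expired on $($cert.NotAfter)."
        } else {
            # HasPrivateKey only says a key is referenced; actually loading it catches
            # key-container ACL problems that appear when the store is read by a different account.
            try {
                $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
                if ($null -eq $rsa) {
                    Write-Host "[$location] WARNING: private key is referenced but could not be loaded as RSA."
                } else {
                    Write-Host "[$location] OK: $($rsa.KeySize)-bit RSA private key is accessible to this account."
                    $rsa.Dispose()
                }
            } catch {
                Write-Host "[$location] WARNING: private key exists but could not be loaded: $($_.Exception.Message)"
            }
        }
    }
    $store.Close()
}
```

Running it as the logged-in administrator and then again under psexec -i -s makes the usual failure mode obvious: the certificate shows up in the first run's CurrentUser store but not the second's (or the other way round), which means it was installed under a different account than the one the Octopus service uses.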