Octopus managed certificates and tenanted deployments now broken on new restrictions

tystol's Avatar


04 Feb, 2018 02:38 PM


I just upgraded to V2018.1.3 (all the way from 3.15) and can no longer deploy any of our tenanted projects. There is a new restriction on certificates that seems to force you to pick which tenants the certificate is allowed to be deployed to (which makes sense in some scenarios I guess), but there is no option to allow deployment to ALL tenants (eg. we have a single wildcard SSL certificate, and all of our tenants are based on subdomains, so the same single certificate should be authorised for all tenants).

Am I missing something?

  1. Support Staff 1 Posted by Eddy Ma on 05 Feb, 2018 06:40 AM

    Hi Tystol,

    Thanks for keeping in touch! I have tried to reproduce this in both V3 and V4 and they behave the same way, which is no deployments if no tenants or tags are selected.
    Would you mind trying a few things and sending us more information to help us identify the issue?

    • Try it from the old portal and see what happens. You can do this by going to the URL [youroctopusurl]/oldportal, you will need to log on from the new one first.

    • Check the settings from both the old and new portal and send us the screenshots

    • Check if there is any modification to the certificate. You can do this by going to the Audit page in Configuration, set the filters to be By event categories = Document modified, By document types = Certificate.

    I am looking forward to hearing back from you soon.


  2. 2 Posted by tystol on 02 Mar, 2018 11:45 PM

    Hi Eddy,

    Apologies for the late reply - I found a workaround (select all deployment targets to achieve the 'all tenant' filter) and so this wasn't a priority.
    Workaround still not ideal as we have to remember to come back in to certificate config when adding a new deploy target.

    In answer to your questions, please see attachments for details, but:

    - Same issue from the old portal
    - Same settings visible from the old and new (but this is the 'old' portal on the current version of the system. My presumption would be it would be diff back in v3.15, but I don't have time to downgrade just to test this out).
    - The only modifications to the certificate were made a month ago, when I was experimenting with getting this working. Interestingly though, based on that audit log, the initial state of my cert was in a TenantedDeploymentParticipation: Untenanted mode.

    My guess is now that while those settings may have existed back in 3.15, there was a missing validation check, and if a cert was set up as Untenanted, it was still able to be deployed via tenanted processes. Possibly? Again, I can't rollback to confirm this.

  3. Support Staff 3 Posted by Eddy Ma on 05 Mar, 2018 11:24 PM

    Hi Tystol

    Thanks for sending the information through. I installed 3.15.0 and 3.15.8 locally, both versions behave the same way as it is now in the latest 4.x.

    I could not explain why it was working for you before. Do you know by any chance if the data was modified manually?

    The settings from your screenshots look good to me. Alternatively you can also tag all the tenants that use this certificate and then select the tag as the Associated Tenants in the certificate and deployment targets.

    By doing that, you don't have to come back to modify the certificate when a new target is added.

    I hope this helps! Let me know what you think and how you go.


  4. Eddy Ma closed this discussion on 05 Mar, 2018 11:24 PM.
