When attempting to run the configure-tentacle.sh script on a machine that has FIPS mode enabled, it fails because it cannot load FIPS-compatible ciphers to generate the certificate in the format we expect.
Reproduction
Create a linux VM (RHEL 8 is generally easiest for reproduction)
Install Tentacle
Run ./Tentacle --new-certificate
💥
Error and Stacktrace
===============================================================================
error:23076072:PKCS12 routines:PKCS12_parse:parse error
Interop+Crypto+OpenSslCryptographicException
at Internal.Cryptography.Pal.OpenSslPkcs12Reader.Decrypt(SafePasswordHandle password)
at Internal.Cryptography.Pal.PkcsFormatReader.TryReadPkcs12(OpenSslPkcs12Reader pfx, SafePasswordHandle password, Boolean single, ICertificatePal& readPal, List`1& readCerts)
at Internal.Cryptography.Pal.PkcsFormatReader.TryReadPkcs12(Byte[] rawData, SafePasswordHandle password, Boolean single, ICertificatePal& readPal, List`1& readCerts, Exception& openSslException)
at Internal.Cryptography.Pal.OpenSslX509CertificateReader.FromBlob(Byte[] rawData, SafePasswordHandle password, X509KeyStorageFlags keyStorageFlags)
at System.Security.Cryptography.X509Certificates.X509Certificate..ctor(Byte[] rawData, String password, X509KeyStorageFlags keyStorageFlags)
at System.Security.Cryptography.X509Certificates.X509Certificate2..ctor(Byte[] rawData, String password, X509KeyStorageFlags keyStorageFlags)
at Octopus.Tentacle.Certificates.CertificateGenerator.Generate(String fullName, Boolean exportable) in CertificateGenerator.cs:line 100
at Octopus.Tentacle.Certificates.CertificateGenerator.GenerateNew(String fullName) in CertificateGenerator.cs:line 41
at Octopus.Tentacle.Configuration.WritableTentacleConfiguration.GenerateNewCertificate() in TentacleConfiguration.cs:line 273
at Octopus.Tentacle.Commands.NewCertificateCommand.Start() in NewCertificateCommand.cs:line 78
at Octopus.Shared.Startup.AbstractCommand.Start(String[] commandLineArguments, ICommandRuntime commandRuntime, OptionSet commonOptions) in AbstractCommand.cs:line 79
at Octopus.Shared.Startup.OctopusProgram.Start(ICommandRuntime commandRuntime) in OctopusProgram.cs:line 544
at Octopus.Shared.Startup.ConsoleHost.Run(Action`1 start, Action shutdown) in ConsoleHost.cs:line 33
at Octopus.Shared.Startup.OctopusProgram.RunHost(ICommandHost host) in OctopusProgram.cs:line 218
at Octopus.Shared.Startup.OctopusProgram.Run() in OctopusProgram.cs:line 153
-------------------------------------------------------------------------------
More Information
No response
Workaround
You can work around this issue by using the "Custom certificate" feature of Tentacle to import a compliant cert, generated in FIPS mode. Basic command stack for a listening tentacle is as follows:
# -- Generate a 100 year certificate with a compliant crypto scheme
openssl req -newkey rsa:4096 -x509 -sha512 -days 36500 -nodes -out certificate.pem -keyout privatekey.pem -subj "/CN=Tentacle"
# -- Convert pem to pfx
openssl pkcs12 -export -out generated.pfx -inkey privatekey.pem -in certificate.pem
# -- Configure tentacle (replicating what the configure-tentacle script does - default settings used).
/opt/octopus/tentacle/Tentacle create-instance --instance "Tentacle" --config "/etc/octopus/Tentacle/tentacle-Tentacle.config"
/opt/octopus/tentacle/Tentacle import-certificate --instance "Tentacle" --from-file=generated.pfx
/opt/octopus/tentacle/Tentacle configure --instance "Tentacle" --app "/home/Octopus/Applications" --port 10933 --noListen False --reset-trust
/opt/octopus/tentacle/Tentacle configure --instance "Tentacle" --trust SERVERCERTIFICATETHUMBPRINT
/opt/octopus/tentacle/Tentacle service --install --start --instance "Tentacle"
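A check worth running on generated.pfx before the import-certificate step, added here as an example and not Tentacle's or Octopus's code: it reports which PKCS#12 password-based encryption schemes the file uses, so you can confirm it avoids the RC2/3DES ciphers that an OpenSSL FIPS build refuses to load. The OID table and the conservative "acceptable" column are my assumptions; the test blobs are constructed, not real PFX files.

```python
"""Report which PKCS#12 PBE schemes a .pfx uses (constructed example for this issue).

The scanner searches for the DER encoding of each known AlgorithmIdentifier OID
anywhere in the file; encrypted payloads are not DER, so a hit is effectively
always a real algorithm field. PKCS#12 files made with OpenSSL < 3.0 default to
RC2-40 for certs and 3DES for keys, which is what breaks PKCS12_parse under FIPS.
"""
import sys

# OID -> (name, acceptable for a FIPS-mode import). Deliberately conservative:
# only PBES2 (PKCS#5 v2) with AES is treated as acceptable; 3DES is flagged too.
KNOWN_ALGORITHMS = {
    "1.2.840.113549.1.12.1.1": ("pbeWithSHAAnd128BitRC4", False),
    "1.2.840.113549.1.12.1.2": ("pbeWithSHAAnd40BitRC4", False),
    "1.2.840.113549.1.12.1.3": ("pbeWithSHAAnd3-KeyTripleDES-CBC", False),
    "1.2.840.113549.1.12.1.4": ("pbeWithSHAAnd2-KeyTripleDES-CBC", False),
    "1.2.840.113549.1.12.1.5": ("pbeWithSHAAnd128BitRC2-CBC", False),
    "1.2.840.113549.1.12.1.6": ("pbeWithSHAAnd40BitRC2-CBC", False),
    "1.2.840.113549.1.5.13": ("PBES2", True),
    "1.2.840.113549.1.5.12": ("PBKDF2", True),
    "1.2.840.113549.3.7": ("des-ede3-cbc (inside PBES2)", False),
    "1.2.840.113549.3.2": ("rc2-cbc (inside PBES2)", False),
    "2.16.840.1.101.3.4.1.2": ("aes-128-cbc", True),
    "2.16.840.1.101.3.4.1.22": ("aes-192-cbc", True),
    "2.16.840.1.101.3.4.1.42": ("aes-256-cbc", True),
}


def encode_oid(dotted: str) -> bytes:
    """DER-encode an OID: tag 0x06, length, then base-128 arcs (first two arcs merged)."""
    arcs = [int(a) for a in dotted.split(".")]
    values = [40 * arcs[0] + arcs[1]] + arcs[2:]
    body = bytearray()
    for arc in values:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        body.extend(reversed(chunk))  # most significant 7-bit group first
    return bytes([0x06, len(body)]) + bytes(body)


def scan_pfx(data: bytes) -> dict:
    """Return {algorithm name: acceptable} for every known OID present in the blob."""
    return {name: ok for oid, (name, ok) in KNOWN_ALGORITHMS.items() if encode_oid(oid) in data}


def fips_friendly(data: bytes) -> bool:
    """True only if at least one PBE was found and none of them is a legacy cipher."""
    found = scan_pfx(data)
    return bool(found) and all(found.values())


if __name__ == "__main__":
    with open(sys.argv[1], "rb") as fh:  # e.g. the generated.pfx from the workaround above
        blob = fh.read()
    for name, ok in sorted(scan_pfx(blob).items()):
        print(f"{'ok    ' if ok else 'LEGACY'} {name}")
    print("FIPS-friendly:", fips_friendly(blob))
```

If it flags a legacy cipher, re-export with `openssl pkcs12 -export ... -keypbe AES-256-CBC -certpbe AES-256-CBC -macalg sha256`, which forces PBES2/AES (OpenSSL 3.0 and later use these defaults on their own).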
Team
Severity
Blocking some customers, workaround available.
Version
2019.10 -> Latest
Latest Version
I could reproduce the problem in the latest build