generate cert fails the first time #32

Closed
spuder opened this issue Aug 4, 2016 · 4 comments

spuder commented Aug 4, 2016

I find that every time I try and use test kitchen to install a tentacle, I get this error

          * powershell_script[generate-tentacle-cert] action run

             ================================================================================
             Error executing action `run` on resource 'powershell_script[generate-tentacle-cert]'
             ================================================================================

             Mixlib::ShellOut::ShellCommandFailed
             ------------------------------------
             Expected process to exit with [0], but received '1'
             ---- Begin output of "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NonInteractive -NoProfile -ExecutionPolicy Bypass -InputFormat None -File "C:/Users/ADMINI~1/AppData/Local/Temp/chef-script20160804-1440-10ljeji.ps1" ----
             STDOUT:
             STDERR: C:\Users\Administrator\AppData\Local\Temp\chef-script20160804-1440-10ljeji.ps1
             : ERROR: Command returned 100 Generating Cert for the machine
          + CategoryInfo          : NotSpecified: (:) [Write-Error], WriteErrorExcep
         tion
          + FullyQualifiedErrorId : Microsoft.PowerShell.Commands.WriteErrorExceptio
         n,chef-script20160804-1440-10ljeji.ps1
             ---- End output of "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NonInteractive -NoProfile -ExecutionPolicy Bypass -InputFormat None -File "C:/Users/ADMINI~1/AppData/Local/Temp/chef-script20160804-1440-10ljeji.ps1" ----
             Ran "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NonInteractive -NoProfile -ExecutionPolicy Bypass -InputFormat None -File "C:/Users/ADMINI~1/AppData/Local/Temp/chef-script20160804-1440-10ljeji.ps1" returned 1

             Resource Declaration:
             ---------------------
             # In C:/Users/ADMINI~1/AppData/Local/Temp/kitchen/cache/cookbooks/octopus-deploy/providers/tentacle.rb

       83:   generate_cert = powershell_script 'generate-tentacle-cert' do
       84:     action :run
       85:     cwd tentacle_install_location
       86:     code <<-EOH
       87:       .\\Tentacle.exe new-certificate -e "#{cert_file}" --console
       88:       #{catch_powershell_error('Generating Cert for the machine')}
       89:     EOH
       90:     not_if { cert_file.nil? || ::File.exist?(cert_file) }
       91:   end
       92:

             Compiled Resource:
             ------------------
             # Declared in C:/Users/ADMINI~1/AppData/Local/Temp/kitchen/cache/cookbooks/octopus-deploy/providers/tentacle.rb:83:in `block in class_from_file'

             powershell_script("generate-tentacle-cert") do
        action [:run]
        retries 0
        retry_delay 2
        default_guard_interpreter :powershell_script
        command "generate-tentacle-cert"
        backup 5
        cwd "C:\\Program Files\\Octopus Deploy\\Tentacle"
        returns 0
        code "      .\\Tentacle.exe new-certificate -e \"c:\\Octopus\\tentacle_cert.txt\" --console\n      if ( ! $? ) { throw \"ERROR: Command returned $LastExitCode Generating Cert for the machine\" }\n"
        interpreter "powershell.exe"
        declared_type :powershell_script
        cookbook_name "nd-octopus"
        not_if { #code block }
             end

             Platform:
             ---------
             x64-mingw32

Questions:

  • Why does it generate the certificate before creating the tentacle? Most of the documentation I find shows the opposite order:

    Tentacle.exe create-instance --instance "Tentacle" --config "C:\Octopus\Tentacle.config" --console
    Tentacle.exe new-certificate --instance "Tentacle" --if-blank --console

    http://docs.octopusdeploy.com/display/OD/Automating+Tentacle+installation

  • Why does the new cert generation not use --if-blank?

    Tentacle.exe new-certificate --if-blank --console

  generate_cert = powershell_script 'generate-tentacle-cert' do
    action :run
    cwd tentacle_install_location
    code <<-EOH
      .\\Tentacle.exe new-certificate -e "#{cert_file}" --console
      #{catch_powershell_error('Generating Cert for the machine')}
    EOH
    not_if { cert_file.nil? || ::File.exist?(cert_file) }
  end

spuder commented Aug 4, 2016

The workaround is to log into test kitchen and run:

    Tentacle.exe new-certificate --if-blank --console

Once you run that, the next chef converge will work.


brentm5 commented Aug 5, 2016

@spuder this is because test kitchen is using winrm, which does not have access to cert libraries, so it cannot generate a cert. We mock this out in the test cookbook by dropping a pre-generated cert. We can actually also use the elevated mode built into test kitchen since https://github.com/chef/chef-dk/blob/master/CHANGELOG.md#v014-2016-05-17


brentm5 commented Apr 26, 2017

@spuder This is actually fixed with the test cookbook / the default way we handle setting up tentacles. By default we actually generate a cert before we configure the tentacle and save that cert in the octopus deploy directory code here. The reason we do this is for two reasons: it's easier to test in test-kitchen because we can pre-generate the certificate. The other big reason is that if you uninstall the tentacle instance on a host and re-run chef, you will get the same certificate and the host can connect to the same instance. If you didn't do it this way, you would get a new certificate each time and have to reconnect the host as well.

In our infrastructure we have a wrapper cookbook for installing tentacles, and in there we include a private test cookbook for mocking the tentacle install. (It's similar to the following below)

https://github.com/cvent/octopus-deploy-cookbook/blob/master/test/cookbooks/octopus-deploy-test/recipes/tentacle.rb#L28-L31

brentm5 closed this as completed Apr 26, 2017

Fodoj commented Jun 19, 2017

So what is the approach to take? To use a dummy certificate for test kitchen and generate a new one for real use? How okay is it to use a single pre-generated cert for all tentacles?
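
Whichever approach is chosen, certificate reuse can be audited: a certificate shared by several hosts means each of them holds the private key that identifies all of them. The Ruby below is an added example (not code from the cookbook or from Octopus Deploy) that flags thumbprints appearing on more than one host or matching a known test-kitchen fixture. It assumes each tentacle's certificate is available as an X.509 object; `make_cert`, `thumbprint`, `audit_tentacle_certs` and the host names are hypothetical, and the sample certificates are constructed.

```ruby
require 'openssl'

# Constructed sample data: a throwaway self-signed certificate.
def make_cert(common_name)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = rand(1..2**32)
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse("/CN=#{common_name}")
  cert.public_key = key.public_key
  cert.not_before = Time.now
  cert.not_after = Time.now + 3600
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
end

# SHA-1 over the DER encoding, upper-case hex (the Windows thumbprint form).
def thumbprint(cert)
  OpenSSL::Digest.new('SHA1').hexdigest(cert.to_der).upcase
end

# inventory: { hostname => OpenSSL::X509::Certificate }
# fixture_thumbprints: thumbprints of certificates shipped in test cookbooks.
# Returns one finding per problem: a certificate present on several hosts,
# or a test fixture certificate present on any host.
def audit_tentacle_certs(inventory, fixture_thumbprints = [])
  findings = []
  inventory.group_by { |_host, cert| thumbprint(cert) }.each do |print, entries|
    hosts = entries.map(&:first).sort
    if hosts.size > 1
      findings << { issue: :shared_certificate, thumbprint: print, hosts: hosts }
    end
    if fixture_thumbprints.include?(print)
      findings << { issue: :test_fixture_in_use, thumbprint: print, hosts: hosts }
    end
  end
  findings
end

# Constructed inventory: two hosts carry the fixture, one has its own cert.
FIXTURE = make_cert('kitchen-fixture')
SAMPLE_INVENTORY = {
  'web01' => FIXTURE, 'web02' => FIXTURE, 'db01' => make_cert('db01')
}.freeze
FINDINGS = audit_tentacle_certs(SAMPLE_INVENTORY, [thumbprint(FIXTURE)])
FINDINGS.each do |f|
  puts "#{f[:issue]}: #{f[:thumbprint]} on #{f[:hosts].join(', ')}"
end
```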
