Certificate Variable Binding Time

Hi! We have a runbook with two steps. The first step renews a certificate via Let’s Encrypt and uploads into Octopus and the second step deploys that certificate into an Azure Web App. The second step is bound to a variable that references the certificate in Octopus that we wish to bind. However when we run the runbook the first step ran and renewed the certificate but the second step grabbed the old version of the certificate (the version of the certificate that existed at the start of the runbook launch) instead of the new version of the certificate. Is this expected? Is there some way around in?


Hi Jason,

Thanks for getting in touch!

I’ve created a basic runbook that uploads a cert and then prints out the cert thumbprint and I’m seeing the same behaviour that you’re describing.
If I re-run the runbook without the upload step though, the output does use the new thumbprint,
It seems that when the deployment starts, we’re capturing the current certificate details at the beginning of the process and any changes from that point on are ignored.

I can’t think of a way to achieve this without splitting the process into separate runbooks. I’m querying this internally to see if anyone else has come across a better option.


I’ve discussed this with our advisory team and they don’t have any better option than having one runbook perform the certificate renewal and then have the deployment using that certificate separate.

They have a document on how they handle this available here: Renew Let's Encrypt certificates - Octopus Deploy
And a sample runbook here: Octopus Deploy