Certificates in Octopus

Hi There,

We tried to replace an old certificate with a new one in Octopus and it did not work; it did not get the private key. The “Has private key” flag was false. We then had to manually add a new certificate to resolve this issue.
We have not noticed this issue before. Is this being reported by any team after the latest deployment of Octopus server version 2020.1.12?

Hi Pradipta,

Thanks for reaching out. I’m a little unclear about what the exact issue was and what you did to resolve it. To answer your question directly, no, we have not had reported issues from 2020.1.12 regarding SSL bindings.

Can you provide some more information on what steps you performed?
i.e. "We tried to replace an old certificate with a new one in Octopus and it did not work"
Did you try to replace the certificate with a self-signed certificate through the Octopus Server Manager or were you attempting to use your own SSL certificate?

Were you following this guide: https://octopus.com/docs/security/exposing-octopus/expose-the-octopus-web-portal-over-https
If you were, what step did it fail at?

"We then had to manually add a new certificate to resolve this issue" - what have you done differently compared to the first step?

If you could provide me with some steps in order to recreate the issue, I would be extremely appreciative.

Kind Regards,

Dane.

Hi Dane,

Thanks for getting back to me.

Sorry if I was not clear but I was trying to add certificates to our projects on Octo and not Octo itself.

Steps:

We replaced an old certificate (it was expiring) by going to Library --> Certificates --> select certificate --> Replace (with a new one).
Our IIS projects tried to use that certificate for deployment and that failed, complaining about a missing private key. Also, we noticed that the new replaced certificate had the “Has Private Key” flag as No.

OperationStopped: Could not find certificate under Cert:\LocalMachine with thumbprint ***. Make sure that the certificate is installed to the Local Machine context and that the private key is available.

We had to manually add a certificate (Library --> Certificates --> Add a Certificate) in order to make it work in deployment, but we also had to delete the existing old certificate from the deployment server.

Please let me know if you need any further information.

Hi Pradipta,

I completely understand now. Just confirming that you are up and running now?

Was the manually added certificate the exact same certificate as the replacement certificate you used initially? What I need to work out is, was there a chance that the initially replaced certificate was exported without the Private key?

Also, did you create a new release before doing the deploy after replacing the certificate in the certificate store and updating any project variables? If you didn’t create a release, the current release would still be using the old certificate information and variable bindings.

I will attempt to reproduce what you are seeing within the latest version of Octopus; however, I want to make sure I am replicating it exactly as you had tried to implement it.

We have made a couple of changes in 2020.2.8 and 2020.3.1 which look to address issues with IIS certificate deployment. For example, this one: https://github.com/OctopusDeploy/Issues/issues/6376

Are you in a position to update your Octopus Deploy server to a more recent deployment and test again?

Thank you for the information.

Regards,

Dane.
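
The two checks raised in this thread (was the replacement file exported without its private key, and does the deployment target hold the certificate with a usable key under Cert:\LocalMachine), as an added PowerShell example that is not part of the original posts and is not Octopus's own tooling. The function names, file path and prompt text are hypothetical placeholders.

```powershell
# Added example: placeholder path and names, not values from the thread.
function Test-CertificateFile {
    param(
        [Parameter(Mandatory)][string]$Path,
        [securestring]$Password   # only needed for a password-protected .pfx
    )
    $full = (Resolve-Path -LiteralPath $Path).ProviderPath
    $type = [System.Security.Cryptography.X509Certificates.X509Certificate2]
    $cert = if ($Password) { $type::new($full, $Password) } else { $type::new($full) }
    try {
        # A .cer export, or a .pfx exported without the key, reports HasPrivateKey = False.
        [pscustomobject]@{
            File          = $full
            Subject       = $cert.Subject
            Thumbprint    = $cert.Thumbprint
            NotAfter      = $cert.NotAfter
            HasPrivateKey = $cert.HasPrivateKey
        }
    } finally { $cert.Dispose() }
}

function Find-LocalMachineCertificate {
    param([Parameter(Mandatory)][string]$Thumbprint)
    # Normalise pasted thumbprints (spaces, hidden characters, lower case).
    $wanted = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
    Get-ChildItem -Path Cert:\LocalMachine -Recurse |
        Where-Object {
            $_ -is [System.Security.Cryptography.X509Certificates.X509Certificate2] -and
            $_.Thumbprint -eq $wanted
        } |
        ForEach-Object {
            [pscustomobject]@{
                Store         = ($_.PSParentPath -split '\\')[-1]
                Thumbprint    = $_.Thumbprint
                NotAfter      = $_.NotAfter
                HasPrivateKey = $_.HasPrivateKey
            }
        }
}

# 1. Before uploading: confirm the replacement file actually carries the key.
$file = Test-CertificateFile -Path 'C:\certs\replacement.pfx' `
    -Password (Read-Host 'PFX password' -AsSecureString)
if (-not $file.HasPrivateKey) {
    Write-Warning "$($file.File) has no private key; re-export it as PFX with the key."
}

# 2. On the deployment target: list every LocalMachine store holding that thumbprint.
Find-LocalMachineCertificate -Thumbprint $file.Thumbprint | Format-Table -AutoSize
```

An empty result from the second call, or a row with HasPrivateKey set to False, matches the "Could not find certificate under Cert:\LocalMachine" deployment error quoted earlier in the thread.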
