Could not find certificate under Cert:\LocalMachine with thumbprint

Hi, I am seeing an issue where it is trying to get the Thumbprint variable instead of the value. How do I fix this? Thank you so much in advance for your help.

Finding SSL certificate with thumbprint #{SPS_SSL_Certification_Thumbprint}

February 8th 2023 10:37:08

Error

OperationStopped: Could not find certificate under Cert:\LocalMachine with thumbprint #{SPS_SSL_Certification_Thumbprint}. Make sure that the certificate is installed to the Local Machine context and that the private key is available.
My setting is below:

Hi @tdnguyen3,

Thanks for reaching out and welcome to the Octopus forums!

The way you will want to reference the thumbprint of a Certificate is with: #{MyCertificate.Thumbprint}.

You can see this, with some examples, and all of the ways you can interact with a Certificate here: Certificate variables - Octopus Deploy

Please let me know if that helps or if you have any questions.

Best,
Jeremy

Thank you so much for a quick response. Let me try.

Hello Jeremy,
First of all, thanks again for your time. I am a newbie to Octopus, that’s why I am struggling with these.
Question: Why “SSL Certificate got deleted”? Where should I change it so that it does not get deleted?
After doing so, the deployment process successfully deployed, but I am seeing weird logs:


Then failed to connect to the site

Hi,

You’re very welcome!

I believe the bindings you have on the IIS server are clashing with the ones set in your IIS step in Octopus. Are you using the Replace existing bindings radial button in the Bindings section of your IIS step? If not, can you toggle that, create a new release, and try the deploy again and see if you get different results?

Looking forward to hearing back.

Best,
Jeremy

Yes, I am using “Replace existing bindings”

Hi @tdnguyen3,

Thank you for the update! I’m stepping in on this one, as Jeremy has gone offline for the day, but I’m happy to help!

In reviewing things so far, it seems like you might have custom bindings set on your IIS instance, which are then being replaced by your configuration from Octopus Deploy, and this configuration may not be getting set right.

As a next step, I would recommend removing any manual bindings from your IIS instance and then let Octopus Deploy implement this configuration as the source of truth.

If things still aren’t looking quite right from there, I would log into the IIS instance and inspect the configuration that was pushed by Octopus in order to identify the issue with the binding that is being set, which should help narrow in on what needs to be corrected for this.

I hope this helps, but if you are still having trouble with this process feel free to upload a fresh, full raw task log from this deployment process for our review, and we should be able to dive into this a little deeper.

Here is a secure link for the task log (if needed), so you don’t have to post this to the public forum.

Regards,

Britton

Thanks Britton.
What did you mean by “let the Octopus Deploy implement this configuration as the source of truth.”? Which part do I set that up in?

Thanks.
~Thuyly

Hi @tdnguyen3,

You’re welcome!

What I meant by that statement is that I would just leave your IIS instance in a baseline state (so no manual bindings), set your binding configuration in Octopus Deploy via the Bindings section in the IIS step template, and then let Octopus Deploy manage this configuration. In this case, there would be nothing to “Replace” on the server from a bindings perspective, and Octopus Deploy would just set the proper configuration:

Octopus is already replacing this existing configuration in your current process (via the Replace existing bindings option), so this would just make your process more straightforward (as there wouldn’t be any confusion on custom bindings being set on IIS already).

In either case, it does look like Octopus is overriding the existing configuration on the IIS server, so it seems like something is not linking up quite right there. If you inspect the binding deployed by Octopus on your IIS server, this should shed some light on what has been misconfigured.

You should also be able to track the steps that Octopus is taking in IIS via the task log, and again, feel free to upload this for our review as well if you are still having trouble.

I hope that helps clarify my initial message, but let me know if I can be of any more help.

Best,

Britton

Here is what I did:
I imported the cert and am using it. I pointed both envs, dev and test, to use this cert.
The dev deployment works fine, which is getting the right cert #, but the test env kept trying to use the variable name:
Instead of “Finding SSL certificate with thumbprint #C6815D1661E01CDF02D06FD5ED9D5E29ED7E22B2”, what I am seeing is “Finding SSL certificate with thumbprint #{SPS_SSL_Certification_Thumbprint}”

February 8th 2023 15:39:06

Info

Finding SSL certificate with thumbprint #{SPS_SSL_Certification_Thumbprint}

February 8th 2023 15:39:06

Error

OperationStopped: Could not find certificate under Cert:\LocalMachine with thumbprint #{SPS_SSL_Certification_Thumbprint}. Make sure that the certificate is installed to the Local Machine context and that the private key is available.

Hi @tdnguyen3,

Just stepping in for Britton while he’s offline, cheers for that info!

It sounds like there could be variable scoping preventing this variable from being used on that environment or target, could you please confirm the scopes that have been applied to this variable?

You could use the Variable Preview feature to confirm if this variable will be available for a deployment to the test environment, otherwise enable variable logging to see variables in the Raw Task Logs. Feel free to send them through to our secure upload portal if you’d like us to check over them!

Feel free to reach out if you run into any issues or have any questions at all!

Best Regards,

From the preview on 2 environments: the setups are the same


Hi,

Would you please be able to send a screenshot of how you have the binding set up in your IIS step so I can take a look?

Best,
Jeremy

Thank you so much for your help… Please see below.

Hi,

You’re very welcome! Thanks for all of the screenshots.

Can you please click into that binding you’ve got set up, and change it from Certificate Managed Externally to Certificate Managed By Octopus and then use the drop-down to select your cert, then save your process and create a new release and try deploying?

Looking forward to hearing how it goes!

Best,
Jeremy

Can’t save it, with the error “An SSL certificate variable must be provided for HTTPS bindings.”

Hi @tdnguyen3,

When you click “Select Certificate Variable” toward the bottom, does your certificate SPS_SSL_Certification_Thumbprint show up? If so please click that and see if that allows you to save without error.

Best,
Jeremy

It works … but I am still seeing the same issue: "OperationStopped: Could not find certificate under Cert:\LocalMachine with thumbprint #{SPS_SSL_Certification_Thumbprint}. Make sure that the certificate is installed to the Local Machine context and that the private key is available."

We’re making progress!

It’s strange that it’s not working at this point, since I can see the variable preview you showed above seems to be able to see the cert.

Would you be able to turn on variable logging and create a new release and then direct message me the task log?

This is how you do that: How to turn on variable logging and export the task log - Octopus Deploy

I don’t recommend leaving the setting on, because it can slow down deployments and cause bloated logs, but it should hopefully help us troubleshoot the issue.

Let me know if you have any questions.

Best,
Jeremy
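
The error message quoted in this thread covers several different conditions: the value is still an unsubstituted `#{...}` token, the certificate is not in any Local Machine store, or it is there without a private key. As an added example (not part of any post above and not Octopus Deploy's own code), the PowerShell below tells these cases apart when run on the IIS server; `Test-LocalMachineCertificate` is a hypothetical helper name, and the two sample inputs are the token and the thumbprint quoted in the thread's logs.

```powershell
# Added example: hypothetical helper, not part of Octopus Deploy or its IIS step.
function Test-LocalMachineCertificate {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string]$Thumbprint
    )

    # An unresolved variable arrives as the literal token "#{Name}" instead of a value.
    if ($Thumbprint -match '#\{[^}]*\}') {
        return [pscustomobject]@{ Status = 'UnresolvedVariable'
            Detail = "Value still contains a substitution token: $Thumbprint" }
    }

    # Keep hex digits only: drops spaces and invisible characters that can
    # come along when a thumbprint is copied from the certificate dialog.
    $clean = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
    if ($clean.Length -ne 40) {
        return [pscustomobject]@{ Status = 'MalformedThumbprint'
            Detail = "Expected 40 hex characters, got $($clean.Length)" }
    }

    # Search every store under the Local Machine context, as the error describes.
    $found = @(Get-ChildItem -Path Cert:\LocalMachine -Recurse |
        Where-Object { -not $_.PSIsContainer -and $_.Thumbprint -eq $clean })
    if ($found.Count -eq 0) {
        return [pscustomobject]@{ Status = 'NotInstalled'
            Detail = "No certificate with thumbprint $clean under Cert:\LocalMachine" }
    }

    # HTTPS bindings need the private key, not just the public certificate.
    $withKey = @($found | Where-Object HasPrivateKey)
    if ($withKey.Count -eq 0) {
        return [pscustomobject]@{ Status = 'NoPrivateKey'
            Detail = "Found in: $($found.PSParentPath -join '; ')" }
    }

    [pscustomobject]@{ Status = 'OK'
        Detail = "Found with private key in: $($withKey.PSParentPath -join '; ')" }
}

# Sample inputs taken from the log lines quoted in this thread.
Test-LocalMachineCertificate -Thumbprint '#{SPS_SSL_Certification_Thumbprint}'
Test-LocalMachineCertificate -Thumbprint 'C6815D1661E01CDF02D06FD5ED9D5E29ED7E22B2'
```

A result of `UnresolvedVariable` points at variable scoping or naming in the deployment rather than at the server's certificate stores.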