Deploying a Certificate to Apache

I want to export Octopus library certificates to a Linux server running Apache web server. How can I “export” the raw PEM out of the certificate variable to a file on Linux? There are community steps that will do it, but as PowerShell, that doesn’t run through a Linux tentacle. HELP.

Hi @karl.bailey

Thanks for your question and welcome to the community forum!

I export certificate variables to my Linux server running Ubuntu 20.04 for my NGINX config to work correctly (it’s responsible for load balancing my local Octopus instance. :smiley:)

In all the example code snippets below, I’m making use of the certificate variable expanded properties.

Let’s assume for the example that your certificate variable is called MyCertificateVariable.
In bash, you can run the following:

CERT=$(get_octopusvariable "MyCertificateVariable.CertificatePem")
echo "$CERT" > my_cert.crt

If your certificate includes a certificate chain, you’ll need to combine the chain with the main certificate. You can do this like so:

CERT=$(get_octopusvariable "MyCertificateVariable.CertificatePem")
CHAIN=$(get_octopusvariable "MyCertificateVariable.ChainPem")
COMBINED_CHAIN="$CERT\n$CHAIN"
echo -e "$COMBINED_CHAIN" > my_combined.crt

Lastly, if your certificate also has a private key that you need to export (as I do in the case of my NGINX config), you can use the PrivateKeyPem property when using a certificate variable:

KEY=$(get_octopusvariable "MyCertificateVariable.PrivateKeyPem")
echo "$KEY" > ssl.key

I hope that helps.

Best,

Hi @karl.bailey,

Just a quick note to mention I also added those examples from above to our docs:

Hopefully, that will help someone else out too :slight_smile:

Best,

Hi Mark
I’m having issues with the private key file I’m getting from the .PrivateKeyPem property.
Using:
openssl rsa -in "ssl.key" -check
results in
:pem_lib.c:707:Expecting: ANY PRIVATE KEY

The Apache service was also not happy with those files that were echoed out from Octopus using the tentacle.
Opening the content of the ssl.key file, it has

-----BEGIN RSA PRIVATE KEY-----

which I believe is PKCS#1 formatted
vs. the key file that works on the apache server starts with

-----BEGIN PRIVATE KEY-----

which I believe is PKCS#8 formatted

Could you assist me in getting the unencrypted PKCS#8 encoded data inside the key file from Octopus?

How are you outputting the ssl.key file? e.g. are you using Bash, or PowerShell or some other language?

Usually, that error can indicate there is a UTF8-BOM (byte order mark) instead of just UTF8 in the key file.

Best,

Hi Mark
Thanks for your reply. It’s Bash. My colleague with more Linux experience was able to assist; the problem was that the key file output was one line, so it had spaces in it.
The issue was resolved by changing
this:
echo $(get_octopusvariable "MyCert.PrivateKeyPem") > "${keypath}"
to this:
echo "$(get_octopusvariable "MyCert.PrivateKeyPem")" > "${keypath}"

I had previously defined the keypath in the bash script like this:
keyname=$(get_octopusvariable "NameofFile")
path="path to keyoutput"
keypath="${path}/${keyname}.key"

Hi @freyr.finnbogason

Ah yes, the case of no newlines. That’s also bitten me once or twice.

I’m glad you got it working. For the benefit of anyone else who reads this question, you can avoid Byte order mark issues with PowerShell with code like this:

$certificatePem = $OctopusParameters["MyCertificate.CertificatePem"]
$chainPem = $OctopusParameters["MyCertificate.ChainPem"]
$PrivateKeyPem = $OctopusParameters["MyCertificate.PrivateKeyPem"]
$combinedCertPem = $certificatePem + $chainPem

# Writing files with UTF-8 (no BOM)
$Utf8NoBomEncoding = New-Object System.Text.UTF8Encoding $False
[System.IO.File]::WriteAllLines("/tmp/cert.pem", $certificatePem, $Utf8NoBomEncoding)
[System.IO.File]::WriteAllLines("/tmp/cert_with_chain.pem", $combinedCertPem, $Utf8NoBomEncoding)
[System.IO.File]::WriteAllLines("/tmp/key.pem", $PrivateKeyPem, $Utf8NoBomEncoding)

Best,

1 Like
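
The two failure modes discussed in this thread (a key flattened onto one line by an unquoted `echo $(...)`, and a UTF-8 byte order mark) can be checked for before the web server is reloaded. The script below is an added example, not code from any poster or from Octopus; `write_pem`, `pem_check`, `demo` and the sample key are hypothetical names and constructed data, and the PEM text is passed as an argument instead of being read with `get_octopusvariable`.

```shell
#!/bin/sh
# Added example, not from the thread. In an Octopus step the PEM text would come
# from get_octopusvariable as in the posts above; here it is passed as an argument.

# write_pem FILE PEM_TEXT: quoting "$2" keeps the newlines, and umask 077 means
# a private key is never created group- or world-readable.
write_pem() {
    ( umask 077; printf '%s\n' "$2" > "$1"; chmod 600 "$1" )
}

# pem_check FILE: prints "ok <label>" or names the first problem; returns 1 on a problem.
pem_check() {
    if [ "$(head -c 3 "$1" | od -An -tx1 | tr -d ' \n')" = "efbbbf" ]; then
        echo "bom"; return 1            # UTF-8 byte order mark before the header
    fi
    if grep -q "$(printf '\r')" "$1"; then
        echo "crlf"; return 1           # Windows line endings
    fi
    # Header and footer must each sit alone on a line. An unquoted
    # echo $(...) collapses the whole key onto one line, which fails here.
    if ! sed -n '1p' "$1" | grep -Eq '^-----BEGIN [A-Z0-9 ]+-----$' ||
       ! sed -n '$p' "$1" | grep -Eq '^-----END [A-Z0-9 ]+-----$'; then
        echo "flattened"; return 1
    fi
    # Label "RSA PRIVATE KEY" is PKCS#1, "PRIVATE KEY" is PKCS#8.
    echo "ok $(sed -n '1s/^-----BEGIN \(.*\)-----$/\1/p' "$1")"
}

# Constructed sample: the body is placeholder base64, not a real key.
SAMPLE_KEY='-----BEGIN RSA PRIVATE KEY-----
Q09OU1RSVUNURUQgU0FNUExFIEJPRFkgTElORSBPTkU=
Q09OU1RSVUNURUQgU0FNUExFIEJPRFkgTElORSBUV08=
-----END RSA PRIVATE KEY-----'

demo() {
    dir=$(mktemp -d) || return 1
    write_pem "$dir/good.key" "$SAMPLE_KEY"
    echo $SAMPLE_KEY > "$dir/flat.key"                      # the unquoted form from the thread
    printf '\357\273\277%s\n' "$SAMPLE_KEY" > "$dir/bom.key"  # constructed BOM-prefixed file
    for f in good flat bom; do
        printf '%s: %s\n' "$f" "$(pem_check "$dir/$f.key")"
    done
    rm -rf "$dir"
}
demo
```

In a deployment script, `pem_check "$keypath" || exit 1` placed before the service reload stops a malformed key from reaching Apache or NGINX.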