Error loading certificate pfx files through Octopus UI and .net method

Hi,

We’re using the new Octopus certificate functionality, but have encountered a problem when uploading some certificates both through the UI and a PowerShell script calling the .NET object. The problem seems to be when the password for the pfx file contains certain special characters (I’m not sure exactly which one, but ‘&’ seems to cause a problem).

We’re running Octopus 3.11.18

Thanks,

Chris

Hi Chris,

Thanks for getting in touch! I’ve been trying to reproduce the problem on Octopus 3.13.2 and can’t seem to get the same behaviour. The only way I can make it fail is by entering the wrong password.

Here are some example passwords I’ve tested:

P&ssword
"#["/%*&;^*`;=*\|*"|&$-<_?".</;.)?({&+,++--""%"'`%
#:?<=]/|'-"~%<}]
{>@.[!(\]_@}?.*/:*=.(!\;!(?~$[_[\?~?/:}*!%`,":**?\

I generated self-signed certificates using this PowerShell script leveraging this PowerShell script.

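# Generates a self-signed certificate and exports it to a password-protected PFX.
param (
    [Parameter(Mandatory = $true)]
    [string]$Path,      # output path of the PFX file
    [Parameter(Mandatory = $true)]
    [string]$Domain,    # used as both the subject CN and the SAN
    [Parameter(Mandatory = $true)]
    [string]$Password   # PFX password, passed as plain text for testing
)

# Dot-source the helper script that defines New-SelfSignedCertificateEx.
. .\New-SelfSignedCertificateEx.ps1

# The helper expects the password as a SecureString, so convert it first.
New-SelfsignedCertificateEx -Subject "CN=$Domain" -EKU "Server Authentication", "Client authentication" -KeyUsage "KeyEncipherment, DigitalSignature" -SAN $Domain -AllowSMIME -Path $Path -Password (ConvertTo-SecureString $Password -AsPlainText -Force) -Exportable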

Where to from here?

I don’t know of any changes in this area since Octopus 3.11.18 -> 3.13.2, but it may be worth upgrading anyhow - we’ve shipped a lot of good stuff in 3.12 and 3.13.

Otherwise I wonder if you could generate a non-sensitive certificate and reproduce the problem locally, then send that certificate and password to me so I can investigate further?

Perhaps it could be a text encoding problem, or perhaps there’s a non-printing character in the password?

Hope that helps!
Mike
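
A local check for the two explanations raised in the reply above (an unexpected character in the password, or a file that cannot be decoded), as an added example that is not part of the original thread or Octopus's own code. It lists password characters outside printable ASCII, then opens the PFX with .NET's X509Certificate2 class independently of Octopus; the script name and its parameters are assumptions.

```powershell
# Added example: Test-PfxLocally.ps1 (hypothetical name and parameters).
param (
    [Parameter(Mandatory = $true)]
    [string]$Path,
    [Parameter(Mandatory = $true)]
    [securestring]$Password
)

# Recover the plain text in memory only, to inspect its characters.
$plain = (New-Object System.Net.NetworkCredential('', $Password)).Password

# Flag anything outside printable ASCII: control characters, non-breaking
# spaces, smart quotes pasted from a document, and similar.
$suspect = @(for ($i = 0; $i -lt $plain.Length; $i++) {
    $code = [int]$plain[$i]
    if ($code -lt 0x20 -or $code -gt 0x7E) {
        [pscustomobject]@{
            Index     = $i
            CodePoint = 'U+{0:X4}' -f $code
            Category  = [Globalization.CharUnicodeInfo]::GetUnicodeCategory($plain[$i])
        }
    }
})
if ($suspect.Count -gt 0) {
    Write-Warning 'Password contains characters outside printable ASCII:'
    $suspect | Format-Table -AutoSize | Out-String | Write-Host
}
if ($plain -ne $plain.Trim()) {
    Write-Warning 'Password has leading or trailing whitespace.'
}

# Open the PFX with the same password, outside Octopus, using the default
# key storage flags (no PersistKeySet).
try {
    $file = (Resolve-Path -LiteralPath $Path -ErrorAction Stop).Path
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 `
        -ArgumentList $file, $Password -ErrorAction Stop
    $cert | Select-Object Subject, Thumbprint, NotAfter, HasPrivateKey
    $cert.Reset()
}
catch {
    # Show the innermost exception: its type and HResult say more than the message.
    $inner = $_.Exception.GetBaseException()
    Write-Warning ('{0} (HResult 0x{1:X8}): {2}' -f $inner.GetType().FullName, $inner.HResult, $inner.Message)
}
```

Running it with `-Password (Read-Host -AsSecureString)` keeps the password out of the command line and shell history.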

Hi,

I’ve resolved this now, the problem was some of our certificates were exported from Windows Server 2003 and these are the ones causing an error on uploading to Octopus. I’ve reexported the certs from Windows Server 2012 and it all works now.

The error message from Octopus is confusing as it has nothing to do with an incorrect password.

Thanks,

Chris

Hi Chris,

Thanks for keeping in touch! Unfortunately we don’t get many details when it comes to decoding certificates and are often forced to make our best guess at the root cause of any problems.

I wonder if you would mind signing a certificate for a dummy subject, exporting it from Windows Server 2003, and then sending it to us? It would be really nice if I could investigate this further and understand what is going wrong so we can improve our automated tests and error messages.

Hope that helps!
Mike

Response accidentally logged on a different ticket:

Hi,
I’ve resolved this now, the problem was some of our certificates were exported from Windows Server 2003 and these are the ones causing an error on uploading to Octopus. I’ve reexported the problem certs from Windows Server 2012 and it all works now.

I was going to send you a dummy certificate from Windows Server 2003 so you could test and improve your error message, but unfortunately I don’t have access to the server involved.

Thanks,

Chris

Hi Chris,

Thanks for keeping in touch! Glad to hear it’s all resolved. If you happen to come across another example please don’t hesitate to get back in touch!

Happy Deployments!
Mike