Let’s Encrypt auto-renewal with polling tentacles on port 80

We have the server bindings set to use HTTPS and polling tentacles on port 80 due to most of our clients’ firewalls being limited and unlikely to open ports for us. We just recently set up Let’s Encrypt on Octopus Deploy, which worked great, but now the certificate renewal is failing because it is looking for /.well-known/acme-challenge over HTTP. Is there any way around this? We are running v2018.1.2.

Hi, thanks for getting in touch! I’m sorry to hear you are seeing issues while configuring Let’s Encrypt for an Octopus Server that is already communicating over ports 80 and 443.

There is currently a limitation in Let’s Encrypt which forces us to perform /.well-known validation over TCP port 80, and there are no configuration changes you can make within Octopus that will provide a workaround here, unfortunately. We are also unable to support the DNS-01 challenge type generically because it requires making changes to DNS records.

However, there might be a few potential options we can look into here.

One potential option could be to completely free up TCP port 80 on the Octopus Server by using polling Tentacles over websockets.

We’ve also introduced a new feature, available in Octopus Server version 2018.4, that allows scheduling recurring deployments. In this case, you could implement your own scripts that take over renewing your Octopus SSL certificates and run that task on a set schedule.

I hope this has been helpful, I look forward to hearing from you if you have any further questions.

Kind regards,
Lawrence.

So, we implemented polling over websockets on all our tenants and everything was working well until Let’s Encrypt renewed the certificate. Now, none of the polling tentacles can connect to the server because WSS uses the thumbprint of the certificate instead of the thumbprint of the server. This is very frustrating because we now have to go back and touch every single tenant and update the tentacle every time it renews. Is there no other way to handle this without so much manual intervention?

Hi Jason,
Thanks for keeping in touch! I’m sorry for the long delay in getting back to you on this one, and I’m sorry to hear you have had this experience using Let’s Encrypt with a Polling Tentacle over web sockets.

Even though I believe you have spoken to us directly about this already I thought it might be best to briefly touch base with you here as well.

One potential workaround, as mentioned by the team who developed this feature, could be to set up a new hostname/public DNS entry pointing to your Octopus Server. Your Polling Tentacles would then communicate directly with the new hostname/public DNS entry and consequently be presented with a more permanent certificate. If you only have a single IP address on the Octopus Server, you would need to enable SNI.

To set it up, log in to the Octopus Server and, with the Octopus Server Manager, add a binding for the new domain with a more permanent certificate.

The best way to know that this is working would be to navigate to your new domain, where you should be presented with the new certificate.

I just want to mention again that I’m very sorry for the delay in getting back to you here and I hope this has been helpful to you!

Kind regards,
Lawrence.
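As an added example (not code from Octopus or from this thread), the following Python script checks the workaround described above from the Tentacle’s point of view: it connects to the Octopus Server with a chosen SNI name and returns the SHA-1 thumbprint of the certificate actually presented on that binding, so you can confirm that the new hostname serves the permanent certificate while the original name still serves the Let’s Encrypt one. Hostnames, the expected thumbprints and the two-binding layout are assumptions for illustration.

```python
import hashlib
import socket
import ssl


def thumbprint_from_der(der_bytes):
    """SHA-1 of the DER-encoded certificate, uppercase hex without separators
    (the thumbprint format Octopus shows for a server or Tentacle)."""
    return hashlib.sha1(der_bytes).hexdigest().upper()


def presented_thumbprint(host, port=443, server_name=None, timeout=5.0):
    """Connect over TLS and return the thumbprint of the leaf certificate the
    server presents for the given SNI name. server_name defaults to host, so
    you can connect to one IP and ask for each hostname binding in turn."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # we only inspect which cert is served
    sni = server_name or host
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=sni) as tls:
            der = tls.getpeercert(binary_form=True)
    return thumbprint_from_der(der)


def evaluate_bindings(expected, observed):
    """Pure comparison: expected and observed map SNI name -> thumbprint.
    Returns the names whose presented certificate does not match what the
    Tentacles were configured to trust (a renewal on that binding would break
    polling over WSS)."""
    return sorted(name for name, want in expected.items()
                  if observed.get(name) != want)


def check_server(host, port, expected):
    """Query every binding in `expected` via SNI and report mismatches."""
    observed = {name: presented_thumbprint(host, port, server_name=name)
                for name in expected}
    return evaluate_bindings(expected, observed)


if __name__ == "__main__":
    # Hypothetical layout: octopus.example.com carries the Let's Encrypt cert
    # (changes at every renewal); tentacles.example.com carries the permanent
    # cert that Polling Tentacles over websockets are configured to trust.
    EXPECTED = {  # placeholder thumbprints, not real values
        "tentacles.example.com": "PLACEHOLDER_PERMANENT_CERT_THUMBPRINT",
    }
    print(check_server("octopus.example.com", 443, EXPECTED))
```

An empty list from `check_server` means every Tentacle-facing binding still presents the certificate the Tentacles trust; a non-empty list names the bindings whose certificate changed.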