Let's Encrypt integration requires access to Local Computer store

(Vern DeHaven) #1

In Octopus 3.15.1, I am attempting to configure a Let’s Encrypt certificate via Configuration | Certificates. When applying, I receive:

The account that Octopus is running under does not have permission to save certificates to the ‘LocalMachine\My’ certificate store. We received an error ‘Access is denied.’ while opening the certificate store. Unfortunately, we need permission to this store be able to handle the Let’s Encrypt certificate flow. Aborting.

This requires that the OctopusDeploy service be running as an administrator, something we have been able to avoid until now. Would it be possible to instead use the service account certificate store?

(Matt Richardson) #2

Hi Vern

Thanks for getting in touch!

Glad to hear you’ve had a go at the Let’s Encrypt integration, and sorry to hear that you’ve run into issues.

Unfortunately, due to the way Octopus uses HTTP.SYS to handle the SSL offloading, the certificate has to be stored in the local machine context (see the Microsoft docs for more detail).

We have considered allowing credentials to be specified to enable access to the cert store in this scenario, and to be used when the Octopus Server needs to be restarted, but unfortunately it didn’t make it in.

At this point, your best bet is to keep using your user account and use one of the command-line / PowerShell Let’s Encrypt utilities to handle the certificate request and installation. I’d also recommend adding a feature request to our user voice board - we use these suggestions when prioritising.

Sorry I can’t give you a better answer than that right now.

Regards,
Matt
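As an added diagnostic (not from this thread or from Octopus itself), the PowerShell below reproduces the check behind the error Vern quotes: run it under the Octopus service account and it reports whether `LocalMachine\My` can be opened read-write, then lists what HTTP.SYS currently has bound so the store each binding uses can be confirmed. The function names are my own.

```powershell
# Added diagnostic: can the current account write to LocalMachine\My, and
# what does HTTP.SYS have bound right now? Run under the Octopus service
# account to reproduce the permission check that aborts the Let's Encrypt flow.

function Test-LocalMachineMyWriteAccess {
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store(
        [System.Security.Cryptography.X509Certificates.StoreName]::My,
        [System.Security.Cryptography.X509Certificates.StoreLocation]::LocalMachine)
    try {
        # ReadWrite is what importing a certificate needs; ReadOnly succeeds
        # for any user and so would not reproduce the problem.
        $store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadWrite)
        return $true
    } catch [System.Security.Cryptography.CryptographicException] {
        # "Access is denied." here is the same condition the Octopus error reports.
        Write-Warning "Cannot open LocalMachine\My for writing: $($_.Exception.Message)"
        return $false
    } finally {
        $store.Close()
    }
}

function Get-HttpSysSslBindings {
    # HTTP.SYS bindings are machine-wide; netsh shows the hash and the
    # certificate store name each binding resolves against.
    netsh http show sslcert |
        Select-String -Pattern 'IP:port', 'Certificate Hash', 'Certificate Store Name'
}

$identity = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
Write-Host "Running as: $identity"
if (Test-LocalMachineMyWriteAccess) {
    Write-Host "LocalMachine\My is writable by this account."
} else {
    Write-Host "LocalMachine\My is not writable; the Let's Encrypt flow would abort here."
}
Get-HttpSysSslBindings
```

A successful read-write open under a non-administrator service account is only expected if the store's ACL has been changed deliberately; by default it fails, which is the behaviour the thread describes.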

(Vern DeHaven) #3

Thank you for the clarification!

(system) closed #4