Octopus not deploying the SSL Certificate (correctly?) during IIS Website deployment

Legacy Security
1

Hi,

I’ve got a self-signed SSL certificate that I want to use for testing while we’re waiting for our real certificates to be available. It got added into Octopus just fine, and it even detects when it expires and that its self-signed. I then configured the IIS Deploy step to add an HTTPS binding and to use an octopus managed certificate, which states it’ll deploy the certificate. I’ve created a variable and have it pointing to my only certificate “ScienceFair”

image
image.png555×814 42.7 KB

Here is the error I’m getting:

06:25:14   Info     |       Adding certificate 'CN=sciencefair.example.com' into Cert:\LocalMachine\My
06:25:14   Info     |       Certificate 'CN=sciencefair.example.com' already exists in store 'My'.
06:25:14   Verbose  |       Creating 'D:\OctopusTentacle\Development\Applications\SFTenant\Development\Mastiff\5.1.6967.42612_9\Octopus.Features.IISWebSite_BeforePostDeploy.ps1' from embedded resource
06:25:14   Verbose  |       Executing 'D:\OctopusTentacle\Development\Applications\SFTenant\Development\Mastiff\5.1.6967.42612_9\Octopus.Features.IISWebSite_BeforePostDeploy.ps1'
<snip>
06:25:17   Info     |       Making sure a Website "ScienceFair" is configured in IIS...
06:25:17   Info     |       Finding SSL certificate with thumbprint A9C66B8AC2F9D9F2AB6E4A11124292B86AFDE35E
06:25:17   Error    |       Could not find certificate under Cert:\LocalMachine with thumbprint
06:25:17   Error    |       A9C66B8AC2F9D9F2AB6E4A11124292B86AFDE35E. Make sure that the certificate is
06:25:17   Error    |       installed to the Local Machine context and that the private key is available.
06:25:17   Error    |       At D:\OctopusTentacle\Development\Applications\SFTenant\Development\Mastiff\5.1
06:25:17   Error    |       .6967.42612_9\Octopus.Features.IISWebSite_BeforePostDeploy.ps1:480 char:4
06:25:17   Error    |       +             throw "Could not find certificate under Cert:\LocalMachine with
06:25:17   Error    |       thumbprint $s ...
06:25:17   Error    |       +    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

I see that it automatically put the certificate in Cert:\LocalMachine\My but the code then goes to look for it in Cert:\LocalMachine\ and fails.

I’ve confirmed that the thumbprint it says it can’t find is the same thumbprint I see on the certificate installed on that server, as seen below.

image
image.png989×248 25.8 KB

I’ve upgraded to 2019.1.6 and just forced my tentacle to upgrade its version of Calimari.

Any help will be appreciated!

Thanks,

James

3

Hi James,
Thanks for getting in touch! I’m sorry to hear you are seeing issues using the HTTPS binding with a self-signed certificate.

One thing I noticed from your screenshot of Certificate Manager in Windows is showing that the certificate 'CN=sciencefair.example.com' doesn’t have a private key. I noticed this by seeing that the little Icon in the list hasn’t got the tiny key. You can confirm this by opening the certificate and looking for the text: “You have a private key that corresponds to this certificate”, please see below:

image
image.png458×561 12.9 KB

A private key is required when binding a certificate in this way. One option could be to ensure that the PFX used to import the certificate into Octopus contains a private key as well as the certificate.

I hope this has been helpful! please feel free to keep in touch if you have any questions about certificates with private keys, I’ll be able to assist further.

Kind regards,
Lawrence.

4

Hi Lawrence,

That was it!

I couldn’t find a way of creating this type of certificate using the openssl command line tool…every single example I found did not include the private key in the cert.

However, I was able to follow the steps on this MSDN blog post to generate one that worked with Octopus.

Thanks!

James

1 Like