Octopus Server DSC https config need Certificate or Certificate Config property

The Octopus DSC resource reports an error when configuring the web portal to use https. This is because a certificate is needed to use https, as this link shows.


Hence, only http works for the DSC resource. When manually enabling https, it shows these commands in the script.
"C:\Program Files\Octopus Deploy\Octopus\Octopus.Server.exe" ssl-certificate --instance "OctopusServer" --ip-address "0.0.0.0" --port "443" --thumbprint "xxxxxxxxxxxxxxxxxxxxxxxxxx" --certificate-store "My"
"C:\Program Files\Octopus Deploy\Octopus\Octopus.Server.exe" configure --instance "OctopusServer" --webForceSSL "True"
"C:\Program Files\Octopus Deploy\Octopus\Octopus.Server.exe" configure --instance "OctopusServer" --webListenPrefixes "http://localhost/,https://localhost/"
"C:\Program Files\Octopus Deploy\Octopus\Octopus.Server.exe" service --instance "OctopusServer" --stop --start

Looking at the command to generate the ssl-certificate, whether self-signed, existing or imported, there seems to be no property in the Octopus Server DSC resource to handle that.

How can we enable https using the Octopus Server DSC resource without generating a certificate?

Benaiah Youquoi

Greetings Benaiah! Looking through the code, I can see that you’re absolutely correct in that there isn’t a way to provide an existing certificate thumbprint and store. We have the flags to force HTTPS and HSTS, but no way to connect them. It’s been a while since I’ve done DSC, I’ll see if I can get this fixed.

For clarification, you’re looking for the ability to provide an existing certificate thumbprint and store, correct?

Yes, that is correct. Using both self-signed and existing certificate.

B. Youquoi

For the self-signed part, are you meaning having it create a self-signed certificate during the installation process?

Yes, when running the Octopus DSC resource it would be practical if you can choose to generate a self-signed certificate or use an existing certificate as the SSL certificate for enabling https for the web portal.

B. Youquoi

Got it, thank you for clarifying.


Hello Shawn,
I am just checking if there is any update on this issue.

I apologize for the delay, I did manage to get a PR in for it, however, I can only work on it during my spare time. I’ll see if I can get back to it soon.


Okay. I have also been working on something. Though we are deploying Octopus through Chef, I have been able to create a new self-signed certificate, get the certificate thumbprint and bind the self-signed certificate in code using the command in the script that shows up when you are doing the manual binding, using the information here: https://octopus.com/docs/security/exposing-octopus/expose-the-octopus-web-portal-over-https. The only issue I am getting now is that it seems the certificate has to be selected and installed in the Octopus Manager before it binds properly. So after running my code it does everything, but I will not be able to browse to https://localhost/app#/users/sign-in. I am getting the "Turn on TLS 1.0, TLS 1.1, and TLS 1.2 in Advanced settings and try to connect..." message. But when I perform the same process using the Octopus Manager, the self-signed certificate works.

Once you have the certificate, do you first install it into a certificate store? The ssl-certificate command needs to know which store to find the certificate in. Currently, only “My” and “WebHosting” stores are supported. Using Chef, I believe, you can install the self-signed certificate into a store, then use the octopus.server.exe ssl-certificate command to bind it.

Yes, we will first install it to the store, then the DSC resource could pick it up. However, we are currently using Get-ChildItem -Path Cert:\LocalMachine\MY | Where-Object {$_.DnsNameList -Like "zzzzzz" } | Select-Object -ExpandProperty Thumbprint to get the thumbprint that will be used in the certificate binding. We currently have all of this handled. But we are now having an issue with the ForceSSL property. We would like for the ForceSSL to be set as a nullable bool like the AutoLoginEnabled.
That will enable us to set proper guards for our Chef run at the moment while the DSC is being worked on. I also saw the progress you are making with the Pull Request. Thank you very much.
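The procedure pieced together in this thread (pick or create a certificate in the "My" store, read its thumbprint, bind it with ssl-certificate, force SSL, restart the service), as an added PowerShell example that is not code from the thread or from the OctopusDSC project. The instance name, the hostname "octopus.example.local" and port 443 are assumptions; the private-key check is the point where a certificate imported without its key would otherwise bind but fail the TLS handshake.

```powershell
# Added example, not from the thread or the OctopusDSC project.
# Assumptions: instance "OctopusServer", hostname octopus.example.local, port 443.
$ErrorActionPreference = 'Stop'
$octopusExe = 'C:\Program Files\Octopus Deploy\Octopus\Octopus.Server.exe'
$instance   = 'OctopusServer'
$dnsName    = 'octopus.example.local'   # assumed hostname placed in the certificate
$port       = 443

# 1. Reuse an unexpired certificate for the hostname if one is already in
#    LocalMachine\My; otherwise create a self-signed one directly in that store.
#    Only the "My" and "WebHosting" stores are usable by the ssl-certificate command.
$cert = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { ($_.DnsNameList | ForEach-Object { $_.Unicode }) -contains $dnsName -and
                   $_.NotAfter -gt (Get-Date) } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) {
    $cert = New-SelfSignedCertificate -DnsName $dnsName -CertStoreLocation 'Cert:\LocalMachine\My'
}

# 2. The binding needs the private key in the machine store, not just the public
#    certificate (a .cer import has no key). Fail here rather than after the restart.
if (-not $cert.HasPrivateKey) {
    throw "Certificate $($cert.Thumbprint) in LocalMachine\My has no private key; import the PFX instead."
}
$thumbprint = $cert.Thumbprint

# 3. Bind the certificate, force HTTPS, register the listen prefixes, restart.
#    These are the same Octopus.Server.exe commands the thread quotes from the script.
& $octopusExe ssl-certificate --instance $instance --ip-address '0.0.0.0' --port $port `
    --thumbprint $thumbprint --certificate-store 'My'
& $octopusExe configure --instance $instance --webForceSSL 'True'
& $octopusExe configure --instance $instance --webListenPrefixes "http://localhost/,https://$dnsName/"
& $octopusExe service --instance $instance --stop --start

# 4. Confirm the HTTP.sys SSL binding on 0.0.0.0:443 now carries this thumbprint
#    (-notmatch is case-insensitive, so the lowercase hash netsh prints still matches).
$binding = netsh http show sslcert ipport=0.0.0.0:$port
if ($binding -notmatch $thumbprint) {
    throw "No SSL binding on 0.0.0.0:$port for thumbprint $thumbprint"
}
Write-Output "Bound $thumbprint ($dnsName) to 0.0.0.0:$port for instance $instance"
```

Run it from an elevated PowerShell on the Octopus Server host; for a certificate that an internal CA issued rather than a self-signed one, skip step 1 and set $cert from the imported PFX's thumbprint instead.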
