I know this is ultimately related to https://github.com/OctopusDeploy/Issues/issues/2709, but I’d like to see if there was a known workaround for this particular portion.
I would like to start using OD-managed certificates for my (tenanted) deployments, but want to do it in a ‘phased’ manner. To that end, I’ve updated my process to help accommodate this:
- Added `EnableOctopusHttpsEndpoint` and `OctopusCertificate` project template variables (checkbox and certificate types, respectively).
- Added a new binding to my `Deploy to IIS` step which uses effectively the same steps as my original (thumbprint-based) HTTPS binding. The difference is that it uses `Certificate managed by Octopus` (with a reference to the variable above), and is only enabled based on `EnableOctopusHttpsEndpoint`.
At this point, let's say I have one tenant that has an OD-managed certificate, and another that uses the thumbprint, both in the same environment. When I go to deploy the release to both of the tenants, I am unable to even start it due to an error: `Unable to find certificate with thumbprint [guid]…`
It looks like I can put any certificate I want into the tenant variable, but I don't feel comfortable doing this, as it could potentially be deployed when (or to where) it shouldn't have been.
This doesn’t really happen for other variable types as far as I can tell. Ideally this would be covered by the optional variable template, but I don’t want to wait for that to start using managed certificates, and it’s impossible for me to obtain all the certificates we are currently using in our deployments (some of them are owned by our customers directly and they manage them, and some are Let’s Encrypt certificates that change on a short timeframe), so making the full switch is effectively impossible.