Remove Let's Encrypt config and use manually installed certificate

Hi,

I’m trying to configure our previously internal-only Octopus server to be available with HTTPS through the firewall. I started on the process of Let’s Encrypt, but once I discovered we don’t have port 80 available, abandoned that path.

I’ve tried to add a new certificate manually, but during the Web Bindings Wizard in the admin app, the logs show the following:

Web force SSL: False
These changes require a restart of the Octopus Server.
Web listen prefixes: *** REMOVED ***
Checking the Octopus Master Key has been configured.
Making sure it’s safe to upgrade the database schema…
Checking to see if database schema upgrade is required…
Database already has the expected schema. No changes are required.
Failed to determine whether the Octopus Portal SSL certificate has changed. If you have modified this binding to use a custom (non Let’s Encrypt) certificate, please manually disable the Let’s Encrypt integration.
System.Exception: Error while executing SQL command in transaction 'BuiltInTeamInitializer': The UPDATE permission was denied on the object 'UserRole', database 'Octopus', schema 'dbo'.
The command being executed was:
UPDATE dbo.[UserRole] SET [Name] = @Name, [JSON] = @JSON WHERE Id = @Id ---> System.Data.SqlClient.SqlException: The UPDATE permission was denied on the object 'UserRole', database 'Octopus', schema 'dbo'.
at System.Data.SqlClient.SqlConnection.OnError(SqlException exception, Boolean breakConnection, Action`1 wrapCloseInAction)

These changes require a restart of the Octopus Server.
Stopping service…
Waiting for service to become Stopped. Current status: StopPending
Waiting for service to become Stopped. Current status: StopPending
Waiting for service to become Stopped. Current status: Stopped
Service stopped
Waiting for service to start. Current status: StartPending
Waiting for service to start. Current status: Running
Service started

The key bit seems to be that I need to remove the Let’s Encrypt configuration (but maybe there is a SQL problem too). How do I remove the Let’s Encrypt config and ensure that Octopus picks up the newly installed certificate?

thanks,
Andy

Hi @andy.cook,

Thanks for getting in touch!

Are you able to have a look at the Let’s Encrypt page on your Octopus instance? You can find it by browsing to Configuration > Let’s Encrypt. Hopefully, when you are on that page, you should see a Disable button (shown below). If not, please let me know so we can investigate further!

Regards,
Alex

Hi,

No, the screen shows the initial configuration, not Renew/Disable. I never completed the configuration because we don’t have port 80 open.

Andy

Hi Alex,

A bit more information now that I am back in the office.

The Let’s Encrypt config screen is in the initial state:

I tried setting up a self-signed certificate after the failed attempt at Let’s Encrypt, and it appears that is being used despite subsequently adding a trusted certificate:

I’m guessing that the initial error I posted is stopping Octopus from seeing the SSL change?

thanks,

Andy

Hi Andy,

Thanks for the extra information.

You should be able to confirm which certificate is bound to which port by running netsh http show sslcert, that should assist in identifying which certificate is currently bound to port 443 for Octopus.

The next step (assuming the certificate you want is already in your certificate store) is to set the certificate that Octopus will trust:

"C:\Program Files\Octopus Deploy\Octopus\Octopus.Server.exe" ssl-certificate --instance "OctopusServer" --ip-address "0.0.0.0" --port "443" --thumbprint "<certificate thumbprint>" --certificate-store "My"

Hopefully that should clear the errors you are seeing and assign the correct certificate.

Please let me know how you go,

Regards,
Alex

Hi Alex,

I’ve removed the self-signed certificate binding, and deleted the old self-signed certificate. The Web Portal Bindings window still shows it when I try to create a new binding with the correct certificate. I’ve searched the certificate store and it’s definitely gone, but Octopus seems to still think it is there.

netsh http show sslcert shows no certificate bindings.

How can I force Octopus to forget the old certificate and take note of the new one when I add it?

thanks,
Andy

Hi Andy,

This is getting interesting.

I’m going to ask you to do a little spelunking in your database at this point, so if you can make sure you take a backup, that would be greatly appreciated. The first thing I’d like you to check is the Let’s Encrypt status; if you can run the following SQL and let me know the results:

SELECT *
  FROM Configuration
  WHERE Id = 'letsencrypt'

If this is OK you should see the following JSON returned:
{"Enabled":false,"RegistrationEmailAddress":null,"DnsName":null,"HttpsPort":443,"IPAddress":null,"Path":null,"AcceptLetsEncryptTermsOfService":false,"LastRenewDate":null,"CertificateExpiryDate":null,"CertificateThumbprint":null}

Can you also please attach your OctopusServer.config file (C:\Octopus by default) so I can have a look at what is set there. I’ve marked this conversation as private so that only Octopus staff will be able to see the files.

Thanks Andy, hopefully this will give us some more clues as to what has gone wrong.

Regards,
Alex

Hi Alex,

I’ve gotten this working; there were a few issues. When I created the self-signed certificate, it was added to the Local Computer store. When I was adding my real certificate, I was accidentally in the Current User store. So even though I thought I had deleted the certificate, it was still there in a different location, with the same name.

I also spent some time discovering that the certificate files I have do not contain the private keys that Octopus expects, and I needed to use openssl tools to make a PFX file. Unexpected learning curve…

So the error message shown in the Octopus dialog seems to be harmless.

Anyway, I think the problems are solved so tomorrow I will try and get push into Octopus from outside the firewall. Thanks for your assistance.

Andy
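The checks Alex suggested (netsh binding on 443, then the ssl-certificate command) and the two traps Andy ran into (certificate sitting in CurrentUser instead of LocalMachine, and a certificate without its private key) can be audited in one pass. This is an added PowerShell example, not code from the thread or from Octopus Deploy; it assumes the portal listens on 0.0.0.0:443 and uses a placeholder thumbprint you replace with your own.

```powershell
# Added example, not from the thread or from Octopus Deploy: audit the certificate
# Octopus should be using. Assumptions: the portal listens on 0.0.0.0:443 and
# $Thumbprint is a placeholder you replace with your certificate's thumbprint.
param(
    [string]$Thumbprint = '<CERTIFICATE-THUMBPRINT>',
    [string]$IpPort     = '0.0.0.0:443'
)

# Thumbprints copied from the MMC often carry spaces or an invisible leading character.
$Thumbprint = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()

# 1. Check both stores. The Octopus Server service can only use LocalMachine\My;
#    a copy that lives only in CurrentUser\My is invisible to it.
$found = @()
foreach ($store in 'Cert:\LocalMachine\My', 'Cert:\CurrentUser\My') {
    $cert = Get-ChildItem $store | Where-Object { $_.Thumbprint -eq $Thumbprint }
    if (-not $cert) { Write-Host "$store : not present"; continue }
    $found += $store
    # A certificate imported from a bare .cer/.crt has no private key and cannot
    # serve TLS; HasPrivateKey is the quick test before binding it.
    Write-Host ("{0} : '{1}'  HasPrivateKey={2}  NotAfter={3:yyyy-MM-dd}" -f
        $store, $cert.Subject, $cert.HasPrivateKey, $cert.NotAfter)
    if (-not $cert.HasPrivateKey) {
        Write-Warning "Re-import this certificate from a PFX that includes the private key."
    }
    # Surface stale copies with the same Subject but a different thumbprint
    # (the old self-signed certificate that was 'deleted' from the wrong store).
    Get-ChildItem $store |
        Where-Object { $_.Subject -eq $cert.Subject -and $_.Thumbprint -ne $Thumbprint } |
        ForEach-Object { Write-Warning "$store also holds '$($_.Subject)' with thumbprint $($_.Thumbprint)" }
}
if ($found -notcontains 'Cert:\LocalMachine\My') {
    Write-Warning "Certificate is not in LocalMachine\My; Octopus will not find it."
}

# 2. Compare with what HTTP.sys has actually bound on the port.
$bound = (netsh http show sslcert ipport=$IpPort |
          Select-String 'Certificate Hash\s*:\s*([0-9A-Fa-f]+)').Matches |
         ForEach-Object { $_.Groups[1].Value.ToUpperInvariant() } | Select-Object -First 1
if (-not $bound) {
    Write-Host "No SSL binding on $IpPort. Bind it with the command from the thread:"
    Write-Host ('"C:\Program Files\Octopus Deploy\Octopus\Octopus.Server.exe" ssl-certificate ' +
                '--instance "OctopusServer" --ip-address "0.0.0.0" --port "443" ' +
                "--thumbprint `"$Thumbprint`" --certificate-store `"My`"")
} elseif ($bound -ne $Thumbprint) {
    Write-Warning "Port $IpPort is bound to $bound, not to the expected $Thumbprint."
} else {
    Write-Host "Port $IpPort is bound to the expected certificate."
}
```

Run it from an elevated PowerShell on the Octopus server, since netsh http show sslcert and the LocalMachine store both need administrator rights.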

Hi Andy,

Great to hear that you got this one sorted. Let me know if there is anything else we can help with!

Regards
Alex
