Should I change the Octopus Deploy Server certificate when enabling https for the UI/API?

security-config
(Bob Walker) #1

I want to enable https on my Octopus Deploy server. I’m a little confused. There is this article to enable https. But then I found this article on using a custom certificate with tentacles and server. Do I need to do both?

(Bob Walker) #2

You should only follow the steps in this article to enable https. There are two kinds of communication the Octopus Server supports. The first kind is the UI/API over port 80/443 (http/https). This is how users interact with Octopus Deploy.

The second mode of communication is how tentacles communicate with the Octopus Deploy server. That is what the second article covers.

A bit of background. When you install Octopus Deploy the server will automatically create a certificate. When you install a tentacle it will create a certificate as well. When a tentacle is registered with Octopus Deploy the thumbprints for each certificate are exchanged. You can read more about this here.

If you are curious, you can see the server thumbprint on your server by going to configuration -> thumbprint.

The tentacle will only accept commands from a server it trusts. It does that by verifying the thumbprint of the server. The server will only send commands to tentacles it trusts. It does this by comparing the thumbprint of the tentacle. Changing the thumbprint on the server by following this article breaks that trust. That will require you to run this command on each tentacle to trust the new certificate.
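
A minimal model of the two-way thumbprint trust described in the answer above, added here as an illustration and not Octopus Deploy's own code. It assumes a thumbprint is the SHA-1 hash of the DER-encoded certificate (the form Windows displays); the `Endpoint` class, `link_ok` helper and certificate byte strings are hypothetical, constructed stand-ins.

```python
import hashlib
import hmac


def thumbprint(cert_der: bytes) -> str:
    """Uppercase hex SHA-1 over the certificate bytes (assumed thumbprint form)."""
    return hashlib.sha1(cert_der).hexdigest().upper()


def normalize(tp: str) -> str:
    """Keep hex digits only: drops colons, spaces and invisible pasted characters."""
    return "".join(c for c in tp if c in "0123456789abcdefABCDEF").upper()


class Endpoint:
    """One side of the link: its own certificate plus the thumbprints it trusts."""

    def __init__(self, cert_der: bytes):
        self.cert_der = cert_der
        self.trusted = set()

    def trust(self, tp: str) -> None:
        self.trusted.add(normalize(tp))

    def accepts(self, peer_cert_der: bytes) -> bool:
        presented = thumbprint(peer_cert_der)
        # Constant-time comparison against each pinned thumbprint.
        return any(hmac.compare_digest(presented, t) for t in self.trusted)


def link_ok(server: Endpoint, tentacle: Endpoint) -> bool:
    """Both checks must pass: tentacle verifies server, server verifies tentacle."""
    return tentacle.accepts(server.cert_der) and server.accepts(tentacle.cert_der)


def demo():
    # Constructed stand-ins for DER certificate bytes, not real certificates.
    server = Endpoint(b"constructed-server-cert-v1")
    tentacle = Endpoint(b"constructed-tentacle-cert")
    # Registration: each side records the other's thumbprint.
    server.trust(thumbprint(tentacle.cert_der))
    tentacle.trust(thumbprint(server.cert_der))
    before = link_ok(server, tentacle)
    # The server certificate is replaced; the tentacle still pins the old one.
    server.cert_der = b"constructed-server-cert-v2"
    after_change = link_ok(server, tentacle)
    # The tentacle is told to trust the new server thumbprint.
    tentacle.trust(thumbprint(server.cert_der))
    return before, after_change, link_ok(server, tentacle)


if __name__ == "__main__":
    print(demo())
```

In this model the HTTPS certificate for the UI/API never appears, which matches the answer: it is a separate certificate and changing it does not touch the pinned thumbprints.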