SSL cert not found when using managed by Octopus

I am deploying a site to a Windows server on IIS. I have the SSL cert managed by Octopus.

Then in my variables, I have WebCertificate defined.


On deployment, Octopus adds the cert to the LocalMachine\My store. Yet it then fails to find it in IIS.

The thumbprint seems to match that setup in Library > Certificates.

If Octopus is installing the cert, why can it not then find it in IIS? I've used this feature a lot and never hit this issue before.

Hi Chris,

Thanks for getting in touch!

Just a few things to check.

If you open up MMC and load the Certificates plugin for the local computer, are you able to locate this certificate, and does the thumbprint match the one that is configured in Octopus?

If you open up IIS and Server Certificates, does this one appear in the list at all?

Regards,
Paul

Different casing, but otherwise it looks the same. I've been reading a few things about white space in the thumbprint, as I think Octopus is removing that before uploading; I think the original cert showed white space every 2 characters.

And it doesn't show in IIS. I assume that is the step that is failing?


Hi Chris,

IIS should automatically list any certificates found in the Personal store that it can use. The only time I’ve seen it fail to do this is when using a certificate that didn’t have the private key, and it looks like the one you are using is also missing the private key.

Are you able to import a copy of this certificate to Octopus that includes the private key and try the deployment again?

Regards,
Paul
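The checks Paul describes (is the certificate in the local computer store under the expected thumbprint, and does it carry a private key so IIS will list it) can be scripted on the target server. The following PowerShell is an added example, not code from the thread or from Octopus Deploy; the thumbprint value is a placeholder to be replaced with the one shown under Library > Certificates. It normalises casing and whitespace before comparing, and goes one step past `HasPrivateKey` by trying to load the key, because a store entry can claim a private key whose key file is missing or unreadable.

```powershell
# Added diagnostic (not from the original thread or Octopus Deploy).
# Run in an elevated PowerShell on the IIS server.
$ThumbprintFromOctopus = 'AB CD EF 01 23 45 67 89 AB CD EF 01 23 45 67 89 AB CD EF 01'  # placeholder value

# Normalise: drop spaces, casing differences and any non-hex characters
# (thumbprints pasted from older MMC versions carry a hidden leading U+200E).
$thumb = ($ThumbprintFromOctopus -replace '[^0-9a-fA-F]', '').ToUpperInvariant()
if ($thumb.Length -ne 40) {
    Write-Warning "Normalised thumbprint is $($thumb.Length) hex characters; a SHA-1 thumbprint has 40."
}

# IIS "Server Certificates" lists certificates from LocalMachine\My (Personal)
# and LocalMachine\WebHosting, but only those it can use, i.e. with a private key.
$stores = 'Cert:\LocalMachine\My', 'Cert:\LocalMachine\WebHosting'
$matches = foreach ($store in $stores) {
    Get-ChildItem -Path $store -ErrorAction SilentlyContinue |
        Where-Object { $_.Thumbprint -eq $thumb } |
        ForEach-Object { [pscustomobject]@{ Store = $store; Cert = $_ } }
}

if (-not $matches) {
    Write-Warning "No certificate with thumbprint $thumb found in: $($stores -join ', ')"
    return
}

foreach ($m in $matches) {
    $cert = $m.Cert
    Write-Host "Found in $($m.Store): $($cert.Subject) (expires $($cert.NotAfter))"

    if (-not $cert.HasPrivateKey) {
        Write-Warning "  No private key attached. IIS will not list this certificate; re-import it from a .pfx rather than a .cer."
        continue
    }

    # HasPrivateKey only records that the store entry points at a key container.
    # Actually loading the key catches a deleted key file or a key that was
    # imported into a user profile instead of the machine key set.
    try {
        $key = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
        if (-not $key) {
            $key = [System.Security.Cryptography.X509Certificates.ECDsaCertificateExtensions]::GetECDsaPrivateKey($cert)
        }
        if ($key) {
            Write-Host "  Private key loads OK ($($key.GetType().Name), $($key.KeySize) bits)."
        } else {
            Write-Warning "  HasPrivateKey is true but no RSA/ECDSA key could be loaded."
        }
    } catch {
        Write-Warning "  Private key is present in the store entry but cannot be opened: $($_.Exception.Message)"
    }
}
```

If the script finds the certificate with a loadable private key but IIS still does not list it, the remaining suspects are the store itself (a certificate under CurrentUser rather than LocalMachine is invisible to IIS) or the account IIS runs under lacking read access to the key file.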

Do you mean via this interface?


I don't see any options to not upload with a private key.

Hi Chris,

It would be an option from wherever you’re exporting or downloading the certificate from originally.

You would be aiming to have a .pfx to import into Octopus rather than a .cer file.

Regards,
Paul

I replaced the uploaded certificate, ensuring that I used the pfx and correct password. But my deployments still fail in the same way.

I also tried removing the certificate from the server first, to ensure that Octopus really was importing into local computer -> personal.

After the re-deployment, I see the cert back in the personal folder but still not available in IIS.

There aren't any manual steps required, are there? My assumption is that Octopus is meant to completely manage the process of uploading the cert into the right locations.

Hi Chris,

The process you have set up should work as it is. The Octopus step process is to add the certificate to the cert store, and then use IIS to locate the certificate and link it to your website.

The first part is succeeding, but the problem seems to be that IIS isn’t able to locate or use the certificate being added.

It would be worth testing whether you can manually add the certificate to the target machine, and assign it to your website within IIS. By removing Octopus from the equation this would identify whether there is an issue with the environment/certificate.

Regards,
Paul
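Paul's suggestion is to take Octopus out of the loop and perform the two halves of the step by hand: import the .pfx into LocalMachine\My, then attach it to the site's https binding. The PowerShell below is an added example, not code from the thread or from Octopus Deploy; the .pfx path, site name and port are assumed placeholders. It fails fast if the imported certificate has no private key, which is the case a .cer export produces.

```powershell
# Added example (not from the original thread or Octopus Deploy).
# Run in an elevated PowerShell on the IIS server.
Import-Module WebAdministration

$PfxPath  = 'C:\certs\site.pfx'   # assumed path to the exported .pfx
$SiteName = 'Default Web Site'    # assumed IIS site name
$Port     = 443
$pfxPassword = Read-Host -Prompt 'PFX password' -AsSecureString

# 1. Import into the Personal store of the local computer (what the Octopus
#    step does first). A .cer file fails here because it has no private key to import.
$cert = Import-PfxCertificate -FilePath $PfxPath `
            -CertStoreLocation 'Cert:\LocalMachine\My' `
            -Password $pfxPassword
if (-not $cert.HasPrivateKey) {
    throw "Imported certificate $($cert.Thumbprint) has no private key; IIS cannot bind it."
}
Write-Host "Imported $($cert.Subject) with thumbprint $($cert.Thumbprint)"

# 2. Make sure the site has an https binding on the chosen port.
$binding = Get-WebBinding -Name $SiteName -Protocol https -Port $Port
if (-not $binding) {
    New-WebBinding -Name $SiteName -Protocol https -Port $Port -IPAddress '*'
    Write-Host "Created https binding on port $Port for '$SiteName'"
}

# 3. Attach the certificate to the binding (the second half of the Octopus step).
#    0.0.0.0!<port> is the SslBindings key for an all-addresses binding with no host header.
$sslPath = "IIS:\SslBindings\0.0.0.0!$Port"
if (Test-Path $sslPath) { Remove-Item $sslPath }
New-Item -Path $sslPath -Value $cert | Out-Null

# 4. Confirm from the HTTP.sys side; "Certificate Hash" should equal the thumbprint above.
netsh http show sslcert ipport=0.0.0.0:$Port
```

If step 1 succeeds and steps 2 to 4 bind the certificate, the environment and the certificate are fine and the problem is in what Octopus installs; if step 3 or 4 fails with a manually imported certificate, the problem is on the server (store location, key permissions or an existing conflicting binding on that port).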

I uploaded the pfx into LocalMachine\My. Now all my deployments are passing.

I didn't add the cert into the IIS store, so Octopus did that part. So it's very confusing what is and isn't working.

When you replaced the certificate in Octopus with the .pfx file, did you create a new release or re-deploy a release that had already failed?

I’m wondering if that release had the previous certificate linked to it rather than picking up the new certificate you added.

It was the same release. From what I can tell, the certificates live outside of the snapshot, as changes seem to get reflected immediately. But this is without knowing how it's actually implemented. I could try removing the cert from the server and creating a new release.

It would definitely be worth trying that so we can be certain that it is resolved.