SSL thumbprint for Let's Encrypt web sites

I have a process where I deploy an IIS web site to a VM in Azure. Test and prod are on the same VM as and I have Let’s Encrypt SSL certificates in IIS that are updated automatically every three months for the two domains. I can get the current SSL thumbprints by logging in to the server and finding them in IIS manager. I can add them to the binding section of my deployment process using variables. Everything works fine now… but in three months the thumbprint will change when the certificates are automatically updated.

Is there a better way of managing this than going in every three months and grabbing the new thumbprints and updating the Octopus variables? I feel like I am missing a piece of the automation puzzle here?


Thanks for getting in touch.

The certificate management feature in Octopus Deploy works really well when you have certificates that you manage manually, but I can understand how this isn’t quite as smooth when the certificates get updated automatically.

Have you considered pushing the certificate generation into your deployment process? If a new certificate is required, you could use the Lets Encrypt - Create SSL Certificate community step template as the first step in your deployment process to generate the new certificate. You could add the certificate thumbprint of the new certificate to an Output Variable which you reference in your subsequent Deploy to IIS step. Here is another support ticket that talks about some of the same options if you want to read further about how to configure this.

Let me know if this sounds like a good option for you, or if you have any other questions!


Thanks Tom. I have a solution working based on a combination of your suggestion and the previous tickets. In case other people will find it useful this is what I did.

Added a step “Run a script” before my “Deploy to IIS” step that retrieves the current thumbprint. I modified Nick’s Powershell script from a previous ticket and came up with this:

$url = 'CN=' + $OctopusParameters["SiteDomainName"]

$Thumbprint = (Get-ChildItem -Path cert:\LocalMachine\Webhosting `
    | Where-Object {$_.Subject -match $url} `
    | Sort-Object -Property NotAfter -Descending `
    | Select-Object -first 1).Thumbprint

Write-Host "Using certificate with thumbprint: $Thumbprint"

Set-OctopusVariable -name "SSLThumbprint" -value $Thumbprint

I had to add ‘CN=’ because my domains are similar ( and and a simple ‘-match’ was grabbing the wrong one.

Then in the bindings section of the “Deploy to IIS” step I used the output variable declared above for the SSL thumbprint (the step above was called “Get SSL thumbprint”):

#{Octopus.Action[Get SSL thumbprint].Output.SSLThumbprint}

Works as expected and test and production get their own specific certificates.

Thanks again Octopus for a great product.


Glad you got a working solution, it looks like it will work well! And thanks for sharing :slight_smile:

Please don’t hesitate to contact us again if you need help with anything else.


This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.