Template "Lets Encrypt - Create SSL Certificate" failing with "Exception calling "ShouldContinue" with "2" argument(s): "Windows PowerShell is in NonInteractive mode."

Hi,

I’ve been trying to use some of the Lets Encrypt community templates but I keep getting an error from PowerShell when I try to deploy them. I’ve tried the basic Create SSL Certificate and the Route 53 ones.

Any suggestions on what I can do to get these to work would be appreciated.

Log entries below.

10:13:47 Info | Installing ACME PowerShell Module…
10:14:22 Error | NotSpecified: Exception calling “ShouldContinue” with “2” argument(s): “Windows PowerShell is in NonInteractive mode. Read and Prompt functionality is not available.”
10:14:22 Error | At C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1:7392 char:8
10:14:22 Error | + if($Force -or $psCmdlet.ShouldContinue($shouldContinueQueryMessag …
10:14:22 Error | + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
10:14:22 Error | at Install-NuGetClientBinaries, C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1: line 7392
10:14:22 Error | at Install-Module, C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1: line 1725
10:14:22 Error | at , C:\Octopus\Work\20200630101331-50733-2\Script.ps1: line 37
10:14:22 Error | at , C:\Octopus\Work\20200630101331-50733-2\Bootstrap.Script.ps1: line 1635
10:14:22 Error | at , : line 1
10:14:22 Error | at , : line 1
10:14:27 Verbose | Process C:\Windows\system32\WindowsPowershell\v1.0\PowerShell.exe in C:\Octopus\Work\20200630101331-50733-2 exited with code 1

The snippet of code that I think is failing:

Write-Host 'Importing ACME PowerShell Module…'
Import-Module ACMESharp
$BaseService = Get-OctopusSetting BaseService 'LetsEncrypt'
Write-Host "Initializing ACME Vault for $BaseService…"
Initialize-ACMEVault -BaseService $BaseService -Force

So I’m guessing something about the Import-Module is having issues with the Octopus tentacle runner?

Thanks!

Hi Steve,

Looking at this library template, it looks like it’s a few years old, and looks to be using an out-of-date PowerShell module here. Our team will take a look into this in the near future and get it updated to use a more up-to-date module like our more-recent additions.

Alternatively, all of our library templates are open source, and can be found in our Repo. If you’re so inclined, you can clone the repo, and submit a Pull Request to update the template.

Hi @Steve1

The error you are running into is actually to do with the PowerShell Module needing to be downloaded using the NuGet package provider. Even if we did look into fixing that, you’d then come across another more fundamental issue.

As Justin mentioned, the library makes use of a PowerShell module called ACMESharp which only supports v1 of the ACME standard, which has since been deprecated and won’t work - only v2 works now.

Can I get some more information as to how you are trying to use the step template Lets Encrypt - Create SSL Certificate?

Are you running it from a deployment target which has the site you wish to create an SSL certificate for?

Some of the newer step templates use a PowerShell Module called Posh-Acme.

This supports 2 main methods to verify an SSL certificate request:

  1. Use a TXT DNS record for the domain you wish to have the SSL cert for. This is how our newer Let’s Encrypt step templates work.
  2. Manually verify the DNS record, which unfortunately can’t be integrated into a step-template as the manual verification requires user input to press a key to start the verification process.

If you host your DNS with one of the providers in our supported Step templates, you should be able to generate a certificate and store it in Octopus, which would be my recommendation in this instance.

The module does offer an alternative, which would work on Windows which is similar to the original step template you had, but it is only supported on Windows and has some pre-requisites - you can see more about them here.

Look forward to hearing from you!

Best Regards
Mark
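The prompt behind the `ShouldContinue` error can be avoided by installing the NuGet package provider explicitly before `Install-Module`. The following is an added example, not part of the thread or of any step template; the function name, the choice of `Posh-ACME` and the `CurrentUser` scope are assumptions.

```powershell
# Added example: non-interactive module bootstrap for a deployment script step.
# Function name, module name and scope are assumptions, not the template's code.
$ErrorActionPreference = 'Stop'

function Install-ModuleNonInteractive {
    param(
        [Parameter(Mandatory)] [string] $Name,
        [string] $RequiredVersion,          # optional pin; empty means latest
        [string] $Repository = 'PSGallery'
    )

    # The PowerShell Gallery requires TLS 1.2; older Windows hosts default lower.
    [Net.ServicePointManager]::SecurityProtocol =
        [Net.ServicePointManager]::SecurityProtocol -bor [Net.SecurityProtocolType]::Tls12

    # PowerShellGet 1.0.0.1 calls ShouldContinue to ask before it downloads the
    # NuGet provider. Installing the provider up front with -Force removes the prompt.
    $nuget = Get-PackageProvider -ListAvailable -Name NuGet -ErrorAction SilentlyContinue |
        Where-Object { [version]$_.Version.ToString() -ge [version]'2.8.5.201' }
    if (-not $nuget) {
        Install-PackageProvider -Name NuGet -MinimumVersion 2.8.5.201 -Scope CurrentUser -Force |
            Out-Null
    }

    # Skip the download when a suitable version is already on disk.
    $installed = Get-Module -ListAvailable -Name $Name |
        Where-Object { -not $RequiredVersion -or $_.Version -eq [version]$RequiredVersion }
    if (-not $installed) {
        # -Force also suppresses the "untrusted repository" confirmation, so pin
        # $RequiredVersion to a release you have reviewed where possible.
        $params = @{ Name = $Name; Repository = $Repository; Scope = 'CurrentUser'; Force = $true }
        if ($RequiredVersion) { $params.RequiredVersion = $RequiredVersion }
        Install-Module @params
    }

    if ($RequiredVersion) { Import-Module -Name $Name -RequiredVersion $RequiredVersion }
    else { Import-Module -Name $Name }
    return Get-Module -Name $Name
}

$module = Install-ModuleNonInteractive -Name 'Posh-ACME'
Write-Host "Loaded $($module.Name) $($module.Version)"
```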

Many thanks @Justin_Walsh and @mark.harrison for the excellent speedy replies

At this stage I’m trying to figure out how the Lets Encrypt thing works with Octopus deployments so playing with a few random templates. DNS updates via an API is not possible at this stage but may be possible going forward if we can find a way that works (currently using 20+ SSL certs a year - different domains, I’m sure a change to Route53 can be encouraged if we can get rid of that overhead!).

Hence looking through the templates on our Octopus cloud instance and I found the “Create SSL Certificate” option which looked like it would be the best bet (little did I realise V1 was no more).

Here’s what I’d like to do:

  • Normal ‘Deploy to IIS’ with http/https bindings
  • Somehow a certificate is assigned during that process
  • That certificate is kept up to date automatically
  • I would be able to manually add the required DNS entries

For now I may be able to fake a domain in Route53 and then manually transfer over the entries to the current DNS providers if that gets it working and lets me use the newer Route53 template version (I can use a test domain for proof of concept for now).

Coming at it with no experience of Lets Encrypt has left me unsure as to how the things are supposed to work and combine that with the traditional way for Octopus to deploy an IIS site (add binding for https requires a certificate when defining the process, which if that certificate is made post deployment obviously isn’t available when I’m defining the process, hence unsure what’s the best / usual way to handle this).

The description in the Lets Encrypt - Route53 template doesn’t help me understand how I’m supposed to use the step as part of the deployment process, hence somewhat confused right now. For example:

  • Do I run it on its own to make the desired certificate, have it add that to Octopus then reference that in my deployment process?
  • Does it run on the deployment target the certificate goes on or any target?
  • Can I run it pre-deployment in the same process and have the cert magically appear (which presumably requires some faking for me to setup the deploy to IIS process to handle)?
  • Or can I run it post deployment to assign to the website? (I assume not as it’s not looking for the IIS Site name)
  • What happens about expiry - do we need to re-deploy the project that uses the certificate before the certificate expires, does it update automatically, or can I run the template on its own on the target and have that update the certificate?

It’s not obvious to know what happens on the deployment target with regards to the certificate being renewed (esp. if the certificate is just deployed there and nothing is running the Lets Encrypt side of things).

I had a dig around hoping for an Octopus blog post about using Lets Encrypt but all I found was using it as part of the Octopus portal install itself, so here I am, confused, randomly clicking buttons hoping I might make something work :)

Anyway, I shall go away and have a play with the Route53 version and see how I get on.

Thanks for all your help!

Hi @Steve1,

Thanks for the additional information :)

I’ve been working on a step-template using Posh-Acme which will run on the target server (using the self-hosted http listener I mentioned earlier).

It’s not “production” ready yet, but I’d be happy to share it with you if you’d like to try it out, in case it saves you some time before going down the Route53 path?

We can also arrange a call to discuss how Let’s Encrypt works with Octopus and how you can use its functionality to manage your certificates when they are due to expire etc.

Out of interest, how often do you deploy the websites to IIS? Is it more often than every 90 days?

Cheers, Mark

Hi @Steve1

Further to my previous reply, I have had a step template published to the Community Library.

You can see it here -> https://library.octopus.com/step-templates/e3614dd6-3a78-4220-97f0-b0e44415e58c/actiontemplate-lets-encrypt-self-hosted-http-challenge

The idea behind this step template is that it can be used to generate an SSL certificate on the deployment target which will be listening for the address you wish to secure.

You can import the certificate to the local store (Windows only), export it to a file or have it automatically update it in the Octopus Certificate store if there are any certificates due to expire within N days (you can specify it as a parameter).

In terms of how to automate this step template, I’d consider:

  • a runbook in each project which requires an SSL certificate, scheduled to run monthly.
  • the runbook would run on each deployment target, and you would either hard-code, or better still have a project variable which determines the domain which needs an SSL certificate.
  • the step would update the Octopus certificate store with any certificates which need updating
  • the project could have a deployment process which references any certificates needed as a certificate variable and then you could use this to deploy to IIS with a HTTPS binding.

I hope that helps!

Thanks, Mark
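A scheduled runbook of the kind outlined above could run a script like the following on the target. This is an added example, not the published step template's code: the function name and parameters are hypothetical, and it assumes Posh-ACME is installed, the script runs elevated on Windows, and port 80 for the domain reaches the machine. It covers the local certificate store only, not the Octopus certificate store.

```powershell
# Added example; not the published step template's code.
# Assumptions: Posh-ACME is installed, the runbook runs elevated on the target,
# and inbound port 80 for $Domain reaches this machine.
$ErrorActionPreference = 'Stop'
Import-Module Posh-ACME

function Update-TargetCertificate {
    param(
        [Parameter(Mandatory)] [string] $Domain,
        [Parameter(Mandatory)] [string] $Contact,
        [int] $RenewWithinDays = 30,
        [string] $Server = 'LE_STAGE'   # staging CA for trials; 'LE_PROD' issues trusted certs
    )

    # Newest certificate in the machine store whose SAN list covers the domain.
    $current = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.DnsNameList.Unicode -contains $Domain } |
        Sort-Object NotAfter -Descending |
        Select-Object -First 1

    # Nothing to do while the existing certificate is outside the renewal window.
    $cutoff = (Get-Date).AddDays($RenewWithinDays)
    if ($current -and $current.NotAfter -gt $cutoff) {
        return [pscustomobject]@{
            Domain = $Domain; Action = 'Skipped'
            Thumbprint = $current.Thumbprint; NotAfter = $current.NotAfter
        }
    }

    # HTTP-01 challenge answered by Posh-ACME's self-hosted listener.
    # -Install imports the result into the local computer's Personal store.
    Set-PAServer -DirectoryUrl $Server
    $new = New-PACertificate -Domain $Domain -Contact $Contact -AcceptTOS `
        -Plugin WebSelfHost -Install -Force

    return [pscustomobject]@{
        Domain = $Domain; Action = 'Issued'
        Thumbprint = $new.Thumbprint; NotAfter = $new.NotAfter
    }
}

# Usage (constructed values):
# Update-TargetCertificate -Domain 'www.example.test' -Contact 'admin@example.test'
```

Certificates issued by the staging server are not publicly trusted; remove them from the store before switching to `LE_PROD`, because the expiry check above does not look at the issuer.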