Trouble with the Import Certificate to Windows Certificate Store step template

Hi,

We’re attempting to use the ‘Import Certificate to Windows Certificate Store’ step template to deploy some SSL certificates to some deployment targets. While the task is straightforward to configure, and deploying the step in a release reports success, no certificate can be found when we search the Windows store for the certificate later.

It’s very confusing as the deployment log reports success. So the certificate must be somewhere?!

Here is an obfuscated version of the verbose deployment log.

Octopus Server version: 2018.9.17+Branch.master.Sha.9e332cbb3a61d59f7f14c94196e6c4ed481b10a3 
Environment Information:
  OperatingSystem: Microsoft Windows NT 10.0.14393.0
  OsBitVersion: x64
  Is64BitProcess: True
  CurrentUser: NT AUTHORITY\SYSTEM
  MachineName: AWS-PRDBIBUILD
  ProcessorCount: 4
  CurrentDirectory: C:\Windows\system32
  TempDirectory: C:\Windows\TEMP\
  HostProcessName: Octopus.Server
  PID: 10144 
Starting C:\Windows\system32\WindowsPowershell\v1.0\PowerShell.exe in working directory 'C:\Octopus\Work\20190206171239-30376-191' using 'Western European (DOS)' encoding running as 'DOMAIN\USERNAME' with the same environment variables as the launching process 
Octopus Deploy: Calamari version 4.10.0 
Environment Information: 
  OperatingSystem: Microsoft Windows NT 10.0.14393.0 
  OsBitVersion: x64 
  Is64BitProcess: True 
  CurrentUser: DOMAIN\USERNAME
  MachineName: SERVERNAME
  ProcessorCount: 8 
  CurrentDirectory: C:\Octopus\Work\20190206171239-30376-191 
  TempDirectory: C:\Users\USERNAME\AppData\Local\Temp\ 
  HostProcessName: Calamari 

Importing certificate 'CN=*.DOMAIN.com' with thumbprint 'XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX' into store 'LocalMachine\My' 
Imported certificate 'CN=*.DOMAIN.com' into store 'My' 
Imported certificate 'CN=Encryption Everywhere DV TLS CA - G1, OU=www.digicert.com, O=DigiCert Inc, C=US' into store 'CA' 

Process C:\Windows\system32\WindowsPowershell\v1.0\PowerShell.exe in C:\Octopus\Work\20190206171239-30376-191 exited with code 0 
Successfully finished Load Certificate on SERVERNAME

There are no errors, just a report of the successful import of the certificate.

Any assistance on where to look would be great.

Cheers,
Cameron


Hi Cameron,

Thanks for getting in touch.

Would you mind adding the following PowerShell as a script step following the “install certificate” step and seeing if the certificate shows up there?

Get-ChildItem cert:\LocalMachine\My -recurse

Cheers,
Shane

On the deployment target machine, I have executed that PowerShell query against the certificate store and it didn’t return any results. I changed the root search folder and trawled through the full results and couldn’t find it. I ran the same query as different users, and administrators too, with no sign of it.

I am able to manually import the certificate if I use PowerShell (as an admin) on the target server.
E.g.: Import-Certificate -FilePath C:\cert\test.cer -CertStoreLocation Cert:\LocalMachine\My

The strange part about this is that nothing seems to happen at all. No errors, or results. Is there a way to inspect a more detailed log or verbose output?

This particular certificate is a wildcard domain certificate, although I can’t imagine that would cause any problems as it can be imported manually.

Hi Cameron,

If there was an error during the certificate import it should have been recorded. The certificate import is performed by this piece of code: https://github.com/OctopusDeploy/Calamari/blob/master/source/Calamari.Shared/Integration/Certificates/WindowsX509CertificateStore.cs#L33

We are as stumped as you are as to why the certificates are not showing up in the store. I’d still recommend running that PowerShell script as a part of the deployment to ensure that it runs in the same context as the import - same user and same machine - just to rule out those possibilities.

Cheers,
Shane
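
The check recommended above (same user, same machine as the import) could be run as a script step directly after the import step, along the following lines. This is an added example, not code from the thread or from Octopus Deploy; `$ExpectedThumbprint` is a placeholder to be replaced with the thumbprint of the certificate being deployed.

```powershell
# Added diagnostic example: run as a script step right after the import step.
# $ExpectedThumbprint is a placeholder (assumption), not a value from the thread.
$ExpectedThumbprint = '<THUMBPRINT-PLACEHOLDER>'

# Normalise the thumbprint: strip spaces and stray characters, upper-case it.
$wanted = ($ExpectedThumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
if ($wanted.Length -ne 40) {
    throw "Expected a 40-character SHA-1 thumbprint, got '$ExpectedThumbprint'."
}

# 1. Record the execution context so it can be compared with the
#    MachineName / CurrentUser lines the import step wrote to its log.
$identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object System.Security.Principal.WindowsPrincipal($identity)
$elevated  = $principal.IsInRole(
    [System.Security.Principal.WindowsBuiltInRole]::Administrator)
Write-Host "Machine : $env:COMPUTERNAME"
Write-Host "User    : $($identity.Name) (elevated: $elevated)"
Write-Host "64-bit  : $([Environment]::Is64BitProcess)"

# 2. Search every store under both locations, not only LocalMachine\My,
#    in case the certificate landed in a different store than expected.
$hits = foreach ($location in 'LocalMachine', 'CurrentUser') {
    Get-ChildItem -Path "Cert:\$location" -Recurse -ErrorAction SilentlyContinue |
        Where-Object {
            $_ -is [System.Security.Cryptography.X509Certificates.X509Certificate2] -and
            $_.Thumbprint -eq $wanted
        } |
        Select-Object @{ n = 'Store'; e = { $_.PSParentPath -replace '^.*::', '' } },
                      Subject, Thumbprint, NotAfter, HasPrivateKey
}

# 3. Report, and fail the step if nothing was found so the deployment
#    does not show success while the store is empty.
if ($hits) {
    $hits | Format-Table -AutoSize | Out-String | Write-Host
} else {
    Write-Warning "Thumbprint $wanted not found in any store on $env:COMPUTERNAME."
    Write-Host "Current contents of LocalMachine\My:"
    Get-ChildItem Cert:\LocalMachine\My |
        Select-Object Subject, Thumbprint, NotAfter |
        Format-Table -AutoSize | Out-String | Write-Host
    exit 1
}
```

Comparing the `Machine` and `User` lines with the import step's own log shows whether both steps ran on the same target under the same account, and the `HasPrivateKey` column shows whether an SSL certificate arrived with its key.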
