Unable to import certificate pfx with chain

reliability
(Barrie Campbell) #1

I have a pfx file I would like to load as a certificate to deploy to our Kubernetes clusters as a TLS secret. I apparently cannot import a certificate with an intermediate chain, and the private key. The key exists for the leaf cert, but obviously not for the chain certs. I don’t have control over the ordering of the bags, as this cert was sent from the CA as-is. The first cert in the pfx is not the leaf cert, so the import looks for the intermediate private key and fails.

Installing the bare cert, without the intermediate will not work, as the final location on the k8s cluster will need the full certificate chain, not just the leaf cert.

Error from octopus.server.exe:

Importing the certificate stored in PFX file in C:\Users*.pfx using the provided password…
PFX file C:\Users*.pfx contains multiple certificates, taking the first one.
The X509 certificate CN=xxxxxxxx, O=xxxxx, C=US was loaded but the private key was not loaded.
Furthermore, the private key file could not be located: Unable to obtain private key file name

Unable to load X509 Certificate file. The X509 certificate file you provided does not include the private key. Please make sure the private key is included in your X509 certificate file and try again.
System.Security.Cryptography.CryptographicException
at Octopus.Shared.Security.Certificates.CertificateEncoder.FromPfxFile(String pfxFilePath, String password)
at Octopus.Server.Commands.ImportCertificateCommand.Start()
at Octopus.Shared.Startup.AbstractCommand.Start(String[] commandLineArguments, ICommandRuntime commandRuntime, OptionSet commonOptions)
at Octopus.Shared.Startup.ConsoleHost.Run(Action`1 start, Action shutdown)
at Octopus.Shared.Startup.OctopusProgram.RunHost(ICommandHost host)
at Octopus.Shared.Startup.OctopusProgram.Run()

Terminating process with exit code 100
Full error details are available in the log files at:
C:\Users\AppData\Local\Octopus\Logs
D:\Octopus\Logs
If you need help, please send these log files to https://octopus.com/support

May be related to https://github.com/OctopusDeploy/Issues/issues/3212
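The ordering problem Barrie describes, an importer that takes the first bag rather than the bag that belongs to the key, can be worked around outside the importer. The script below is an added example and is not code from this thread or from Octopus Deploy: using only the openssl CLI it picks the leaf by matching public keys, orders the chain leaf-first, and writes the tls.crt/tls.key pair a kubernetes.io/tls secret takes. The function names and output layout are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread or from Octopus): re-pack a PFX whose bags
# arrived in CA-chosen order into the leaf-first tls.crt / tls.key pair that a
# kubernetes.io/tls secret needs. The leaf is chosen by matching each cert's
# public key against the private key, never by bag position. Needs the openssl
# CLI; function names and the outdir layout are assumptions.
# Usage: pfx_to_k8s_tls cert.pfx 'password' outdir

pem_only() { sed -n '/^-----BEGIN /,/^-----END /p'; }  # drop "Bag Attributes" etc.

# Exit 0 if the first certificate in $1 was issued for the private key in $2.
leaf_matches_key() {
  [ "$(openssl x509 -in "$1" -pubkey -noout)" = "$(openssl pkey -in "$2" -pubout)" ]
}

pfx_to_k8s_tls() {
  pfx=$1 pass=$2 out=$3
  mkdir -p "$out"
  # Private key as unencrypted PKCS#8 PEM, owner-readable only. (PFX files that
  # still use RC2 need "-legacy" with OpenSSL 3; not handled here.)
  ( umask 077; openssl pkcs12 -in "$pfx" -passin "pass:$pass" -nocerts -nodes \
      2>/dev/null | pem_only > "$out/tls.key" )
  # Every certificate bag, split into cert1.pem, cert2.pem, ... in PFX order.
  openssl pkcs12 -in "$pfx" -passin "pass:$pass" -nokeys 2>/dev/null | pem_only \
    | awk -v d="$out" '/^-----BEGIN CERT/{n++} {print > (d "/cert" n ".pem")}'
  # The leaf is the one certificate whose public key matches the private key.
  cur=
  for c in "$out"/cert*.pem; do
    leaf_matches_key "$c" "$out/tls.key" && cur=$c && break
  done
  [ -n "$cur" ] || { echo "no certificate in $pfx matches the key" >&2; return 1; }
  cat "$cur" > "$out/tls.crt"
  # Follow issuer links so every certificate is followed by its issuer; stops
  # at a self-signed root or when the issuer is not in the PFX (bounded loop).
  hops=0
  while [ "$hops" -lt 10 ]; do
    hops=$((hops + 1))
    iss=$(openssl x509 -in "$cur" -issuer -noout | sed 's/^issuer=//')
    next=
    for c in "$out"/cert*.pem; do
      [ "$c" != "$cur" ] || continue
      [ "$(openssl x509 -in "$c" -subject -noout | sed 's/^subject=//')" = "$iss" ] \
        && next=$c && break
    done
    [ -n "$next" ] || break
    cat "$next" >> "$out/tls.crt"; cur=$next
  done
  rm -f "$out"/cert*.pem
}
```

The two files then go in with `kubectl create secret tls NAME --cert=outdir/tls.crt --key=outdir/tls.key`; run `leaf_matches_key outdir/tls.crt outdir/tls.key` first if you want to confirm the leaf is on top before pushing it.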

(Michael Richardson) #3

Hi Barrie,

The Octopus.Server.exe import-certificate command is for importing the certificate which the Octopus server will use for secure communications with Tentacles. I don’t think this is what you want here.

For certificates which will be used as part of your deployments, like for kubernetes TLS, you want to import into the Octopus certificate library. This document explains the certificate library, and specifically how to add a certificate via the portal.

Please don’t hesitate to reach out if that doesn’t point you on the right track.

(Barrie Campbell) #4

When I attempt to import via the portal, the private key is not imported.

(Barrie Campbell) #5

Seems like I may be seeing: https://github.com/OctopusDeploy/Issues/issues/5426

(Michael Richardson) #6

From your telemetry I can see you are on version 2019.3.1, so it is quite possible you are suffering from that issue.

It was resolved in 2019.4.1, so if you upgrade the problem should be resolved. If not, please let us know.

We do apologize for the inconvenience.

(Barrie Campbell) #7

I think we are doing an upgrade tonight. I will let you know if it is still an issue.

Ultimately, I am having trouble pushing the cert as a secret to our K8 cluster. I may still have issues when I get the cert in, but I don’t trust that the cert is correct, so I can’t trust that the issue is in the K8 step.

Thanks
Barrie

(Barrie Campbell) #8

The upgrade to 2019.6.8 LTS resolved my issue.

(Michael Richardson) #9

I’m very glad to hear that.
Thanks for the update.