Support Let's Encrypt for Octopus certificates
Let's Encrypt could get more popular with the passage of time. Would it be useful to provide support for automatically renewed thumbprints created by it?
Source: http://help.octopusdeploy.com/discussions/questions/8393

-
Thomas B commented
This suggestion should be marked as Completed.
-
Fredrik Haglund commented
+1 for binding using thumbprint OR CN-name
-
James Mc commented
For those who want to use the workaround and are working with SAN certificates, you can use this slightly modified PowerShell script to search for an appropriate certificate:
# DNS name to look for in the certificate's Subject Alternative Name extension
$sanAddress = "[DNS entry]"
Get-ChildItem Cert:\LocalMachine\My -Recurse | Where-Object {
    # keep only certificates that are valid right now
    $_.NotAfter -gt (Get-Date) -and $_.NotBefore -le (Get-Date)
} | Select-Object -Property Thumbprint, @{
    Name = "San"
    # pull out the SAN extension so it can be inspected below
    Expression = { $_.Extensions | Where-Object { $_.Oid.FriendlyName -eq "subject alternative name" } }
} | Where-Object {
    # Format(1) renders the extension as text, e.g. "DNS Name=host.example.com"
    $_.San.Count -gt 0 -and
    $_.San.Format(1).Contains("DNS Name=$sanAddress")
} | Select-Object -ExpandProperty Thumbprint
-
Sam “Betty” McKoy commented
Found a workaround - PowerShell step to find the thumbprint.
# first unexpired certificate in the WebHosting store whose subject starts with the CN we want
$thumbprint = Get-ChildItem Cert:\LocalMachine\WebHosting -Recurse |
    Where-Object { $_.Subject.StartsWith("CN=blah.blah") } |
    Where-Object { $_.NotAfter -gt (Get-Date) } |
    Select-Object -ExpandProperty Thumbprint
# expose it to later steps as an Octopus output variable
Set-OctopusVariable -name "ThumbPrint" -value "$thumbprint"
-
Anonymous commented
Octopus Deploy always kills my Let's Encrypt settings. If there is no built-in support for Let's Encrypt, then at least there needs to be an option to disable the cert update. I tried to disable the binding, as the comment states the binding shouldn't get updated, but apparently it gets updated...
-
Shaun Little commented
Guys, could we at least have the option to retain current bindings until full support for LetsEncrypt is available?
-
Rory Primrose commented
Support for Let's Encrypt should also apply to the Octopus Server itself. I would like to see Octopus Server renew its own certificate to make it more hands-off.
I also use the same certificate for the RDP session. Bonus points for OD server setting the RDP thumbprint to the renewed certificate from Let's Encrypt.
-
Thomas B commented
And I see that a GitHub issue tries to address this suggestion: https://github.com/OctopusDeploy/Issues/issues/2701
-
Thomas B commented
I agree with Sam: a more generic solution should be to allow binding a certificate by name instead of by thumbprint. And if multiple certificates match, it should use the most recent one.
-
Sam “Betty” McKoy commented
Instead of specific support for Let's Encrypt, maybe it makes sense to be able to bind certificates via name instead of just thumbprint? That way we don't need to update Octopus whenever we get new certs, no matter where the cert is sourced from.
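The following combines the two workarounds above with Thomas B's "use the most recent one" rule, as an added example that is not code from the thread or from Octopus. It assumes the Windows PowerShell certificate provider (whose certificate objects expose DnsNameList) and the function name and store paths are assumptions; Set-OctopusVariable is the Octopus cmdlet already used above.

```powershell
# Added example (not from the thread): find the newest currently-valid certificate,
# with a private key, whose CN or SAN covers $DnsName, so a renewed Let's Encrypt
# certificate is bound without hard-coding a thumbprint. Function name is assumed.
function Find-NewestCertificateThumbprint {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $DnsName,
        # Some IIS setups place ACME-issued certificates in WebHosting rather than My.
        [string[]] $StorePath = @('Cert:\LocalMachine\My', 'Cert:\LocalMachine\WebHosting')
    )
    $now = Get-Date
    $labels = $DnsName.Split('.').Count
    $candidates = foreach ($path in $StorePath) {
        if (-not (Test-Path $path)) { continue }
        Get-ChildItem -Path $path | Where-Object {
            $_.HasPrivateKey -and                                  # a binding needs the private key
            $_.NotBefore -le $now -and $_.NotAfter -gt $now -and   # valid right now
            (
                # DnsNameList (cert provider, Windows PowerShell 3+) lists CN and SAN names
                $_.DnsNameList.Unicode -contains $DnsName -or
                # wildcard entry *.example.com covers one extra label only
                ($_.DnsNameList.Unicode | Where-Object {
                    $_ -like '`*.*' -and $DnsName -like $_ -and $_.Split('.').Count -eq $labels
                })
            )
        }
    }
    if (-not $candidates) {
        throw "No valid certificate with a private key found for '$DnsName'."
    }
    # Several renewals can coexist in the store; take the most recently issued one.
    $newest = $candidates | Sort-Object NotBefore -Descending | Select-Object -First 1
    Write-Verbose ("Selected {0} (expires {1:u})" -f $newest.Thumbprint, $newest.NotAfter)
    $newest.Thumbprint
}

# Usage in an Octopus script step; "ThumbPrint" is the variable name used in the thread:
# Set-OctopusVariable -name "ThumbPrint" -value (Find-NewestCertificateThumbprint -DnsName "www.example.com")
```

Because the step throws when nothing matches, a failed or missing renewal stops the deployment instead of silently binding an expired certificate.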