PowerShell to renew a certificate

#1

Hi, I am using Octopus Deploy to deploy my codebase, but when I backup/restore the bindings using the Octopus Deploy process step, the Certify SSL certs are knocked out. I don't store my certs in Octopus but use Certify.UI.exe

I am using DNS auth https://auth.acme-dns.io
I have a single site with 8 domains pointing to it with 8 certs using SNI

Is it possible to

  1. use certify renew - This only seems to renew certificates that are due for renewal, I have auto renewal set to 30 days
  2. use PowerShell to reset the bindings and correct certificate?
  3. use PowerShell to renew regardless of whether it's due or not?

Either way I need a CLI command to run so I can add it as a step to my Octopus Deploy process.

Can anyone help? Ta

0 Likes

#2

Looks like I have solved it with PowerShell. After I deploy Octopus Deploy I can run the following script for all my subdomains. HTH someone else

```powershell
# Requires the IIS WebAdministration module
Import-Module WebAdministration

# Settings
$site = "mydomain.com"
$certUrl = "ssl.mydomain.com"
$ip = "*"
$bindingInfo = -join($ip, ":443:", $certUrl)

# Get thumbprint from cert store (newest match, in case an older cert is still present)
$thumbprint = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.FriendlyName -like "*$certUrl*" } |
    Sort-Object -Property NotAfter -Descending |
    Select-Object -First 1 -ExpandProperty Thumbprint

# Check if it exists, if so bin it
$result = $null -ne (Get-WebBinding | Where-Object { $_.bindingInformation -eq $bindingInfo })
if ($result) {
    Write-Output "Binding found for $certUrl"
    Remove-WebBinding -HostHeader $certUrl -Name $site -IPAddress $ip -Port 443 -Protocol https
}

# Add web binding (SslFlags 1 = SNI)
New-WebBinding -HostHeader $certUrl -Name $site -IPAddress $ip -Port 443 -Protocol https -SslFlags 1
# Now get binding
$binding = Get-WebBinding | Where-Object { $_.bindingInformation -eq $bindingInfo }
# Add correct cert to binding
$binding.AddSslCertificate($thumbprint, "My")

Write-Output "Reset certificate for $certUrl for thumbprint $thumbprint"
```
0 Likes
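
A post-deploy check that could follow the script above, added here as an example and not part of the original thread: for each SNI host it reports a missing binding, an unbound or expiring certificate, or a binding that still points at an older certificate than the newest one in the store. The site name, host list and 14-day threshold are placeholders, and it assumes certificates sit in LocalMachine\My with the host name in FriendlyName, as in the script above.

```powershell
# Added example, not from the thread. Site name, host list and the 14-day
# threshold are placeholders; certificates are assumed to be in LocalMachine\My
# with the host name in FriendlyName, as in the script above.
Import-Module WebAdministration

$site        = "mydomain.com"
$hostNames   = @("ssl.mydomain.com")   # add the other SNI host names here
$minDaysLeft = 14

function Test-SniBinding {
    param([string]$Site, [string]$HostName, [int]$MinDaysLeft)

    $binding = Get-WebBinding -Name $Site -Protocol https |
        Where-Object { $_.bindingInformation -eq "*:443:$HostName" }
    if (-not $binding)                    { return "no https binding" }
    if (-not ($binding.sslFlags -band 1)) { return "SNI flag not set" }
    if (-not $binding.certificateHash)    { return "no certificate bound" }

    # Certificate the binding actually points at
    $bound = Get-ChildItem -Path Cert:\LocalMachine\My |
        Where-Object { $_.Thumbprint -eq $binding.certificateHash }
    if (-not $bound)               { return "bound thumbprint not in store" }
    if (-not $bound.HasPrivateKey) { return "bound certificate has no private key" }
    if ($bound.NotAfter -lt (Get-Date).AddDays($MinDaysLeft)) {
        return "bound certificate expires $($bound.NotAfter.ToString('u'))"
    }

    # Newest certificate issued for this host; a mismatch means the binding is stale
    $newest = Get-ChildItem -Path Cert:\LocalMachine\My |
        Where-Object { $_.FriendlyName -like "*$HostName*" } |
        Sort-Object -Property NotAfter -Descending |
        Select-Object -First 1
    if ($newest -and $newest.Thumbprint -ne $bound.Thumbprint) {
        return "stale: store holds newer certificate $($newest.Thumbprint)"
    }
    return "OK"
}

$failed = 0
foreach ($h in $hostNames) {
    $status = Test-SniBinding -Site $site -HostName $h -MinDaysLeft $minDaysLeft
    Write-Output "$h : $status"
    if ($status -ne "OK") { $failed++ }
}
if ($failed -gt 0) { exit 1 }   # non-zero exit lets the calling step fail
```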

#3

Hi,

Thanks, this is a known issue - your Octopus Deploy may restore the bindings but if you are set to ‘Single Site’ in the deployment tab of Certify your SiteID will no longer be valid internally, so renewals will fail to update those bindings when the cert renews. Instead set Deployment to Auto and verify that your Preview says it will update the correct bindings.

There is no current command line option to command a deployment to be repeated (there is in the UI: Show Advanced Options > Other Options > Re-apply certificate bindings), however in the next major release (4.2.x) we will have a bunch of new deployment related options including the ability to (re)deploy the latest certification for a specific named managed site via the CLI.

1 Like

#4

Thanks, will try out the auto deployment mode as suggested as well. Makes sense as Octopus Deploy creates a new site which in turn means new site id… gotcha…

Thanks

0 Likes