Renew instead of new cert (avoid thumbprint change)

Auto “renew” seems to actually create new certificates. Is there a way to get it to do a “real” renew (same private key) so that the thumbprint does not change?

We use Octopus to do deployments - we use the same wildcard cert for all dev sites. This allows us to keep track of a single thumbprint within Octopus and it binds to the cert with that configured thumbprint. However, we just had our first autorenew, and while it was added to the certificate store, it also has a different thumbprint so it is not being bound in IIS (I’m currently using the option to ONLY add the cert to the certificate store and letting Octopus do the rest).

Hi, assuming we’re talking about the same thing, the certificate thumbprint is a hash of the entire certificate and includes valid to/from dates so you will never get the same certificate thumbprint (it’s there so the OS can validate that it’s bound to the correct cert).

There are a few people using Octopus with Certify but I don’t know their individual workflows. If you check ‘Show advanced options’ you can add a script (PowerShell) to do whatever you need with the new certificate (and its new thumbprint), so in your case I’d suggest telling Octopus the new thumbprint to use.

The next major release of the app will have new extended deployment options including controlling how deployment (if any) happens outside of the renewal process, so you can renew regularly but only deploy when you want to. I’ll look at an option to preserve CSR private key between renewals but it doesn’t come up that often.
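To make the point about thumbprints concrete, here is an added PowerShell example (not code from the original thread, from Certify or from Octopus) that signs the same RSA key twice with different validity windows and compares the results. The subject name is a placeholder and the certificates are self-signed stand-ins for CA-issued ones; it assumes PowerShell 7, where System.Security.Cryptography.X509Certificates.CertificateRequest is available.

```powershell
# Added example, not from the original thread: shows why a renewal can never keep the
# old thumbprint. Windows reports the thumbprint as SHA-1 over the whole DER-encoded
# certificate, which includes the validity dates and serial number, so re-signing the
# same key pair for a new period still yields a new thumbprint. The public key itself is
# unchanged, which hashing the key (rather than the certificate) makes visible.
# Assumes PowerShell 7 for CertificateRequest; the subject below is a placeholder.
using namespace System.Security.Cryptography
using namespace System.Security.Cryptography.X509Certificates

function Get-Sha1Thumbprint([X509Certificate2] $Cert) {
    # Recompute the Thumbprint property by hand: SHA-1 of the certificate's raw DER bytes.
    $sha1 = [SHA1]::Create()
    try { [BitConverter]::ToString($sha1.ComputeHash($Cert.RawData)).Replace('-', '') }
    finally { $sha1.Dispose() }
}

function Get-PublicKeyHash([X509Certificate2] $Cert) {
    # SHA-256 of the encoded public key only: same key pair gives the same value, whatever the dates.
    $sha256 = [SHA256]::Create()
    try { [BitConverter]::ToString($sha256.ComputeHash($Cert.GetPublicKey())).Replace('-', '') }
    finally { $sha256.Dispose() }
}

function New-TestCertificate([RSA] $Key, [datetime] $NotBefore, [datetime] $NotAfter) {
    # Self-signed stand-in for a CA-issued certificate (placeholder subject).
    $request = [CertificateRequest]::new('CN=*.dev.example.test', $Key,
        [HashAlgorithmName]::SHA256, [RSASignaturePadding]::Pkcs1)
    $request.CreateSelfSigned([DateTimeOffset] $NotBefore, [DateTimeOffset] $NotAfter)
}

$key = [RSA]::Create(2048)
$original = New-TestCertificate -Key $key -NotBefore (Get-Date) -NotAfter (Get-Date).AddDays(90)
# A "real" renewal in the sense of the question: same private key, new validity window.
$renewed  = New-TestCertificate -Key $key -NotBefore (Get-Date).AddDays(60) -NotAfter (Get-Date).AddDays(150)

"Original thumbprint : $($original.Thumbprint)"
"Renewed thumbprint  : $($renewed.Thumbprint)"
"Thumbprint is SHA-1 of RawData : $((Get-Sha1Thumbprint $original) -eq $original.Thumbprint)"
"Thumbprints differ             : $($original.Thumbprint -ne $renewed.Thumbprint)"
"Public key hash unchanged      : $((Get-PublicKeyHash $original) -eq (Get-PublicKeyHash $renewed))"
```

All three checks print True: the hand-computed SHA-1 matches the Thumbprint property, the two thumbprints differ even though the key was reused, and the public-key hash is identical. For a deployment tool that pins a thumbprint this means the pinned value always needs updating after a renewal; the alternatives are to pin something stable (the subject, or the key hash if the key is reused) and resolve the current thumbprint at deploy time, or to push the new thumbprint into the tool after each renewal, which is what the script later in this thread does.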

Yes, you’re right, not sure why I thought otherwise.

The problem with updating Octopus with the certificate thumbprint is that it still requires a deploy, i.e. I can update Octopus with the new certificate, but none of the other sites are going to get that certificate until a deploy is done.

I’m thinking I mitigated the issue by enabling “Automatic Rebind of Renewed certificates” in IIS. That should update the sites with the new certificate.

But thank you for pointing out the scripting option - it would make sense if I eventually write a script to update the variable in Octopus so that I do not have to remember to do it.

Here’s the PowerShell script to update an Octopus variable with the latest thumbprint:

$certs = Get-ChildItem -Path cert:\LocalMachine\My

#$certs | select *

#get the latest cert (identified by subject name and issuer in my case; set the subject to your wildcard cert's CN)
$newCert = $certs | ? { $_.SubjectName.Name -eq "CN=*" -and $_.Issuer -eq "CN=Let's Encrypt Authority X3, O=Let's Encrypt, C=US"} | Sort-Object -Property NotAfter -Descending | Select -First 1

#stop here rather than writing an empty value into Octopus when nothing matched
if (-not $newCert) { throw "No certificate matching the subject/issuer filter was found in cert:\LocalMachine\My" }


#Server Specific Variables    vvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvv
$octoServer = "http://YourOctopusUrl"
#API key of an Octopus user allowed to edit the library variable set. The original post used
#$octoApiKey without showing where it was set; read it from an environment variable or a
#secret store rather than keeping it in the script.
$octoApiKey = $env:OCTOPUS_API_KEY
if (-not $octoApiKey) { throw "Set OCTOPUS_API_KEY to an Octopus API key before running this script" }

#based on

####    Setup     #####
$ErrorActionPreference = "Stop"
Set-StrictMode -Version Latest;

$currentDir = (Split-Path $script:MyInvocation.MyCommand.Path -Parent)
#cd to the current directory - not really necessary, but makes working in multiple files in the ISE a little easier
Set-Location $currentDir

# You can get this dll from your Octopus Server/Tentacle installation directory or from
Add-Type -Path "$currentDir\Octopus.Client.dll"

$endpoint = New-Object Octopus.Client.OctopusServerEndpoint $octoServer,$octoApiKey
$repository = New-Object Octopus.Client.OctopusRepository $endpoint

####    Modify the "SD.SslThumbprint" value in the "Standard SD Variable Set"   ####
$libraryVariableSet = $repository.LibraryVariableSets.FindByName("Standard SD Variable Set")

$variables = $repository.VariableSets.Get($libraryVariableSet.VariableSetId);

$sslThumbprintVariable = $variables.Variables | ? Name -eq "SD.SslThumbprint"

$sslThumbprintVariable.Value = $newCert.Thumbprint;

#$variables.AddOrUpdateVariableValue("SD.SslThumbprint", "Test")

$response = $repository.VariableSets.Modify($variables);
"Octopus Updated"

I did do a test to see if the “automatic rebind” works and it did not. Matters less at this point I suppose since I’m at least updating the thumbprint in Octopus and a deployment for ANY site will update the rest of the sites (they share an IP/Port and IIS forces the same cert when SNI is not involved). Maybe I’ll write more PowerShell to flip them all.

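Flipping the IIS bindings to the renewed certificate without waiting for a deploy, as the post above considers, can be scripted. The following is an added PowerShell example and not code from the original thread, from Certify or from Octopus; it assumes the WebAdministration module that ships with IIS, and the parameter names are my own. It checks that the renewed certificate is present, has a private key and is not expired before touching any binding, and supports -WhatIf so the changes can be previewed.

```powershell
# Added example, not code from the original thread: re-point every IIS https binding that
# still carries the previous certificate's thumbprint at the renewed certificate.
# Assumes the WebAdministration module (installed with IIS). Run elevated.
#Requires -Modules WebAdministration
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [Parameter(Mandatory)] [string] $OldThumbprint,
    [Parameter(Mandatory)] [string] $NewThumbprint
)
Set-StrictMode -Version Latest
$ErrorActionPreference = 'Stop'

# Normalise: thumbprints copied from the certificate MMC often carry spaces and mixed case.
$OldThumbprint = ($OldThumbprint -replace '\s', '').ToUpperInvariant()
$NewThumbprint = ($NewThumbprint -replace '\s', '').ToUpperInvariant()

# Sanity checks before changing anything: the new cert must be in LocalMachine\My,
# must have a private key IIS can use, and must not already be expired.
$newCert = Get-ChildItem -Path cert:\LocalMachine\My | Where-Object Thumbprint -eq $NewThumbprint
if (-not $newCert) { throw "Certificate $NewThumbprint not found in cert:\LocalMachine\My" }
if (-not $newCert.HasPrivateKey) { throw "Certificate $NewThumbprint has no private key; IIS cannot bind it" }
if ($newCert.NotAfter -lt (Get-Date)) { throw "Certificate $NewThumbprint has already expired" }

$changed = 0
foreach ($binding in Get-WebBinding -Protocol https) {
    # certificateHash holds the thumbprint of the certificate currently bound on this binding.
    if ($binding.certificateHash -ne $OldThumbprint) { continue }

    # Pull the site name out of the binding's configuration path for the -WhatIf / verbose message.
    $site = $binding.ItemXPath -replace ".*@name='([^']+)'.*", '$1'
    if ($PSCmdlet.ShouldProcess("$site ($($binding.bindingInformation))", "rebind to $NewThumbprint")) {
        # Replaces the SSL certificate for this binding's IP:port(:hostname) entry in place.
        $binding.AddSslCertificate($NewThumbprint, 'My')
        $changed++
    }
}
"Rebound $changed https binding(s) from $OldThumbprint to $NewThumbprint"
```

Bindings that already point at the new thumbprint, or at some unrelated certificate, are left alone, so the script is safe to run repeatedly; for sites that share an IP and port without SNI, the first rebind on that pair already covers the others, and the later calls are no-ops.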

Many thanks for sharing your script!