
Issue with Lets Encrypt - Cloudflare

Open · luis-paulo-silva opened this issue 1 year ago · 1 comment

Step template

Lets Encrypt - Cloudflare

Step version

No response

Octopus version

Any

Step template parameter inputs

No response

What happened

Duplicated certificate entries on the library due to a new CA being introduced and the step not updated

Reproduction steps

Just remove the current CAs (issuers) from the script and you should get the certificates duplicated. Once they are duplicated (3 or 4 times), restore that list and try to update the certificates and get them replaced (it will not work). You have to loop over the existing certificates to update them all, so that each is archived and replaced by the new one. We had this problem because we needed some custom code and the plugin was not up to date, but the issue regarding replacing the certificates is still valid.

More Information

No response

luis-paulo-silva · Oct 04 '24 11:10

Proposed fix:

# Assumes $certificates (the library entries already filtered for this domain)
# and $expiring_certificates (the subset due to expire) were built earlier in the step.
if ($expiring_certificates) {
    $expiring_certificates_count = $expiring_certificates.Count
    Write-Host "Found $expiring_certificates_count certificates that expire within $($OctopusParameters["LE_Cloudflare_ReplaceIfExpiresInDays"]) days. Requesting new certificates for $($LE_Cloudflare_CertificateDomain) from Lets Encrypt"
    $le_certificate = Get-LetsEncryptCertificate

    # PFX: replace every existing Pkcs12 entry, not just the first one, so that
    # duplicates created under a new issuer are all archived and replaced.
    # @() keeps the result an array so .Count works when only one entry matches.
    $existing_certificates = @($certificates | Where-Object { $_.CertificateDataFormat -eq "Pkcs12" })
    $existing_certificates_count = $existing_certificates.Count
    Write-Host "Found $existing_certificates_count certificates to replace. Iterating..."
    $certificate_as_json = Get-ReplaceCertificatePFXAsJson -Certificate $le_certificate
    ForEach ($existing_certificate in $existing_certificates)
    {
        $certificateId = $existing_certificate.Id
        Write-Host "Replacing $certificateId with new certificate"
        Update-OctopusCertificate -Certificate_Id $certificateId -JsonBody $certificate_as_json
    }
}

Edit: Additionally, if possible (and I'm looking to make it possible), the following array should be fetched from somewhere every time the step starts, to avoid these problems:

$LE_Cloudflare_Issuers = @("Let's Encrypt Authority X3", "E1", "E2", "R3", "R4", "R5", "R6", "R10", "R11")

Instead of a static thing we should be getting it from an API somewhere.

luis-paulo-silva · Oct 04 '24 11:10
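The two points raised in this issue, replacing every duplicate rather than the first match and not depending on a hard-coded list of intermediate CA names, can be handled together by selecting certificates on the issuer organization instead of the issuer common name. The following PowerShell is an added example, not code from the issue author or from the Lets Encrypt - Cloudflare step template; the property names (Id, SubjectCommonName, IssuerCommonName, IssuerOrganization, NotAfter, Archived, CertificateDataFormat) are assumed to mirror the Octopus certificate resource, and the sample library entries are constructed for the demonstration.

```powershell
# Added example (not the step template's or the issue author's code).
# Selects every non-archived Let's Encrypt PFX certificate for a domain so that
# all duplicates are replaced, matching on the issuer organization rather than
# on a static list of intermediate CNs (R3, R10, R11, E1, ...), which goes stale
# whenever Let's Encrypt rotates intermediates.
# Property names below are assumed to mirror the Octopus certificate resource.
function Select-CertificatesToReplace {
    param(
        [Parameter(Mandatory)] [object[]] $Certificates,
        [Parameter(Mandatory)] [string]   $Domain,
        [string] $IssuerOrganization = "Let's Encrypt",
        [int]    $ReplaceIfExpiresInDays = 30
    )
    $cutoff = (Get-Date).AddDays($ReplaceIfExpiresInDays)

    # @() keeps the result an array even when a single certificate matches,
    # so .Count is reliable and ForEach iterates as expected.
    $matching = @($Certificates | Where-Object {
        -not $_.Archived -and
        $_.CertificateDataFormat -eq "Pkcs12" -and
        $_.SubjectCommonName -eq $Domain -and
        $_.IssuerOrganization -eq $IssuerOrganization
    })
    $expiring = @($matching | Where-Object { [datetime]$_.NotAfter -le $cutoff })

    # If any copy is due to expire, return the whole set: replacing every entry
    # (rather than only the expiring one) is what prevents a mix of renewed and
    # stale duplicates for the same domain from accumulating in the library.
    if ($expiring.Count -gt 0) { return $matching }
    return @()
}

# Constructed sample library entries (not real data): three duplicates for the
# same domain issued by different Let's Encrypt intermediates, plus one archived
# entry and one certificate from another CA that must be left alone.
$sample = @(
    [pscustomobject]@{ Id = "Certificates-1"; SubjectCommonName = "example.com"; IssuerCommonName = "R3";  IssuerOrganization = "Let's Encrypt"; NotAfter = (Get-Date).AddDays(10); Archived = $false; CertificateDataFormat = "Pkcs12" },
    [pscustomobject]@{ Id = "Certificates-2"; SubjectCommonName = "example.com"; IssuerCommonName = "R10"; IssuerOrganization = "Let's Encrypt"; NotAfter = (Get-Date).AddDays(60); Archived = $false; CertificateDataFormat = "Pkcs12" },
    [pscustomobject]@{ Id = "Certificates-3"; SubjectCommonName = "example.com"; IssuerCommonName = "R13"; IssuerOrganization = "Let's Encrypt"; NotAfter = (Get-Date).AddDays(80); Archived = $false; CertificateDataFormat = "Pkcs12" },
    [pscustomobject]@{ Id = "Certificates-4"; SubjectCommonName = "example.com"; IssuerCommonName = "R3";  IssuerOrganization = "Let's Encrypt"; NotAfter = (Get-Date).AddDays(-5); Archived = $true;  CertificateDataFormat = "Pkcs12" },
    [pscustomobject]@{ Id = "Certificates-5"; SubjectCommonName = "example.com"; IssuerCommonName = "Other CA"; IssuerOrganization = "Other Org"; NotAfter = (Get-Date).AddDays(5); Archived = $false; CertificateDataFormat = "Pkcs12" }
)

$toReplace = Select-CertificatesToReplace -Certificates $sample -Domain "example.com" -ReplaceIfExpiresInDays 30
Write-Host "Found $($toReplace.Count) certificates to replace:"
foreach ($cert in $toReplace) {
    # In the real step this is where Update-OctopusCertificate would be called
    # once per entry, with the same JSON body for the freshly issued PFX.
    Write-Host "  $($cert.Id) (issuer CN $($cert.IssuerCommonName), expires $($cert.NotAfter.ToString('yyyy-MM-dd')))"
}
```

With the sample above the function returns Certificates-1, -2 and -3: Certificates-1 is the expiring copy that triggers the replacement, the R13-issued duplicate is included even though that CN is absent from the static list, the archived entry is skipped, and the certificate from another CA is never touched. Whether `IssuerOrganization` is exposed on your Octopus version should be checked against the certificate resource returned by the API before relying on it.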