Thanks for reaching out! I could imagine it would be an enormous task to update the SSL thumbprints each time your certificates get renewed. One option which comes to mind could be to insert a new step at the beginning of your deployment. With the new step you could make a request out to Let's Encrypt to generate a new Let's Encrypt certificate and install it into the local certificate store. While in this step, you could save various details about the newly installed certificate, like its thumbprint, as a variable made available to subsequent steps in your deployment. Please see our Fun with variables blog for more details.
When you're ready to configure the bindings further down in your deployment you could reference the thumbprint variable you just created. While I haven't personally tested the Lets Encrypt - Create SSL Certificate community step template, it's possible this might be able to help you!
When you say "make a request out to Let's Encrypt", do you mean using the Lets Encrypt - Create SSL Certificate community step and then passing on the variables? Because I don't see a way to pass on variables from the step itself.
Thanks for keeping in touch! I had a brief look at the script source of the Lets Encrypt - Create SSL Certificate step, and while it currently doesn't have the ability to save the Octopus variable for the certificate thumbprint, you're welcome to view the source code and add that functionality in. You can then import your own version of this template into your Octopus server. Please check out our documentation for more information on importing step templates from the community.
One possible way to do this would be to download the step template, then modify the PowerShell script to include this line towards the bottom:
Thanks again for some great feedback. I actually got it working last night, without the extra community step.
On each of our servers I use letsencrypt-win-simple to generate a SAN certificate for all sites with all domains and subdomains, so that I'll only have to deal with one certificate per server. Using the app also lets you test configs before actually issuing certificates, keeping you from reaching that weekly limit. When the certificate has been issued it creates a task to renew the certificate every X days.
The certificate is put in Web Hosting instead of Personal, which means that I can fairly safely assume that it's the only available certificate (this is important later).
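The two ideas above (a first step that looks up the freshly issued certificate and publishes its thumbprint as an Octopus output variable, and a later step that binds that thumbprint in IIS) are shown together below as an added example. This is not code from the thread, from the community step template, or from Octopus; it assumes a step named "Find certificate", a project variable `SiteHostName` and a project variable `SiteName`, all of which are made-up names. Instead of assuming the Web Hosting store holds exactly one certificate, it filters on hostname and validity and takes the one that expires last, so a renewed certificate sitting next to its predecessor is still picked up correctly.

```powershell
# ---- Step 1: "Find certificate" (runs on the web server) ----------------------
# Locate the Let's Encrypt certificate that letsencrypt-win-simple installed into
# the Web Hosting store and expose its thumbprint to later steps.
# Assumptions (not from the thread): project variable SiteHostName holds the
# hostname whose binding we are about to create.

$store    = 'Cert:\LocalMachine\WebHosting'
$hostName = $OctopusParameters['SiteHostName']     # assumed project variable
$now      = Get-Date

# Do not rely on the store containing a single certificate: after a renewal the
# old and new certificate can coexist for a while. Keep only certificates that
# have a private key, are currently valid, and cover the hostname (CN or SAN;
# DnsNameList is the certificate provider's SAN/CN helper property).
$candidates = Get-ChildItem -Path $store | Where-Object {
    $_.HasPrivateKey -and
    $_.NotBefore -le $now -and $_.NotAfter -gt $now -and
    ($_.DnsNameList.Unicode -contains $hostName)
}

# Prefer the certificate that expires last, i.e. the most recently issued one.
$cert = $candidates | Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) {
    throw "No valid certificate for '$hostName' with a private key found in $store"
}

Write-Host "Selected certificate $($cert.Subject), expires $($cert.NotAfter), thumbprint $($cert.Thumbprint)"

# Publish the thumbprint; later steps read it as
# #{Octopus.Action[Find certificate].Output.Thumbprint}
Set-OctopusVariable -name 'Thumbprint' -value $cert.Thumbprint


# ---- Step 2: "Configure bindings" (a later step in the same deployment) -------
# Assumptions (not from the thread): project variable SiteName holds the IIS site
# name; the WebAdministration module is available on the server.

Import-Module WebAdministration

$siteName = $OctopusParameters['SiteName']          # assumed project variable
$hostName = $OctopusParameters['SiteHostName']      # assumed project variable
$thumb    = $OctopusParameters['Octopus.Action[Find certificate].Output.Thumbprint']

if ([string]::IsNullOrWhiteSpace($thumb)) {
    throw 'Thumbprint output variable is empty; did the "Find certificate" step run on this machine?'
}

# Re-resolve the certificate by thumbprint on this machine rather than trusting
# the variable blindly; this also fails loudly if the store does not contain it.
$cert = Get-Item -Path "Cert:\LocalMachine\WebHosting\$thumb" -ErrorAction Stop

# Create the https binding with SNI (SslFlags 1) if it is not already present,
# then point the SSL binding for this host at the selected certificate.
$binding = Get-WebBinding -Name $siteName -Protocol https -Port 443 -HostHeader $hostName
if (-not $binding) {
    New-WebBinding -Name $siteName -Protocol https -Port 443 -HostHeader $hostName -SslFlags 1
}

$sslPath = "IIS:\SslBindings\!443!$hostName"
if (Test-Path $sslPath) {
    Remove-Item -Path $sslPath -Force
}
New-Item -Path $sslPath -Value $cert -SslFlags 1 | Out-Null

Write-Host "Bound $hostName on $siteName to certificate $thumb"
```

The second step deliberately looks the certificate up again by thumbprint instead of reusing the object from step 1: steps run in separate processes (and possibly on different targets), and a binding that silently references a thumbprint not present in the store is exactly the failure this thread is trying to avoid.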
You're absolutely right, Richard. That is a very valid step to add to this whole mess, and exactly what I have in my next step as well.
I'm glad to have helped and I appreciate that you could improve on my writeup.