Octopus Server full chain cert update - fails with private on CA


We need to renew our OD server certs, but when trying to do this using Octopus Manager the server fails to come up, with no specific errors in the log.

When trying to import the cert, there is a more specific error (below), whereby it’s trying to find the private key from the CA at the start of the chain.

This didn’t happen last time we renewed, so is there a new requirement for (CNG?) certs, or fix needed? We are on v2020.3.2

E:\Octopus>Octopus.Server.exe import-certificate --from-file=“C:\temp\octopus-it-test.uk.corp.investec.com-v2.pfx” --pfx-password=“Notbell1234!” --console
Importing the certificate stored in PFX file in C:\temp\octopus-it-test.uk.corp.investec.com-v2.pfx using the provided password…
PFX file C:\temp\octopus-it-test.uk.corp.investec.com-v2.pfx contains multiple certificates, taking the first one.
The X509 certificate CN=Investec ICA01, DC=INVESTEC, DC=CORP was loaded but the private key was not loaded.
Furthermore, the private key file could not be located: Unable to obtain private key file name

Hi @ukitapps,

First of all welcome to the Octopus forums!

Thanks for reaching out.

Is this regarding the web portal certificate? If so, can you take a look at the documentation here and make sure you’ve followed the process? https://octopus.com/docs/security/exposing-octopus/expose-the-octopus-web-portal-over-https

If it’s not that, it may be that we handle certificate chains in a different way than might be expected. The way that Octopus handles full certificate chains of trust is actually to just import the last certificate in the chain plus the private key. The client side is expected to have the rest of the chain of trust in the certificate store.

Could you please give those a shot and let me know if it works for you?


This topic was automatically closed 31 days after the last reply. New replies are no longer allowed.