Open luis-paulo-silva opened 1 month ago
Proposed fix:
```powershell
if ($expiring_certificates) {
    $expiring_certificates_count = $expiring_certificates.Count
    Write-Host "Found $expiring_certificates_count certificates that expire with $($OctopusParameters["LE_Cloudflare_ReplaceIfExpiresInDays"]) days. Requesting new certificates for $($LE_Cloudflare_CertificateDomain) from Lets Encrypt"
    # Request one new certificate and reuse it for every replacement below
    $le_certificate = Get-LetsEncryptCertificate

    # PFX
    $existing_certificates = $certificates | Where-Object { $_.CertificateDataFormat -eq "Pkcs12" }
    $existing_certificates_count = $existing_certificates.Count
    Write-Host "Found $existing_certificates_count certificates to replace. Iterating..."
    $certificate_as_json = Get-ReplaceCertificatePFXAsJson -Certificate $le_certificate

    # Loop over all existing PFX certificates so duplicated entries are replaced too
    ForEach ($existing_certificate in $existing_certificates)
    {
        $certificateId = $existing_certificate.Id
        Write-Host "Replacing $certificateId with new certificate"
        Update-OctopusCertificate -Certificate_Id $existing_certificate.Id -JsonBody $certificate_as_json
    }
}
```
Edit:
Additionally, if possible (and I'm looking to make it possible) the following array should be fetched from somewhere any time the step starts to avoid these problems.
```powershell
$LE_Cloudflare_Issuers = @("Let's Encrypt Authority X3", "E1", "E2", "R3", "R4", "R5", "R6", "R10", "R11")
```
Instead of a static thing we should be getting it from an API somewhere.
Step template
Lets Encrypt - Cloudflare
Step version
No response
Octopus version
Any
Step template parameter inputs
No response
What happened
Duplicated certificate entries in the library due to a new CA being introduced and the step not being updated.
Reproduction steps
Just remove the current CAs (issuers) from the script and you should get the certificates duplicated. Once they are duplicated (3 or 4 times), restore that list and try to update the certificates and get them replaced (it will not work). You have to loop on the existing certificates to update them all to be archived and replaced by the new one. We had this problem because we needed some custom code and the plugin was not up to date, but the issue regarding replacing the certificates is still valid.
More Information
No response
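The failure mode reported above, as an added example that is not part of the original issue or the step template: a static issuer common-name list misses a certificate issued by an intermediate that is not in the list, so that entry is never selected for replacement and a new one is added instead. Matching on the issuer organization is shown as one alternative to maintaining the list; the function name, the `SubjectCommonName`, `IssuerCommonName`, `IssuerOrganization` and `NotAfter` property names, and all sample values (including the `NEW-CA` placeholder) are assumptions.

```powershell
# Added example. Only Id and CertificateDataFormat appear in the issue; the other
# property names are assumed, and every sample value below is constructed.
$LE_Cloudflare_Issuers = @("Let's Encrypt Authority X3", "E1", "E2", "R3", "R4", "R5", "R6", "R10", "R11")
$soon = (Get-Date).AddDays(10)
$certificates = @(
    [pscustomobject]@{ Id = 'Certificates-1'; SubjectCommonName = 'example.test'; IssuerCommonName = 'R3'
                       IssuerOrganization = "Let's Encrypt"; NotAfter = $soon; CertificateDataFormat = 'Pkcs12' }
    # 'NEW-CA' stands in for an intermediate introduced after the list was written
    [pscustomobject]@{ Id = 'Certificates-2'; SubjectCommonName = 'example.test'; IssuerCommonName = 'NEW-CA'
                       IssuerOrganization = "Let's Encrypt"; NotAfter = $soon; CertificateDataFormat = 'Pkcs12' }
    # Same subject, different CA: must never be selected for replacement
    [pscustomobject]@{ Id = 'Certificates-3'; SubjectCommonName = 'example.test'; IssuerCommonName = 'Example Root'
                       IssuerOrganization = 'Example CA'; NotAfter = $soon; CertificateDataFormat = 'Pkcs12' }
)

# Hypothetical helper: returns every PFX certificate for the domain that expires
# within the window and was issued by Let's Encrypt, using one of two issuer checks.
function Select-CertificatesToReplace {
    param(
        [object[]]$Certificates,
        [string]$Domain,
        [int]$ReplaceIfExpiresInDays,
        [string[]]$IssuerNames = @(),
        [switch]$MatchOnOrganization
    )
    $cutoff = (Get-Date).AddDays($ReplaceIfExpiresInDays)
    $Certificates | Where-Object {
        if ($MatchOnOrganization) {
            $issuerOk = $_.IssuerOrganization -eq "Let's Encrypt"
        } else {
            $issuerOk = $IssuerNames -contains $_.IssuerCommonName
        }
        $issuerOk -and
        $_.SubjectCommonName -eq $Domain -and
        $_.CertificateDataFormat -eq 'Pkcs12' -and
        $_.NotAfter -le $cutoff
    }
}

$common = @{ Certificates = $certificates; Domain = 'example.test'; ReplaceIfExpiresInDays = 30 }
$byList = @(Select-CertificatesToReplace @common -IssuerNames $LE_Cloudflare_Issuers)
$byOrg  = @(Select-CertificatesToReplace @common -MatchOnOrganization)

# The static list selects only Certificates-1; the organization match also selects
# Certificates-2, and neither selects the certificate from the unrelated CA.
Write-Host "Static issuer list selects: $($byList.Id -join ', ')"
Write-Host "Organization match selects: $($byOrg.Id -join ', ')"
```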