Renew Lets Encrypt certificate fails with Can not find issuer 'C=US,O=Internet Security Research Group,CN=ISRG Root X1' for certificate 'C=US,O=Let's Encrypt,CN=R3' #8632

Closed
IsaacCalligeros95 opened this issue Feb 15, 2024 · 10 comments
Labels
kind/bug This issue represents a verified problem we are committed to solving

@IsaacCalligeros95

Severity

Sev 2

Version

All, excluding 2024.1

Latest Version

Not applicable

What happened?

When auto-renewing SSL certificates with the built-in Renew Lets Encrypt certificate, certificate renewal fails with the error:
`Can not find issuer 'C=US,O=Internet Security Research Group,CN=ISRG Root X1' for certificate 'C=US,O=Let's Encrypt,CN=R3'`

Reproduction

Trigger the Configure Let's Encrypt SSL Certificate in the Octopus configuration section. The task should fail.

Error and Stacktrace

`Can not find issuer 'C=US,O=Internet Security Research Group,CN=ISRG Root X1' for certificate 'C=US,O=Let's Encrypt,CN=R3'`

More Information

This is happening due to an older certificate in an upstream library, see fszlin/certes#315.

Workaround

The workaround to this issue is to generate the certificate manually. This can be done by:

  1. Generate a certificate outside of Octopus using Let's Encrypt's certbot util.
    There is some documentation on this here: https://certbot.eff.org/instructions?ws=other&os=windows&tab=standard
  2. Once you have the certificate, you can then import it using the Octopus Server CLI:
    https://octopus.com/docs/octopus-rest-api/octopus.server.exe-command-line/ssl-certificate

IsaacCalligeros95 added the kind/bug label Feb 15, 2024

@LarsPedersen

@IsaacCalligeros95 thanks for the explanation and workaround.

What is the permanent solution to this?

@IsaacCalligeros95
Author

IsaacCalligeros95 commented Mar 14, 2024

@LarsPedersen Hey Lars, this issue should have been automatically closed and tagged with the fixed versions, sorry about that. This has been fixed in the following versions:
2023.3.13361
2023.4.8334
2024.1.11624
2024.2.2

Are you on one of these LTS versions of Octopus Server or an older version?

@LarsPedersen

Way older unfortunately. But it is a good reason to upgrade. I'll do that. Thanks for a swift response :-)

@saulohhh

I have Octopus as a Service in version 2024.2.2075 and I still have this issue

@LarsPedersen

I upgraded to 2024.1.11966 and was able to enable Lets Encrypt again.

@IsaacCalligeros95
Author

@saulohhh Given 2024.2.****, I gather you are running on cloud, meaning that this is an issue with the Library steps and not the Server Let's Encrypt functionality. I've raised this one internally to get someone with a bit more experience with the steps to take a look, but at a glance, I think this will be resolved by updating the
`$required_posh_acme_version = 3.12.0` and
`Install-Module -Name Posh-ACME -MinimumVersion 3.12.0 -Scope CurrentUser -Force`
lines to latest (4.21.0).
As I said, I'm unfamiliar with the steps and will be waiting for some feedback (likely a day or two), but in the meantime, if you wanted to test the above change, that'd be appreciated.

@Clare-Octopus

Just an update to the community step templates discussions on this. We have investigated this avenue and we are able to deploy with most of them. (We were not able to test them all) The customer who reached out to us regarding an issue on Octopus Cloud thinks they have resolved the issue but are not able to test yet.

I just wanted to update this thread for anyone else seeing this, you should still be able to use our community step templates for Let's Encrypt but please do reach out to [email protected] if you are a paying customer or using a trial license and we would be happy to help investigate your issue individually.

@tocsoft

tocsoft commented Apr 12, 2024

https://octopus.com/docs/security/exposing-octopus/lets-encrypt-integration should be updated to make it clear the minimum versions it references are no longer valid, as you can no longer use the integrated Let's Encrypt feature on those versions because the integration is broken.

@lpodolak

Upgrading Octopus Deploy to latest version (2024.01) helped in my case!

@Octobob
Member

Octobob commented Oct 1, 2024

🎉 The fix for this issue has been released in:

| Release stream | Release |
| --- | --- |
| 2023.3 | 2023.3.13361 |
| 2023.4 | 2023.4.8332 |
| 2024.1 | 2024.1.11624 |
| 2024.2+ | all releases |
