Issue when removing an SSL cert

jacob.nelson

13 Apr, 2017 09:08 PM

When removing an HTTPS binding that is bound to all IPs ('*'/' '/'0.0.0.0'), it clears the cert from all other HTTPS bindings on the same port, leaving them with no cert, breaking HTTPS.

The issue occurs when this line from Calamari is executed: https://github.com/OctopusDeploy/Calamari/blob/d289c5d950022dd60cc9...

So this gets executed: netsh http delete sslcert ipport="0.0.0.0:443" and all of the bindings that used that cert get cleared and are left without a cert on the binding, breaking SSL.

Here is what it looks like in the logs:

14:00:12   Verbose  |       Acquired SemaphoreInstance Global\Octopus-IIS-Metabase
14:00:12   Info     |       Comparing existing IIS bindings with configured bindings...
14:00:12   Info     |       Found existing non-configured binding: http *:80:redacted1.domain.com
14:00:12   Info     |       Found existing non-configured binding: http *:80:redacted2.domain.com
14:00:12   Info     |       Found existing non-configured binding: http *:80:redacted3.domain.com
14:00:12   Info     |       Found existing non-configured binding: http *:80:redacted4.domain.com
14:00:12   Info     |       Found existing non-configured binding: https *:443:env-redacted1.domain.com
14:00:12   Info     |       Found existing non-configured binding: http *:80:env-redacted1.domain.com
14:00:12   Info     |       Existing IIS bindings do not match configured bindings.
14:00:12   Info     |       Clearing IIS bindings
14:00:12   Info     |       Assigning binding: http *:80:redacted.domain.com
14:00:12   Info     |       Assigning binding: https *:443:redacted.domain.com
14:00:12   Info     |       Removing unused SSL certificate binding: 0.0.0.0:443
14:00:12   Info     |       SSL Certificate successfully deleted
14:00:12   Info     |       0
14:00:12   Verbose  |       Acquired SemaphoreInstance Global\Octopus-IIS-Metabase
14:00:12   Info     |       Anonymous authentication enabled: True
14:00:12   Info     |       Applied configuration changes to section "system.webServer/security/authentication/anonymousAuthentication" for "MACHINE/WEBROOT/APPHOST/REDACTED" at configuration commit path "MACHINE/WEBROOT/APPHOST"
14:00:12   Info     |       0

Since *:443:env-redacted1.domain.com is *:443, when it tries to remove that binding, it clears all of the bindings, since several other bindings are also on *:443.

I think this issue only started when I started using Octopus Deploy's new built-in certificate store to apply my certs to the bindings.
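
One way to guard against the behaviour described above, as an added PowerShell example (not Calamari's code and not part of the original post): before deleting an HTTP.sys certificate binding, check whether any other HTTPS binding on any site resolves to the same key. The function names, the object shape (Site, Protocol, BindingInformation, SslFlags) and the sample sites are assumptions; the SNI case goes beyond what the post covers.

```powershell
# Added example (not Calamari code). Binding objects are constructed sample data.
function Get-SslCertKey {
    param([string]$BindingInformation, [int]$SslFlags = 0)
    # IIS bindingInformation is "ip:port:hostname"; IPv6 addresses are bracketed.
    if ($BindingInformation -notmatch '^(?<ip>\[.*\]|[^:]*):(?<port>\d+):(?<host>.*)$') {
        throw "Unrecognised binding information: $BindingInformation"
    }
    $ip, $port, $hostName = $Matches['ip'].Trim(), $Matches['port'], $Matches['host']
    # SNI bindings (SslFlags bit 1) store their cert per host name, not per ip:port.
    if (($SslFlags -band 1) -and $hostName) { return "hostnameport=${hostName}:$port" }
    # '*', ' ' and '' all mean "all IPs", which HTTP.sys records as 0.0.0.0.
    if ($ip -in '', '*') { $ip = '0.0.0.0' }
    return "ipport=${ip}:$port"
}

function Test-SslCertKeyStillUsed {
    param([object[]]$AllBindings, [object]$Removed)
    $key = Get-SslCertKey $Removed.BindingInformation $Removed.SslFlags
    # Every other HTTPS binding, on any site, that resolves to the same key.
    $others = @($AllBindings | Where-Object {
        $_.Protocol -eq 'https' -and
        -not ($_.Site -eq $Removed.Site -and
              $_.BindingInformation -eq $Removed.BindingInformation) -and
        (Get-SslCertKey $_.BindingInformation $_.SslFlags) -eq $key
    })
    $usedBy = @($others | ForEach-Object { $_.Site })
    [pscustomobject]@{ Key = $key; SafeToDelete = ($others.Count -eq 0); UsedBy = $usedBy }
}

# Constructed sample: two hypothetical sites sharing a wildcard cert on *:443.
function New-SampleBinding($Site, $Protocol, $Info) {
    [pscustomobject]@{ Site = $Site; Protocol = $Protocol; BindingInformation = $Info; SslFlags = 0 }
}
$bindings = @(
    (New-SampleBinding 'SiteA' 'https' '*:443:env-redacted1.domain.com')  # binding being removed
    (New-SampleBinding 'SiteA' 'http'  '*:80:env-redacted1.domain.com')
    (New-SampleBinding 'SiteB' 'https' '*:443:other.domain.com')
)
$check = Test-SslCertKeyStillUsed -AllBindings $bindings -Removed $bindings[0]
if ($check.SafeToDelete) {
    Write-Output "Nothing else uses it: netsh http delete sslcert $($check.Key)"
} else {
    Write-Output "Keep $($check.Key); still used by: $($check.UsedBy -join ', ')"
}
```

The script only prints its decision and never calls netsh itself.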

  1. 1 Posted by Brent Farmer on 14 Apr, 2017 06:00 PM

    I am facing a similar issue with version 3.12.4 and earlier. I am not using the new Octopus built-in certificate store. We have a wildcard cert that is bound to ('*'/' '/'0.0.0.0') port 443 for multiple websites. When changing an existing website IP Address binding from ('*'/' '/'0.0.0.0') in the "Deploy IIS Website" step, the "Removing unused SSL certificate binding" action is removing the cert binding from all websites, taking those sites down.

  2. Support Staff 2 Posted by Henrik Andersso... on 18 Apr, 2017 06:20 AM

    Hi,

    Thanks for getting in touch, and I'm sorry you have run into this bug.

    I've raised this GitHub issue to have it investigated as soon as possible.

    Again, my apologies for the inconvenience caused by this bug.

    Thank you and best regards,
    Henrik

  3. 3 Posted by jacob.nelson on 19 Apr, 2017 09:49 PM

    Thanks for the response. I went ahead and created a Pull Request that would fix this issue.

    https://github.com/OctopusDeploy/Calamari/pull/184

  4. Support Staff 4 Posted by Henrik Andersso... on 20 Apr, 2017 06:29 AM

    Hi Jacob,

    Thank you for taking the time to send through that PR. Like I mentioned on GitHub, we're working on a solution for your situation and the other scenarios customers had issues with. This fix is currently in review and should be ready to merge in the next day or so.

    Thank you,
    Henrik
