Issue when removing an SSL cert

jacob.nelson

13 Apr, 2017 09:08 PM

When removing an HTTPS binding that is bound to all IPs ('*'/' '/'0.0.0.0'), it clears the cert from all other HTTPS bindings on the same port, leaving them with no cert, breaking HTTPS.

The issue occurs when this line from Calamari is executed: https://github.com/OctopusDeploy/Calamari/blob/d289c5d950022dd60cc9...

So this gets executed: netsh http delete sslcert ipport="0.0.0.0:443", and all of the bindings that used that cert get cleared and are left without a cert on the binding, breaking SSL.

Here is what it looks like in the logs:

14:00:12   Verbose  |       Acquired SemaphoreInstance Global\Octopus-IIS-Metabase
14:00:12   Info     |       Comparing existing IIS bindings with configured bindings...
14:00:12   Info     |       Found existing non-configured binding: http *:80:redacted1.domain.com
14:00:12   Info     |       Found existing non-configured binding: http *:80:redacted2.domain.com
14:00:12   Info     |       Found existing non-configured binding: http *:80:redacted3.domain.com
14:00:12   Info     |       Found existing non-configured binding: http *:80:redacted4.domain.com
14:00:12   Info     |       Found existing non-configured binding: https *:443:env-redacted1.domain.com
14:00:12   Info     |       Found existing non-configured binding: http *:80:env-redacted1.domain.com
14:00:12   Info     |       Existing IIS bindings do not match configured bindings.
14:00:12   Info     |       Clearing IIS bindings
14:00:12   Info     |       Assigning binding: http *:80:redacted.domain.com
14:00:12   Info     |       Assigning binding: https *:443:redacted.domain.com
14:00:12   Info     |       Removing unused SSL certificate binding: 0.0.0.0:443
14:00:12   Info     |       SSL Certificate successfully deleted
14:00:12   Info     |       0
14:00:12   Verbose  |       Acquired SemaphoreInstance Global\Octopus-IIS-Metabase
14:00:12   Info     |       Anonymous authentication enabled: True
14:00:12   Info     |       Applied configuration changes to section "system.webServer/security/authentication/anonymousAuthentication" for "MACHINE/WEBROOT/APPHOST/REDACTED" at configuration commit path "MACHINE/WEBROOT/APPHOST"
14:00:12   Info     |       0

Since *:443:env-redacted1.domain.com is *:443, when it tries to remove that binding, it clears all of the bindings, since several other bindings are also on *:443.

I think this issue only started when I started using Octopus Deploy's new built-in certificate store to apply my certs to the bindings.
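
One way to guard the sslcert deletion described in the post above, as an added example that is not part of the original thread and not Calamari's code: before deleting an ip:port certificate entry, check whether any HTTPS binding that remains on the server still maps to it. The helper names and sample bindings are assumptions made for illustration, and non-SNI bindings are assumed.

```powershell
# Added example: helper names are hypothetical, not Calamari's own code.
# Assumes non-SNI HTTPS bindings, which HTTP.sys keys by ip:port.

function Get-SslCertIpPort {
    param([Parameter(Mandatory)][string]$BindingInformation)
    # IIS bindingInformation is "IP:port:host"; port and host never contain ':',
    # so the greedy IP group keeps bracketed IPv6 addresses intact.
    if ($BindingInformation -notmatch '^(?<ip>.*):(?<port>\d+):(?<host>[^:]*)$') {
        throw "Unrecognised binding: $BindingInformation"
    }
    $port = $Matches['port']
    $ip   = $Matches['ip'].Trim()
    # '*' and an empty address both mean "all IPs", stored as 0.0.0.0
    if ($ip -eq '*' -or $ip -eq '') { $ip = '0.0.0.0' }
    '{0}:{1}' -f $ip, $port
}

function Test-SslCertStillInUse {
    param(
        [Parameter(Mandatory)][string]$IpPort,
        [string[]]$HttpsBindings = @()
    )
    foreach ($binding in $HttpsBindings) {
        if ((Get-SslCertIpPort -BindingInformation $binding) -eq $IpPort) { return $true }
    }
    return $false
}

# Constructed sample: HTTPS bindings left on the server (all sites) after a
# deployment like the one in the log replaced one *:443 binding with another.
# On a live server (WebAdministration module) this list could come from:
#   Get-WebBinding -Protocol https | ForEach-Object { $_.bindingInformation }
$remaining = @(
    '*:443:redacted.domain.com',
    '*:443:other-site.example.com',
    '10.0.0.5:8443:admin.example.com'
)

foreach ($candidate in '0.0.0.0:443', '0.0.0.0:9443') {
    if (Test-SslCertStillInUse -IpPort $candidate -HttpsBindings $remaining) {
        Write-Output "KEEP   $candidate (still referenced by an HTTPS binding)"
    } else {
        Write-Output "DELETE $candidate (netsh http delete sslcert ipport=$candidate)"
    }
}
```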

  1. 1 Posted by Brent Farmer on 14 Apr, 2017 06:00 PM

    I am facing a similar issue with version 3.12.4 and earlier. I am not using the new Octopus built-in certificate store. We have a wildcard cert that is bound to ('*'/' '/'0.0.0.0') port 443 for multiple websites. When changing an existing website IP Address binding from ('*'/' '/'0.0.0.0') in the "Deploy IIS Website" step, the "Removing unused SSL certificate binding" action is removing the cert binding from all websites, taking those sites down.

  2. Support Staff 2 Posted by Henrik Andersso... on 18 Apr, 2017 06:20 AM

    Hi,

    Thanks for getting in touch, and I'm sorry you have run into this bug.

    I've raised this GitHub issue to have it investigated as soon as possible.

    Again, my apologies for the inconvenience caused by this bug.

    Thank you and best regards,
    Henrik

  3. 3 Posted by jacob.nelson on 19 Apr, 2017 09:49 PM

    Thanks for the response. I went ahead and created a Pull Request that would fix this issue.

    https://github.com/OctopusDeploy/Calamari/pull/184

  4. Support Staff 4 Posted by Henrik Andersso... on 20 Apr, 2017 06:29 AM

    Hi Jacob,

    Thank you for taking the time to send through that PR. Like I mentioned on GitHub, we're working on a solution for your situation and the other scenarios customers had issues with. This fix is currently in review and should be ready to merge in the next day or so.

    Thank you,
    Henrik

  5. 5 Posted by jacob.nelson on 12 May, 2017 05:37 PM

    Hey!

    Just noticing that the pull request to fix this bug (http://help.octopusdeploy.com/discussions/problems/53569-issue-when-removing-an-ssl-cert) has been open for 22 days. Is there a plan to merge this in for a release? This is still causing some large issues in our production environment.

    Thanks for your time! Sorry for pestering!

  6. Support Staff 6 Posted by Henrik Andersso... on 14 May, 2017 11:27 PM

    Hi Jacob,

    Yes, there is a plan to merge it! We've just been redirected to some bigger pieces of work that have taken priority. I'll make sure we get it reviewed early this week so it can be released in the next week or so.

    Sorry for the inconvenience caused by this issue!

    Thank you and kind regards,
    Henrik

  7. Support Staff 7 Posted by Henrik Andersso... on 16 May, 2017 11:25 PM

    Hi Jacob,

    Just wanted to let you know that we've just released 3.13.4, which includes the fix for this issue.

    Thank you and best regards,
    Henrik

  8. 8 Posted by jacob.nelson on 17 May, 2017 09:39 PM

    Just installed and tested the update! Thanks for the fix, really appreciate the support you guys provided!

  9. Support Staff 9 Posted by Henrik Andersso... on 17 May, 2017 10:28 PM

    Hi Jacob,

    Great to hear the fix worked out!

    Thank you and warm regards,
    Henrik

  10. Paul Stovell closed this discussion on 23 Aug, 2017 04:32 PM.
