[3.2.3] SSL Certificate binding bug

After upgrading to 3.2.3 i get the following error when deploying an IIS site with a SSL certificate. Dowgrading to 3.2.2 it works again - so a bug has been introduced in 3.2.2

Finding SSL certificate with thumbprint XXXX
09:46:28Info
Found certificate: CN=*.blah.com, OU=x, OU=x, OU=Domain Control Validated in: WebHosting
09:46:29Info
Adding a new SSL certificate binding…
09:46:29Info
The parameter is incorrect.
09:46:29Info
Attempt 1 of 5 failed: ScriptHalted
09:46:29Info
Waiting for 3 seconds before retrying…
09:46:32Info
Retrying…
09:46:32Info
Adding a new SSL certificate binding…
09:46:32Info
The parameter is incorrect.
09:46:32Info
Attempt 2 of 5 failed: ScriptHalted
09:46:32Info
Waiting for 3 seconds before retrying…
09:46:35Info
Retrying…
09:46:35Info
Adding a new SSL certificate binding…
09:46:35Info
The parameter is incorrect.
09:46:35Info
Attempt 3 of 5 failed: ScriptHalted
09:46:35Info
Waiting for 3 seconds before retrying…
09:46:38Info
Retrying…
09:46:38Info
Adding a new SSL certificate binding…
09:46:38Info
The parameter is incorrect.
09:46:38Info
Attempt 4 of 5 failed: ScriptHalted
09:46:38Info
Waiting for 3 seconds before retrying…
09:46:43Info
Retrying…
09:46:43Info
Adding a new SSL certificate binding…
09:46:43Info
The parameter is incorrect.
09:46:43Error
ScriptHalted
09:46:43Error
At E:\Octopus\Applications\Extern_Services_Production\X\2015.11
09:46:43Error
.33.0_4\Octopus.Features.IISWebSite_BeforePostDeploy.ps1:248 char:6
09:46:43Error

•                 throw
  

09:46:43Error

•                 ~~~~~
  

09:46:43Error
+ CategoryInfo : OperationStopped: ( [], RuntimeException
09:46:43Error
+ FullyQualifiedErrorId : ScriptHalted
09:46:43Error
09:46:43Error
Script ‘e:\Octopus\Applications\Extern_Services_Production\x\2015.11.33.0_4\Octopus.Features.IISWebSite_BeforePostDeploy.ps1’ returned non-zero exit code: 1
09:46:43Error
Running rollback conventions…
09:46:43Error
Script ‘e:\Octopus\Applications\Extern_Services_Production\x\2015.11.33.0_4\Octopus.Features.IISWebSite_BeforePostDeploy.ps1’ returned non-zero exit code: 1
09:46:43Error
The remote script failed with exit code 1

We’re getting the same issue. Here’s our log:

e | Creating ‘D:\Websites\projectname\Octopus.Features.IISWebSite_BeforePostDeploy.ps1’ from embedded resource
13:28:45 Verbose | Executing 'D:\Websites\projectname\Octopus.Features.IISWebSite_BeforePostDeploy.ps1’
13:28:47 Info | http/:80:projectname.spawtz.com//True/false|https/:443:projectname.spawtz.com/3a474e38839ee62f9241d55d370a46dd2f0ae906/True/True|http/:80:www.projectname.spawtz.com//True/false|https/:443:www.projectname.spawtz.com/3a474e38839ee62f9241d55d370a46dd2f0ae906/True/True
13:28:47 Info | Finding SSL certificate with thumbprint 3a474e38839ee62f9241d55d370a46dd2f0ae906
13:28:47 Info | Found certificate: CN=.spawtz.com, OU=Domain Control Validated - RapidSSL®, OU=See www.rapidssl.com/resources/cps ©15, OU=GT18373439 in: My
13:28:47 Info | Adding a new SSL certificate binding…
13:28:47 Info | The parameter is incorrect.
13:28:47 Info | Attempt 1 of 5 failed: ScriptHalted
13:28:47 Info | Waiting for 3 seconds before retrying…
13:28:50 Info | Retrying…
13:28:50 Info | Adding a new SSL certificate binding…
13:28:50 Info | The parameter is incorrect.
13:28:50 Info | Attempt 2 of 5 failed: ScriptHalted
13:28:50 Info | Waiting for 3 seconds before retrying…
13:28:53 Info | Retrying…
13:28:55 Info | Adding a new SSL certificate binding…
13:28:55 Info | The parameter is incorrect.
13:28:55 Info | Attempt 3 of 5 failed: ScriptHalted
13:28:55 Info | Waiting for 3 seconds before retrying…
13:28:57 Info | Retrying…
13:28:57 Info | Adding a new SSL certificate binding…
13:28:57 Info | The parameter is incorrect.
13:28:57 Info | Attempt 4 of 5 failed: ScriptHalted
13:28:57 Info | Waiting for 3 seconds before retrying…
13:29:00 Info | Retrying…
13:29:00 Info | Adding a new SSL certificate binding…
13:29:00 Info | The parameter is incorrect.
13:29:00 Error | ScriptHalted
13:29:00 Error | At
13:29:00 Error | D:\Websites\projectname\Octopus.Features.IISWebSite_BeforePostDeploy.ps1:248
13:29:00 Error | char:6
13:29:00 Error | + throw
13:29:00 Error | + ~~~~~
13:29:00 Error | + CategoryInfo : OperationStopped: ( [], RuntimeException
13:29:00 Error | + FullyQualifiedErrorId : ScriptHalted
13:29:00 Verbose | Deleting 'D:\Websites\projectname\Octopus.Features.IISWebSite_BeforePostDeploy.ps1’
13:29:00 Error | Script ‘D:\Websites\projectname\Octopus.Features.IISWebSite_BeforePostDeploy.ps1’ returned non-zero exit code: 1
13:29:00 Error | Running rollback conventions…
13:29:00 Verbose | Adding journal entry:
13:29:00 Verbose |
13:29:00 Error | Script ‘D:\Websites\projectname\Octopus.Features.IISWebSite_BeforePostDeploy.ps1’ returned non-zero exit code: 1
13:29:00 Error | The remote script failed with exit code 1

And here is the IIS binding section:

Bindings
×
Protocol: http
Port: 80
Host: #{DomainName}
Edit
×
Protocol: https
Port: 443
IP Address: *
Host: #{DomainName}
SSL certificate thumbprint: #{SSLThumbPrint}
Require Server Name Indication (SNI): true
Edit
×
Protocol: http
Port: 80
IP Address: *
Host: www.#{DomainName}
Edit
×
Protocol: https
Port: 443
IP Address: *
Host: www.#{DomainName}
SSL certificate thumbprint: #{SSLThumbPrint}
Require Server Name Indication (SNI): true
Edit

Same issue here. The problem seems to be the change isn’t backwards compatible with HTTPS bindings. Logs and config similar to above.

As a workaround, making a change to the binding, saving, reverting the change and saving again resolves the issue.

Same here. I can confirm that changing the binding, saving, changing back and saving again fixes it.

Thanks for bringing this issue to our attention guys. Looks like one of the code flows through the IIS setup wasn’t fully tested for backwards compatibility.
Our sincere apologies for the inconvenience and we are looking into a fix we we speak. In the meantime the workaround as suggested by Matt & Kaylee should do the trick.
Thanks for your patience,
Rob

Just a heads up that a fix for this has been included in the next 3.2.4 release to go out in the next few days.
Thanks again,
Rob

Thanks Rob. The workaround worked.

The workaround isn’t working for me. What kind of changes did you make to the binding settings? Did you just save the binding, or the whole process step, too?

Jake,
To change and save the binding you have to save the step itself. Perhaps there is a bit of a naming problem with the Save button on the bindings modal, you you then need to save the step itself.
Cheers,
Rob

That’s still not working. I even tried removing the ssl binding altogether. If I do that, I can get it to deploy. But when I add it back in and create another release I get the same error.

I got it to work. This time I edited the ssl binding, toggled the checkboxes for Require SNI and Enabled. Saved. Saved the process step. Then edited it again, toggled both checkboxes back. Then it worked.

In case it helps…
The deploy log during the failures included this at the top of the deploy IIS site step (thumbprint, site, and server name removed):
http/:80:sales.phidev.com//True/false|https/:443://True/False
Finding SSL certificate with thumbprint
Found certificate: CN=WMSvc- in: Root

When it started working, it looks like this:
[{“protocol”:“http”,“ipAddress”:"",“port”:“80”,“host”:".com",“thumbprint”:"",“requireSni”:false,“enabled”:true},{“protocol”:“https”,“ipAddress”:"",“port”:“443”,“host”:"",“thumbprint”:"",“requireSni”:false,“enabled”:true}]
Finding SSL certificate with thumbprint
Found certificate: CN=WMSvc- in: Root

Also, while I was having the problem, the Require SNI checkbox was huge! Then eventually it was normal sized and that’s when it finally worked.

I’m having the same problem with another project and I can’t get it to work - even following the steps that worked for the last one.

RequireSNI.PNG881×655 22.4 KB

We upgraded to 3.2.4 this morning and it fixed our issue.