Bug: Template "IIS Website - Delete" removes default SSL certificate if SNI is not used

Hi Support,

Today we encountered a bug on the template “IIS Website - Delete” (version 8).
We have many sites running SSL on a wildcard certificate which are not configured using SNI (Server Name Indication in IIS). IIS will create the SSL certificate binding on IP 0.0.0.0 and assign all the website names to it.

When removing any site the template step removes the default binding because the website name is listed and makes all other sites lose their certificate reference.

I’ve tracked it down to this piece of code:

    Execute-WithRetry {
        Write-Output "Removing SSL Bindings..."
        Get-Item 'IIS:\SslBindings\' | Get-ChildItem | select $_.Sites | Where-Object { $_.Sites -contains $webSiteName } | Remove-Item
        Write-Output "Removing Web Bindings..."
        Get-WebBinding -Name $webSiteName | Remove-WebBinding
        Write-Output "Removing web site..."
        Remove-WebSite $webSiteName
    }

There is no check if the website name is the only one on the binding!
If there are others it should not remove it, or leave the default binding intact as a whole.

As a suggestion, my adjustment will skip the default binding as a whole, but checking if the deleted website is the last on the site-collection and only then delete the binding could also work:

    Execute-WithRetry {
        $binds = @(Get-Item 'IIS:\SslBindings\' | Get-ChildItem | select $_.Sites | Where-Object { ($_.Sites -contains $webSiteName) -and ($_.Hostname -ne $null)})
        if ($binds.Count -gt 0) {
            Write-Output "Removing SSL Bindings..."
            $binds | Remove-Item
        }
        Write-Output "Removing Web Bindings..."
        Get-WebBinding -Name $webSiteName | Remove-WebBinding
        Write-Output "Removing web site..."
        Remove-WebSite $webSiteName
    }

Can you check this step template and publish a new version?
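
The alternative mentioned in the post above (remove a binding only when the deleted site is the last one attached to it), as an added example that is not part of the original post or of the Octopus step template. `Select-RemovableSslBinding` is a hypothetical helper, the sample objects are constructed, and it assumes each binding exposes a `Sites` collection as the template's own filter implies.

```powershell
# Added example, not the Octopus step template's code.
# Assumption: each SSL binding item exposes a .Sites collection of site names,
# as the template's own filter on $_.Sites implies.
function Select-RemovableSslBinding {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true)] [AllowEmptyCollection()] [object[]] $Binding,
        [Parameter(Mandatory = $true)] [string] $WebSiteName
    )
    foreach ($b in $Binding) {
        $sites = @($b.Sites)
        # Binding does not reference the site being deleted: leave it alone.
        if ($sites -notcontains $WebSiteName) { continue }
        # Any other site still attached means the certificate binding is shared.
        $others = @($sites | Where-Object { $_ -ne $WebSiteName })
        if ($others.Count -gt 0) {
            Write-Verbose "Keeping shared binding; still used by: $($others -join ', ')"
            continue
        }
        $b   # the site being deleted is the only user, so removal is safe
    }
}

# Constructed sample data standing in for the IIS:\SslBindings items.
# Label is a made-up field used only for display.
$sample = @(
    [pscustomobject]@{ Label = 'wildcard, no SNI'; Sites = @('shop', 'blog', 'intranet') }
    [pscustomobject]@{ Label = 'SNI, blog only';   Sites = @('blog') }
    [pscustomobject]@{ Label = 'SNI, shop only';   Sites = @('shop') }
    [pscustomobject]@{ Label = 'orphaned';         Sites = @() }
)

$toRemove = @(Select-RemovableSslBinding -Binding $sample -WebSiteName 'blog' -Verbose)
$toRemove | ForEach-Object { "Would remove: $($_.Label)" }

# On a server, inside the template's Execute-WithRetry block, the same filter
# would feed Remove-Item (only cmdlets already used by the template):
#   $all = @(Get-Item 'IIS:\SslBindings\' | Get-ChildItem)
#   Select-RemovableSslBinding -Binding $all -WebSiteName $webSiteName | Remove-Item
```

With the sample data, only the binding whose sole site is `blog` is selected; the shared wildcard binding is kept and reported through the verbose stream.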

Hey @friss,

Thanks for reaching out.

You can actually edit this locally and create a local copy to use.

To do that, go to Library->Step Templates and then click into the IIS Website - Delete template. You should see Save as Copy in the upper right. Once you’ve saved a copy you can edit the script to implement your changes. You will need to delete the old step and create a new one in its place with your local copy you’ve edited.

Once you’ve done that and tested it, if you think it would benefit other users you can actually potentially contribute to our library by following the steps here: Library/CONTRIBUTING.md at master · OctopusDeploy/Library · GitHub

Please let me know if that gets you unstuck or if you have any questions.

Best,
Jeremy

Hi Jeremy,

Already did the above and fixed some projects that used your step; but still the template is buggy in this scenario and all users can have this problem using this step.

I expected Octopus - as owner of these default steps - to fix it, but I will see what I can do to get the fix into the library.

Hi @friss,

Thanks for doing that. I want to apologize, as I had bad information on that yesterday. I had a discussion internally today and one of our teams has said that while users CAN contribute if they’d like to, the idea would be if you find a bug in a community step template and let us know about it we can track down the original author or one of our internal teams will triage it themselves.

Once again, I’m sorry I gave you bad information but I’ve notified the rest of my team of this so it won’t happen in the future.

Please let me know if you have any other questions or concerns.

Best,
Jeremy

Hi Jeremy,
The fix is currently under review on GitHub.
Danny
