Calamari doesn't remove WinHTTP SSL bindings when it deletes bindings from IIS website

Hi,

First off, I’m not sure if this is a bug or a feature request - let me know if I should post it somewhere else instead.

In short, when Calamari removes an SSL binding from an IIS website, the binding is left defined in WinHTTP and is still visible in “netsh http show sslcert”. This leaves an “orphaned” binding in WinHTTP which can interfere with and / or override the IIS bindings defined in the Octopus Package.

In my scenario, I was migrating the deployment process to Octopus Deploy for an existing REST API that had the following manually created bindings in IIS / applicationHost.config:

and the following bindings in WinHTTP:

C:\Windows\system32>netsh http show sslcert

SSL Certificate bindings:

IP:port                 : 0.0.0.0:443
Certificate Hash        : AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Application ID          : {4dc3e181-e14b-4a21-b022-59fc669b0914}
.... snip ....
Certificate Store Name  : My
Negotiate Client Certificate    : Disabled

IP:port                 : 192.168.100.50:443
Certificate Hash        : AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Application ID          : {4dc3e181-e14b-4a21-b022-59fc669b0914}
.... snip ....
Certificate Store Name  : MY
Negotiate Client Certificate    : Enabled

My Octopus Deployment Project has the following bindings in a “Deploy Package” step (with a new certificate thumbprint as the existing certificate was due to expire, and scrapping the binding for the specific IP address):

Protocol: https
Port: 443
SSL certificate thumbprint: BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB

After deployment, IIS showed the following bindings:

but WinHTTP showed this:

C:\Windows\system32>netsh http show sslcert

SSL Certificate bindings:

IP:port                 : 0.0.0.0:443
Certificate Hash        : BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB
Application ID          : {ddcd4598-2c37-431e-be25-11136d4294fc}
.... snip ....
Certificate Store Name  : My
Negotiate Client Certificate    : Disabled

IP:port                 : 192.168.100.50:443
Certificate Hash        : AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Application ID          : {4dc3e181-e14b-4a21-b022-59fc669b0914}
.... snip ....
Certificate Store Name  : MY
Negotiate Client Certificate    : Enabled

The package correctly modified the IIS bindings in applicationHost.config with the new thumbprint and removed the specific IP address, but left the old specific IP address in WinHTTP. This meant that when I sent requests to the REST API it was still using the old SSL cert when I hit it using the IP address, but the new certificate when I hit it on the box using localhost (127.0.0.1).

Ideally, Calamari should match the IIS Management Console’s behaviour and remove bindings from WinHTTP when it removes them from applicationHost.config. This would probably need a change somewhere in “https://github.com/OctopusDeploy/Calamari/blob/master/source/Calamari/Scripts/Octopus.Features.IISWebSite_BeforePostDeploy.ps1” but I’ve not really been able to get my head around all the nested "if { }"s around the binding logic just yet.

Cheers,

Mike
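One way to catch the orphaned WinHTTP entry described above after a deploy is to compare the IIS https bindings against the output of "netsh http show sslcert" and flag (or remove) any IP:port entry that no site still uses. This is an added example, not code from the original post or from Calamari; it assumes the WebAdministration module is available and that the script runs elevated, and it only compares IPv4 IP:port bindings (SNI bindings show up in netsh as Hostname:port and are skipped).

```powershell
# Added example (not Calamari code): report WinHTTP SSL bindings that no IIS
# https binding references any more, e.g. the leftover 192.168.100.50:443 entry.
# Requires the WebAdministration module and an elevated session for -Remove.
param([switch]$Remove)   # -Remove deletes the orphans instead of only listing them

Import-Module WebAdministration

# Parse "netsh http show sslcert" into one record per binding.
function Get-WinHttpSslBinding {
    $records = @(); $current = $null
    foreach ($line in (netsh http show sslcert)) {
        if ($line -match '^\s*IP:port\s*:\s*(\S+)') {
            $current = [pscustomobject]@{ IpPort = $matches[1]; Hash = ''; AppId = '' }
            $records += $current
        } elseif ($current -and $line -match '^\s*Certificate Hash\s*:\s*(\S+)') {
            $current.Hash = $matches[1].ToUpper()
        } elseif ($current -and $line -match '^\s*Application ID\s*:\s*(\S+)') {
            $current.AppId = $matches[1]
        }
    }
    $records
}

# Translate IIS https bindings ("*:443:" or "192.168.100.50:443:") into the
# IP:port form netsh uses; IIS shows "*" where WinHTTP shows 0.0.0.0.
function Get-IisHttpsIpPort {
    foreach ($b in (Get-WebBinding -Protocol https)) {
        $ip, $port, $hostHeader = $b.bindingInformation -split ':', 3
        if ($ip -eq '*') { $ip = '0.0.0.0' }
        "${ip}:${port}"
    }
}

$expected = @(Get-IisHttpsIpPort)
foreach ($b in Get-WinHttpSslBinding) {
    # Only IPv4 IP:port entries are compared; IPv6 and SNI (Hostname:port) entries are skipped.
    if ($b.IpPort -notmatch '^\d+\.\d+\.\d+\.\d+:\d+$') { continue }
    if ($expected -contains $b.IpPort) { continue }
    Write-Warning "Orphaned WinHTTP binding $($b.IpPort) (hash $($b.Hash), appid $($b.AppId))"
    if ($Remove) { netsh http delete sslcert "ipport=$($b.IpPort)" }
}
```

Run without -Remove first to confirm the listed entries really are stale, since a binding owned by another HTTP.sys application (different Application ID) would also be reported.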

Hi Mike,

Thanks for getting in touch. I agree we should be cleaning this up properly. I’ve created an issue in our tracker here https://github.com/OctopusDeploy/Issues/issues/3125 to get this fixed.

Regards,
Mark