Could not find certificate with thumbprint in store

broth · 4 November 2018 09:24

I am deploying an IIS website that has two HTTPS site bindings that use different SSL certificates.

I am running into the following exception:

Executing feature-class 'Calamari.Deployment.Features.IisWebSiteAfterPostDeployFeature'
System.Exception: Could not find certificate with thumbprint '<redacted>' in store Cert:\LocalMachine\Root
at Calamari.Integration.Certificates.WindowsX509CertificateStore.AddPrivateKeyAccessRules(String thumbprint, StoreLocation storeLocation, String storeName, ICollection`1 privateKeyAccessRules)
at Calamari.Deployment.Features.IisWebSiteAfterPostDeployFeature.EnsureApplicationPoolHasCertificatePrivateKeyAccess(VariableDictionary variables)
at Calamari.Deployment.Features.IisWebSiteAfterPostDeployFeature.Execute(RunningDeployment deployment)
at Calamari.Deployment.Conventions.FeatureConventionBase.ExecuteFeatureClasses(RunningDeployment deployment, String feature)
at Calamari.Deployment.Conventions.FeatureConventionBase.Run(RunningDeployment deployment)
at Calamari.Deployment.ConventionProcessor.RunInstallConventions()
at Calamari.Deployment.ConventionProcessor.RunConventions()

You can see that both certificates are found, but in two different locations:

First store name
Second store name

I dug into the code a bit and in iisWebSiteBeforeDeployFeature.cs the site bindings are iterated over:

But notice that the SpecialVariables.Action.IisWebSite.Output.CertificateStoreName is set to the last certificate store name we found in all site bindings.

In iisWebSiteAfterPostDeployFeature.cs we reference SpecialVariables.Action.IisWebSite.Output.CertificateStoreName for each binding that we are checking and it is possible that this store name might not always be the same (as shown in my example):

Which ultimately results in the following exception:

Digging further, when you choose an SSL cert for an IIS site binding, certs are presented from either the Personal or Web Hosting store. With this, shouldn’t these scripts above be looking in the Personal or Web Hosting store only and not the Root store?

https://docs.microsoft.com/en-us/iis/get-started/whats-new-in-iis-8/iis-80-server-name-indication-sni-ssl-scalability#create-a-secure-web-site

broth · 5 November 2018 15:56

As a workaround, I ended up installing the certs in both root and web hosting to ensure that this step wouldn’t fail during deployments. But I still feel like this might be a bug as shouldn’t these scripts be looking in the Personal or Web Hosting store only and not Root for SSL certs for IIS bindings?

Robert_Wagner · 6 November 2018 09:38

Hi,

Thanks for getting in touch. I will work with our resident certificate expert and figure out whether this is the right behavior.

Rob

broth · 15 November 2018 06:53

Any updates on this?

Robert_Wagner · 16 November 2018 06:44

Hi Bryan,

Sorry about the delay. I’ve open an issue for the multiple-store bug.

As for the location, we want to cast the net as wide as possible even if the IIS UI doesn’t.

Regards,

Rob

system · 16 December 2018 06:56

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.