Could not set security on private-key

execution

(Jeffrey Wels) #1

When deploying a package to an environment, we stumble upon the following message, which I can’t seem to resolve:

System.Exception: Could not set security on private-key ---> System.Security.Principal.IdentityNotMappedException: Some or all identity references could not be translated.

I tried deploying the package (as a website) using another SSL certificate (being a variable), but that didn’t change anything.

Other projects that are exactly the same do deploy without any problem.

We are running v2018.3.3

Any idea why this is happening all of a sudden?

Thanks in advance,
Jeffrey


(Daniel Fischer) #3

Hi Jeffrey,

Thanks for getting in touch! I’ll need to get some further information from you to better understand what could be going wrong here.

Would you be able to attach a full deployment log where you are seeing this issue?

Looking forward to hearing from you. :slight_smile:

Best regards,
Daniel


(Jeffrey Wels) #4

Hi Daniel, attached the task log. ServerTasks-41370.log.txt (36.1 KB)

I have masked a couple of things just for security, but that shouldn’t pose a problem, right?

I discovered that I can do a successful deployment once I throw away the 443 binding in the first deploy step, so my first thinking was that the certificate might be wrong. So I just attached a different certificate to the deployment (which works on another deployment), but that gave me the same problem.

Thanks in advance.


(Jeffrey Wels) #5

Hi Daniel,

I found the problem, which was a stupid thing on my side, though the error that Octopus gave me didn’t quite give it away.

I am getting an error which might suggest that there is a problem with my certificate, although the problem was with having a wrong username for the application pool, which caused the application to not fully deploy. Since the username was wrong, it couldn’t start the web application.
But why does it tell me something about a wrong (or possible error with the) certificate then?

Thanks,
Jeffrey


(Daniel Fischer) #6

Hi Jeffrey,

Thanks for the update and attaching the log file. I can see there are some hints in the error that it is related to authentication, though not very explicit.

Here is the first block of error in your deployment log.

09:15:22   Verbose  |       Executing feature-class 'Calamari.Deployment.Features.IisWebSiteAfterPostDeployFeature'
09:15:22   Error    |       System.Exception: Could not set security on private-key ---> System.Security.Principal.IdentityNotMappedException: Some or all identity references could not be translated.
09:15:22   Error    |       at System.Security.Principal.NTAccount.Translate(IdentityReferenceCollection sourceAccounts, Type targetType, Boolean forceSuccess)
09:15:22   Error    |       at System.Security.Principal.NTAccount.Translate(Type targetType)
09:15:22   Error    |       at System.Security.AccessControl.CommonObjectSecurity.ModifyAccess(AccessControlModification modification, AccessRule rule, Boolean& modified)
09:15:22   Error    |       at System.Security.AccessControl.CommonObjectSecurity.AddAccessRule(AccessRule rule)
09:15:22   Error    |       at Calamari.Integration.Certificates.WindowsX509CertificateStore.SetCspPrivateKeySecurity(SafeCertContextHandle certificate, ICollection`1 accessRules)
09:15:22   Error    |       at Calamari.Integration.Certificates.WindowsX509CertificateStore.AddPrivateKeyAccessRules(ICollection`1 accessRules, SafeCertContextHandle certificate)
09:15:22   Error    |       --- End of inner exception stack trace ---
09:15:22   Error    |       at Calamari.Integration.Certificates.WindowsX509CertificateStore.AddPrivateKeyAccessRules(ICollection`1 accessRules, SafeCertContextHandle certificate)
09:15:22   Error    |       at Calamari.Integration.Certificates.WindowsX509CertificateStore.AddPrivateKeyAccessRules(String thumbprint, StoreLocation storeLocation, String storeName, ICollection`1 privateKeyAccessRules)
09:15:22   Error    |       at Calamari.Deployment.Features.IisWebSiteAfterPostDeployFeature.EnsureApplicationPoolHasCertificatePrivateKeyAccess(VariableDictionary variables)
09:15:22   Error    |       at Calamari.Deployment.Features.IisWebSiteAfterPostDeployFeature.Execute(RunningDeployment deployment)
09:15:22   Error    |       at Calamari.Deployment.Conventions.FeatureConventionBase.ExecuteFeatureClasses(RunningDeployment deployment, String feature)
09:15:22   Error    |       at Calamari.Deployment.Conventions.FeatureConventionBase.Run(RunningDeployment deployment)
09:15:22   Error    |       at Calamari.Deployment.ConventionProcessor.RunInstallConventions()
09:15:22   Error    |       at Calamari.Deployment.ConventionProcessor.RunConventions()

I noticed the following line:

09:15:22   Error    |       at Calamari.Deployment.Features.IisWebSiteAfterPostDeployFeature.EnsureApplicationPoolHasCertificatePrivateKeyAccess(VariableDictionary variables)

It looks like Calamari does a check to confirm that the Application pool has Certificate Private Key Access. I agree that the actual cause of the issue is a little obscure from the information provided. I’m going to run this past the developers and see if it is possible to improve the logging here.

Let me know if you have any thoughts or questions here. :slight_smile:

Best regards,
Daniel
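
Added example, not part of the thread and not Calamari's code: a pre-flight check that an application pool account name translates to a SID, followed by the same `AddAccessRule` call path from the stack trace run against an in-memory ACL so nothing on disk changes. The function names are hypothetical and the failing account name is constructed.

```powershell
# Resolve an account name to a SID the same way the ACL code does
# (NTAccount.Translate). Returns a result object instead of throwing.
function Resolve-AccountSid {
    param([Parameter(Mandatory)][string]$AccountName)
    try {
        $nt  = New-Object System.Security.Principal.NTAccount($AccountName)
        $sid = $nt.Translate([System.Security.Principal.SecurityIdentifier])
        [pscustomobject]@{ Account = $AccountName; Resolved = $true; Sid = $sid.Value }
    }
    catch {
        # PowerShell wraps .NET exceptions; inspect the innermost one.
        $inner = $_.Exception.GetBaseException()
        if ($inner -isnot [System.Security.Principal.IdentityNotMappedException]) { throw }
        [pscustomobject]@{ Account = $AccountName; Resolved = $false; Sid = $null }
    }
}

# Add an access rule for the account to an in-memory FileSecurity object.
# FileSecurity derives from CommonObjectSecurity, so AddAccessRule runs the
# same identity translation shown in the stack trace. No file is touched.
function Test-AccessRuleForAccount {
    param([Parameter(Mandatory)][string]$AccountName)
    $acl = New-Object System.Security.AccessControl.FileSecurity
    try {
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            $AccountName, 'Read', 'Allow')
        $acl.AddAccessRule($rule)
        return $true
    }
    catch {
        $inner = $_.Exception.GetBaseException()
        if ($inner -isnot [System.Security.Principal.IdentityNotMappedException]) { throw }
        return $false
    }
}

# Sample input: the current user (resolves) and a constructed account name
# standing in for a mistyped application pool username (does not resolve).
$accounts = @(
    "$env:USERDOMAIN\$env:USERNAME",
    "$env:COMPUTERNAME\no-such-apppool-user"   # constructed, assumed absent
)

foreach ($name in $accounts) {
    $r = Resolve-AccountSid -AccountName $name
    $r | Add-Member -NotePropertyName CanAddAccessRule `
                    -NotePropertyValue (Test-AccessRuleForAccount -AccountName $name)
    $r
}
```

Running the check against the configured application pool username before a deployment reports the unresolved identity by name, where the deployment log only reports the private-key step.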