IISWebSite_BeforePostDeploy.ps1 won't update cert on https binding

I’m on version 2.6.4.951.

When I have a site with an existing https binding with a different cert than the one specified in Octopus, Octopus fails to update the binding with the new cert at deploy time. The same holds if the site has an https binding with no cert.

I poked around in IISWebSite_BeforePostDeploy.ps1, and I think this line: if ($hasThumb.length -eq $null) should be if ($hasThumb -eq $null) {

Under the current code, when $hasThumb is $null, $hasThumb.length is zero, rather than $null. So even when the cert needs to change, the code enters the else block.

I opened issue 1581 on your GitHub site for the same issue.

Hi Maxwell

Thanks for the heads up, looks like an interesting case!
We’ll investigate and get it fixed.
Quick question for you, what’s your rationale behind an https binding with no cert? We’ve made an assumption there that’s obviously not true for you so some extra info would be great.

Thanks!

Damian

Hi Damian,

I don’t intend to have an https binding w/ no cert. Re-reading my post, I did not do a great job describing the problem.

Here’s the scenario:
So I’ve got a site with an https binding. The cert associated with that binding will be expiring shortly, so I obtain a new cert, and import the new cert thumbprint in the appropriate project’s IIS settings in Octopus. When I create a release and deploy, Octopus does not update the binding to use the new cert whose thumbprint is in the Octopus settings.

After reviewing IISWebSite_BeforePostDeploy.ps1, I think the issue is that $hasThumb.length cannot be null. When $hasThumb is null, $hasThumb.length is equal to zero, rather than null. When I manually change IISWebSite_BeforePostDeploy.ps1 so that the relevant if statement is if ($hasThumb -eq $null), everything works the way I’d expect.
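
Added example, not part of the thread and not the Octopus script: a PowerShell 3.0+ sketch that puts the check quoted above beside the proposed one for a rotated cert, a binding with no cert, and an up-to-date binding. The function names, the binding objects and the thumbprints are constructed for illustration, and it assumes $hasThumb holds the existing binding that already carries the desired thumbprint, or $null when none does.

```powershell
# Constructed placeholder thumbprints; these are not real certificates.
$oldThumb = 'AAAA1111AAAA1111AAAA1111AAAA1111AAAA1111'
$newThumb = 'BBBB2222BBBB2222BBBB2222BBBB2222BBBB2222'

# Hypothetical lookup: returns the binding that already uses the wanted
# thumbprint, or nothing ($null) when no binding carries it.
function Find-BindingWithThumb {
    param([object[]]$Bindings, [string]$Thumbprint)
    # Normalise before comparing: copied thumbprints often contain spaces
    # and differ in case.
    $want = ($Thumbprint -replace '\s', '').ToUpperInvariant()
    $Bindings | Where-Object {
        $_.Thumbprint -and
        (($_.Thumbprint -replace '\s', '').ToUpperInvariant() -eq $want)
    }
}

# The check as quoted in the thread. Without strict mode, the Length of
# $null is 0 and the Length of a single object is 1, so this comparison
# with $null never succeeds and the update branch is never taken.
function Test-UpdateNeededBuggy { param($hasThumb) $hasThumb.Length -eq $null }

# The proposed check. $null goes on the left so the test stays a scalar
# comparison even if $hasThumb turns out to be a collection.
function Test-UpdateNeeded { param($hasThumb) $null -eq $hasThumb }

# Constructed scenarios matching the cases described in the thread.
$cases = @(
    @{ Name     = 'binding has the expiring cert'
       Bindings = @([pscustomobject]@{ Port = 443; Thumbprint = $oldThumb }) },
    @{ Name     = 'binding has no cert'
       Bindings = @([pscustomobject]@{ Port = 443; Thumbprint = $null }) },
    @{ Name     = 'binding already has the new cert'
       Bindings = @([pscustomobject]@{ Port = 443; Thumbprint = $newThumb }) }
)

foreach ($case in $cases) {
    $hasThumb = Find-BindingWithThumb -Bindings $case.Bindings -Thumbprint $newThumb
    [pscustomobject]@{
        Scenario       = $case.Name
        BuggyWantsSet  = Test-UpdateNeededBuggy $hasThumb
        FixedWantsSet  = Test-UpdateNeeded $hasThumb
    }
}
```

Under Set-StrictMode -Version 2.0 or later, reading a property of $null raises an error instead of returning 0, which surfaces this kind of mistake at run time.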