Issue when removing an SSL cert

When removing an HTTPS binding that is bound to all IPs ('*'/' '/'0.0.0.0') it clears the cert from all other HTTPS bindings on the same port, leaving them with no cert, breaking HTTPS.

The issue occurs when this line from Calamari is executed: https://github.com/OctopusDeploy/Calamari/blob/d289c5d950022dd60cc9e547168464cbfd02d438/source/Calamari/Scripts/Octopus.Features.IISWebSite_BeforePostDeploy.ps1#L719

So this gets executed: netsh http delete sslcert ipport="0.0.0.0:443" and all of the bindings that used that cert get cleared and are left without a cert on the binding, breaking SSL.

Here is what it looks like in the logs:

14:00:12   Verbose  |       Acquired SemaphoreInstance Global\Octopus-IIS-Metabase
14:00:12   Info     |       Comparing existing IIS bindings with configured bindings...
14:00:12   Info     |       Found existing non-configured binding: http *:80:redacted1.domain.com
14:00:12   Info     |       Found existing non-configured binding: http *:80:redacted2.domain.com
14:00:12   Info     |       Found existing non-configured binding: http *:80:redacted3.domain.com
14:00:12   Info     |       Found existing non-configured binding: http *:80:redacted4.domain.com
14:00:12   Info     |       Found existing non-configured binding: https *:443:env-redacted1.domain.com
14:00:12   Info     |       Found existing non-configured binding: http *:80:env-redacted1.domain.com
14:00:12   Info     |       Existing IIS bindings do not match configured bindings.
14:00:12   Info     |       Clearing IIS bindings
14:00:12   Info     |       Assigning binding: http *:80:redacted.domain.com
14:00:12   Info     |       Assigning binding: https *:443:redacted.domain.com
14:00:12   Info     |       Removing unused SSL certificate binding: 0.0.0.0:443
14:00:12   Info     |       SSL Certificate successfully deleted
14:00:12   Info     |       0
14:00:12   Verbose  |       Acquired SemaphoreInstance Global\Octopus-IIS-Metabase
14:00:12   Info     |       Anonymous authentication enabled: True
14:00:12   Info     |       Applied configuration changes to section "system.webServer/security/authentication/anonymousAuthentication" for "MACHINE/WEBROOT/APPHOST/REDACTED" at configuration commit path "MACHINE/WEBROOT/APPHOST"
14:00:12   Info     |       0

Since *:443:env-redacted1.domain.com is *:443, when it tries to remove that binding, it clears all of the bindings, since several other bindings are also on *:443.

I think this issue only started when I started using Octopus Deploy's new built-in certificate store to apply my certs to the bindings.
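A defensive version of the "Removing unused SSL certificate binding" step, as an added example in PowerShell (not Calamari's or Octopus Deploy's code): it only deletes the 0.0.0.0:<port> sslcert entry when no remaining HTTPS binding on that port is still bound to all addresses. It assumes the IIS WebAdministration module and netsh are available, and covers IP-based (ipport) entries only, not SNI (hostnameport) ones.

```powershell
# Added example (not Calamari's code): guard the sslcert removal so a wildcard
# (0.0.0.0:<port>) entry is only deleted when no IIS site still relies on it.
# Assumes the WebAdministration module (IIS) and netsh are available.
Import-Module WebAdministration

function Get-SslBindingsOnPort {
    param([int]$Port)
    # bindingInformation looks like "*:443:host.example.com" or "10.0.0.5:443:".
    Get-WebBinding -Protocol https | ForEach-Object {
        $ip, $bindPort, $hostHeader = $_.bindingInformation -split ':', 3
        if ([int]$bindPort -eq $Port) {
            [pscustomobject]@{ Site = $_.ItemXPath; IP = $ip; Port = $bindPort; Host = $hostHeader }
        }
    }
}

function Remove-SslCertBindingIfUnused {
    param(
        [Parameter(Mandatory)][string]$Ip,   # '*' / '' / '0.0.0.0' all mean "all addresses"
        [Parameter(Mandatory)][int]$Port
    )
    $allAddresses = @('*', '', '0.0.0.0')
    $isWildcard = $Ip -in $allAddresses
    # netsh stores the all-addresses entry under 0.0.0.0:<port>.
    $ipPort = if ($isWildcard) { "0.0.0.0:$Port" } else { "${Ip}:$Port" }

    $remaining = Get-SslBindingsOnPort -Port $Port
    if ($isWildcard) {
        # Every https binding on this port bound to all addresses shares this sslcert entry.
        $stillUsed = $remaining | Where-Object { $_.IP -in $allAddresses }
    } else {
        $stillUsed = $remaining | Where-Object { $_.IP -eq $Ip }
    }

    if ($stillUsed) {
        Write-Host "Keeping SSL certificate binding $ipPort; still used by:"
        $stillUsed | ForEach-Object { Write-Host "  $($_.Site) ($($_.IP):$($_.Port):$($_.Host))" }
        return $false
    }

    Write-Host "Removing unused SSL certificate binding: $ipPort"
    & netsh http delete sslcert ipport="$ipPort" | Out-Null
    return ($LASTEXITCODE -eq 0)
}

# Run after the site's own bindings have been updated, e.g. for a removed *:443 binding:
# Remove-SslCertBindingIfUnused -Ip '*' -Port 443
```

Run it after the deploying site's bindings have been rewritten, so the check sees the final state of all sites on the port.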

I am facing a similar issue with version 3.12.4 and earlier. I am not using the new Octopus built-in certificate store. We have a wildcard cert that is bound to ('*'/' '/'0.0.0.0') port 443 for multiple websites. When changing an existing website IP Address binding from ('*'/' '/'0.0.0.0') in the "Deploy IIS Website" step, the "Removing unused SSL certificate binding" action is removing the cert binding from all websites, taking those sites down.

Hi,

Thanks for getting in touch, and I’m sorry you have run into this bug.

I’ve raised this GitHub issue to have it investigated as soon as possible.

Again, my apologies for the inconvenience caused by this bug.

Thank you and best regards,
Henrik

Thanks for the response. I went ahead and created a Pull Request that would fix this issue.

Hi Jacob,

Thank you for taking the time to send through that PR, like I mentioned on GitHub we’re working on a solution for your situation and the other scenarios customers had issues with. This fix is currently in review and should be ready to merge in the next day or so.

Thank you,
Henrik

Hey!

Just noticing that the pull request to fix this bug (http://help.octopusdeploy.com/discussions/problems/53569-issue-when-removing-an-ssl-cert) has been open for 22 days. Is there a plan to merge this in for a release? This is still causing some large issues in our production environment.

Thanks for your time! Sorry for pestering!

Hi Jacob,

Yes, there is a plan to merge it! We’ve just been redirected to some bigger pieces of work that have taken priority. I’ll make sure we get it reviewed early this week so it can be released in the next week or so.

Sorry for the inconvenience caused by this issue!

Thank you and kind regards,
Henrik

Hi Jacob,

Just wanted to let you know that we’ve just released 3.13.4 that includes the fix for this issue.

Thank you and best regards,
Henrik

Just installed and tested the update! Thanks for the fix, really appreciate the support you guys provided!

Hi Jacob,

Great to hear the fix worked out!

Thank you and warm regards,
Henrik