Hi there,
I have an issue where, when I import a certificate using the feature that’s been added, we have problems using it on deploys in IIS. We import as PFX with the appropriate password and it accepts the certificate but claims that the private key is NOT included. When we try an Import Certificate step with the certificate we brought into the library, we get the error below:
Importing certificate 'CN=*.some.common.name,OU=Domain Control Validated' with thumbprint 'avalidthumbprint' into store 'LocalMachine\My'
February 24th 2017 17:06:45Error
There was an error importing the certificate into the store
February 24th 2017 17:06:45Error
Certificate does not have a private-key
February 24th 2017 17:06:45Error
System.Exception
February 24th 2017 17:06:45Error
at Calamari.Integration.Certificates.WindowsX509CertificateStore.SetPrivateKeySecurity(String thumbprint, StoreLocation storeLocation, String storeName, ICollection`1 privateKeyAccessRules) in Z:\buildAgent\workDir\14ffc968155e4956\source\Calamari\Integration\Certificates\WindowsX509CertificateStore.cs:line 82
February 24th 2017 17:06:45Error
at Calamari.Commands.ImportCertificateCommand.ImportCertificate(CalamariVariableDictionary variables) in Z:\buildAgent\workDir\14ffc968155e4956\source\Calamari\Commands\ImportCertificateCommand.cs:line 85
February 24th 2017 17:06:45Error
at Calamari.Commands.ImportCertificateCommand.Execute(String[] commandLineArguments) in Z:\buildAgent\workDir\14ffc968155e4956\source\Calamari\Commands\ImportCertificateCommand.cs:line 38
February 24th 2017 17:06:45Error
at Calamari.Program.Execute(String[] args) in Z:\buildAgent\workDir\14ffc968155e4956\source\Calamari\Program.cs:line 45
February 24th 2017 17:06:45Fatal
The remote script failed with exit code 100
February 24th 2017 17:06:45Fatal
ImportCert on MY-MACHINE-NAME
If we pre-install the certificate on the IIS server and verify it’s added, yet use the certificate variable instead of the thumbprint and try to deploy, we get the following error. They all seem to be related to the fact that it doesn’t believe the private key is there, even though it’s for sure included in the certificate as a PFX:
Bindings are as configured. No changes required.
February 24th 2017 16:42:46Info
Anonymous authentication enabled: True
February 24th 2017 16:42:46Info
Applied configuration changes to section "system.webServer/security/authentication/anonymousAuthentication" for "MACHINE/WEBROOT/APPHOST/MYAPP" at configuration commit path "MACHINE/WEBROOT/APPHOST"
February 24th 2017 16:42:46Info
Basic authentication enabled: False
February 24th 2017 16:42:46Info
Applied configuration changes to section "system.webServer/security/authentication/basicAuthentication" for "MACHINE/WEBROOT/APPHOST/MYAPP" at configuration commit path "MACHINE/WEBROOT/APPHOST"
February 24th 2017 16:42:47Info
Windows authentication enabled: True
February 24th 2017 16:42:47Info
Applied configuration changes to section "system.webServer/security/authentication/windowsAuthentication" for "MACHINE/WEBROOT/APPHOST/MYAPP" at configuration commit path "MACHINE/WEBROOT/APPHOST"
February 24th 2017 16:42:47Info
Application pool is stopped. Attempting to start...
February 24th 2017 16:42:48Info
IIS configuration complete
February 24th 2017 16:42:48Error
System.Security.Principal.IdentityNotMappedException: Some or all identity references could not be translated.
February 24th 2017 16:42:48Error
at System.Security.Principal.NTAccount.Translate(IdentityReferenceCollection sourceAccounts, Type targetType, Boolean forceSuccess)
February 24th 2017 16:42:48Error
at System.Security.Principal.NTAccount.Translate(Type targetType)
February 24th 2017 16:42:48Error
at System.Security.AccessControl.CommonObjectSecurity.ModifyAccess(AccessControlModification modification, AccessRule rule, Boolean& modified)
February 24th 2017 16:42:48Error
at System.Security.AccessControl.CommonObjectSecurity.AddAccessRule(AccessRule rule)
February 24th 2017 16:42:48Error
at Calamari.Integration.Certificates.PrivateKeyAccessRule.CreateCryptoKeySecurity(ICollection`1 rules) in Z:\buildAgent\workDir\14ffc968155e4956\source\Calamari\Integration\Certificates\PrivateKeyAccessRule.cs:line 40
February 24th 2017 16:42:48Error
at Calamari.Integration.Certificates.WindowsX509CertificateStore.SetPrivateKeySecurity(String thumbprint, StoreLocation storeLocation, String storeName, ICollection`1 privateKeyAccessRules) in Z:\buildAgent\workDir\14ffc968155e4956\source\Calamari\Integration\Certificates\WindowsX509CertificateStore.cs:line 71
February 24th 2017 16:42:48Error
at Calamari.Deployment.Features.IisWebSiteAfterPostDeployFeature.EnsureApplicationPoolHasCertificatePrivateKeyAccess(VariableDictionary variables) in Z:\buildAgent\workDir\14ffc968155e4956\source\Calamari\Deployment\Features\IisWebSiteAfterPostDeployFeature.cs:line 36
February 24th 2017 16:42:48Error
at Calamari.Deployment.Features.IisWebSiteAfterPostDeployFeature.Execute(RunningDeployment deployment) in Z:\buildAgent\workDir\14ffc968155e4956\source\Calamari\Deployment\Features\IisWebSiteAfterPostDeployFeature.cs:line 30
February 24th 2017 16:42:48Error
at Calamari.Deployment.Conventions.FeatureConventionBase.ExecuteFeatureClasses(RunningDeployment deployment, String feature) in Z:\buildAgent\workDir\14ffc968155e4956\source\Calamari\Deployment\Conventions\FeatureConvention.cs:line 98
February 24th 2017 16:42:48Error
at Calamari.Deployment.Conventions.FeatureConventionBase.Run(RunningDeployment deployment) in Z:\buildAgent\workDir\14ffc968155e4956\source\Calamari\Deployment\Conventions\FeatureConvention.cs:line 82
February 24th 2017 16:42:48Error
at Calamari.Deployment.ConventionProcessor.RunInstallConventions() in Z:\buildAgent\workDir\14ffc968155e4956\source\Calamari\Deployment\ConventionProcessor.cs:line 60
February 24th 2017 16:42:48Error
at Calamari.Deployment.ConventionProcessor.RunConventions() in Z:\buildAgent\workDir\14ffc968155e4956\source\Calamari\Deployment\ConventionProcessor.cs:line 28
February 24th 2017 16:42:48Error
Running rollback conventions...
February 24th 2017 16:42:48Error
Some or all identity references could not be translated.
February 24th 2017 16:42:48Error
System.Security.Principal.IdentityNotMappedException
February 24th 2017 16:42:48Error
at System.Security.Principal.NTAccount.Translate(IdentityReferenceCollection sourceAccounts, Type targetType, Boolean forceSuccess)
February 24th 2017 16:42:48Error
at System.Security.Principal.NTAccount.Translate(Type targetType)
February 24th 2017 16:42:48Error
at System.Security.AccessControl.CommonObjectSecurity.ModifyAccess(AccessControlModification modification, AccessRule rule, Boolean& modified)
February 24th 2017 16:42:48Error
at System.Security.AccessControl.CommonObjectSecurity.AddAccessRule(AccessRule rule)
February 24th 2017 16:42:48Error
at Calamari.Integration.Certificates.PrivateKeyAccessRule.CreateCryptoKeySecurity(ICollection`1 rules) in Z:\buildAgent\workDir\14ffc968155e4956\source\Calamari\Integration\Certificates\PrivateKeyAccessRule.cs:line 40
February 24th 2017 16:42:48Error
at Calamari.Integration.Certificates.WindowsX509CertificateStore.SetPrivateKeySecurity(String thumbprint, StoreLocation storeLocation, String storeName, ICollection`1 privateKeyAccessRules) in Z:\buildAgent\workDir\14ffc968155e4956\source\Calamari\Integration\Certificates\WindowsX509CertificateStore.cs:line 71
February 24th 2017 16:42:48Error
at Calamari.Deployment.Features.IisWebSiteAfterPostDeployFeature.EnsureApplicationPoolHasCertificatePrivateKeyAccess(VariableDictionary variables) in Z:\buildAgent\workDir\14ffc968155e4956\source\Calamari\Deployment\Features\IisWebSiteAfterPostDeployFeature.cs:line 36
February 24th 2017 16:42:48Error
at Calamari.Deployment.Features.IisWebSiteAfterPostDeployFeature.Execute(RunningDeployment deployment) in Z:\buildAgent\workDir\14ffc968155e4956\source\Calamari\Deployment\Features\IisWebSiteAfterPostDeployFeature.cs:line 30
February 24th 2017 16:42:48Error
at Calamari.Deployment.Conventions.FeatureConventionBase.ExecuteFeatureClasses(RunningDeployment deployment, String feature) in Z:\buildAgent\workDir\14ffc968155e4956\source\Calamari\Deployment\Conventions\FeatureConvention.cs:line 98
February 24th 2017 16:42:48Error
at Calamari.Deployment.Conventions.FeatureConventionBase.Run(RunningDeployment deployment) in Z:\buildAgent\workDir\14ffc968155e4956\source\Calamari\Deployment\Conventions\FeatureConvention.cs:line 82
February 24th 2017 16:42:48Error
at Calamari.Deployment.ConventionProcessor.RunInstallConventions() in Z:\buildAgent\workDir\14ffc968155e4956\source\Calamari\Deployment\ConventionProcessor.cs:line 60
February 24th 2017 16:42:48Error
at Calamari.Deployment.ConventionProcessor.RunConventions() in Z:\buildAgent\workDir\14ffc968155e4956\source\Calamari\Deployment\ConventionProcessor.cs:line 50
February 24th 2017 16:42:48Error
at Calamari.Commands.DeployPackageCommand.Execute(String[] commandLineArguments) in Z:\buildAgent\workDir\14ffc968155e4956\source\Calamari\Commands\DeployPackageCommand.cs:line 117
February 24th 2017 16:42:48Error
at Calamari.Program.Execute(String[] args) in Z:\buildAgent\workDir\14ffc968155e4956\source\Calamari\Program.cs:line 45
February 24th 2017 16:42:50Fatal
The remote script failed with exit code 100
February 24th 2017 16:42:50Fatal
DeployFrontend - Managed Certificates on MY-MACHINE-NAME
Any help would be greatly appreciated - I know this is a brand new feature so just let me know if this isn’t quite completely baked yet.
Thanks,
Chris
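
Added example, not part of the original post or of Calamari's own code: a PowerShell check of the two conditions the stack traces above fail on, namely whether the certificate carries a private key (in the PFX file and in `LocalMachine\My`) and whether an account name translates to a SID. The PFX path, the account name and the function names are hypothetical; the thumbprint is the placeholder shown in the log.

```powershell
param(
    [string]$PfxPath     = 'C:\temp\example.pfx',        # hypothetical path
    [string]$Thumbprint  = 'avalidthumbprint',           # placeholder from the log above
    [string]$AccountName = 'IIS AppPool\ExampleAppPool'  # hypothetical identity
)

# List every certificate in the PFX and whether a private key is attached.
# A PFX that bundles the chain shows the key on the leaf only.
function Get-PfxKeyReport {
    param([string]$Path, [securestring]$Password)
    $plain = [System.Net.NetworkCredential]::new('', $Password).Password
    $flags = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::DefaultKeySet
    $certs = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2Collection
    $certs.Import($Path, $plain, $flags)
    foreach ($c in $certs) {
        [pscustomobject]@{
            Subject       = $c.Subject
            Thumbprint    = $c.Thumbprint
            HasPrivateKey = $c.HasPrivateKey
        }
        $c.Reset()   # release the key material loaded for inspection
    }
}

# Same question for the copy already installed in LocalMachine\My.
function Get-StoreKeyReport {
    param([string]$Thumb)
    Get-ChildItem -Path Cert:\LocalMachine\My |
        Where-Object { $_.Thumbprint -eq $Thumb } |
        Select-Object Subject, Thumbprint, HasPrivateKey
}

# The NTAccount.Translate call that raises IdentityNotMappedException when the
# name does not resolve on this machine. Returns the SID string, or $null.
function Resolve-AccountSid {
    param([string]$Name)
    try {
        $sid = ([System.Security.Principal.NTAccount]$Name).Translate(
            [System.Security.Principal.SecurityIdentifier])
        return $sid.Value
    } catch [System.Security.Principal.IdentityNotMappedException] {
        return $null
    }
}

$password = Read-Host -Prompt 'PFX password' -AsSecureString
Get-PfxKeyReport -Path $PfxPath -Password $password | Format-Table -AutoSize
Get-StoreKeyReport -Thumb $Thumbprint | Format-Table -AutoSize
$sid = Resolve-AccountSid -Name $AccountName
if ($sid) { "Resolved '$AccountName' to $sid" } else { "'$AccountName' does not resolve on this machine" }
```

Run it in an elevated session on the deployment target, so the `LocalMachine` store and the local account database are the ones the deployment sees.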