Issue with importing certificate PFX (PKCS#12)

Hi there,

I have an issue where I import a certificate using the feature that's been added, and we have problems using it on deploys in IIS. We import it as a PFX with the appropriate password and it accepts the certificate but claims that the private key is NOT included. When we try an Import Certificate step with the certificate we brought into the library we get the error below:

Importing certificate 'CN=*.some.common.name,OU=Domain Control Validated' with thumbprint 'avalidthumbprint' into store 'LocalMachine\My'
February 24th 2017 17:06:45 Error  There was an error importing the certificate into the store
February 24th 2017 17:06:45 Error  Certificate does not have a private-key
February 24th 2017 17:06:45 Error  System.Exception
February 24th 2017 17:06:45 Error     at Calamari.Integration.Certificates.WindowsX509CertificateStore.SetPrivateKeySecurity(String thumbprint, StoreLocation storeLocation, String storeName, ICollection`1 privateKeyAccessRules) in Z:\buildAgent\workDir\14ffc968155e4956\source\Calamari\Integration\Certificates\WindowsX509CertificateStore.cs:line 82
February 24th 2017 17:06:45 Error     at Calamari.Commands.ImportCertificateCommand.ImportCertificate(CalamariVariableDictionary variables) in Z:\buildAgent\workDir\14ffc968155e4956\source\Calamari\Commands\ImportCertificateCommand.cs:line 85
February 24th 2017 17:06:45 Error     at Calamari.Commands.ImportCertificateCommand.Execute(String[] commandLineArguments) in Z:\buildAgent\workDir\14ffc968155e4956\source\Calamari\Commands\ImportCertificateCommand.cs:line 38
February 24th 2017 17:06:45 Error     at Calamari.Program.Execute(String[] args) in Z:\buildAgent\workDir\14ffc968155e4956\source\Calamari\Program.cs:line 45
February 24th 2017 17:06:45 Fatal  The remote script failed with exit code 100
February 24th 2017 17:06:45 Fatal  ImportCert on MY-MACHINE-NAME

If we pre-install the certificate on the IIS server and verify it's added, yet use the certificate variable instead of the thumbprint and try to deploy, we get the following error - they all seem to be related to the fact that it doesn't believe the private key is there, even though it's for sure included in the certificate as a PFX:

Bindings are as configured. No changes required.
February 24th 2017 16:42:46 Info   Anonymous authentication enabled: True
February 24th 2017 16:42:46 Info   Applied configuration changes to section "system.webServer/security/authentication/anonymousAuthentication" for "MACHINE/WEBROOT/APPHOST/MYAPP" at configuration commit path "MACHINE/WEBROOT/APPHOST"
February 24th 2017 16:42:46 Info   Basic authentication enabled: False
February 24th 2017 16:42:46 Info   Applied configuration changes to section "system.webServer/security/authentication/basicAuthentication" for "MACHINE/WEBROOT/APPHOST/MYAPP" at configuration commit path "MACHINE/WEBROOT/APPHOST"
February 24th 2017 16:42:47 Info   Windows authentication enabled: True
February 24th 2017 16:42:47 Info   Applied configuration changes to section "system.webServer/security/authentication/windowsAuthentication" for "MACHINE/WEBROOT/APPHOST/MYAPP" at configuration commit path "MACHINE/WEBROOT/APPHOST"
February 24th 2017 16:42:47 Info   Application pool is stopped. Attempting to start...
February 24th 2017 16:42:48 Info   IIS configuration complete
February 24th 2017 16:42:48 Error  System.Security.Principal.IdentityNotMappedException: Some or all identity references could not be translated.
February 24th 2017 16:42:48 Error     at System.Security.Principal.NTAccount.Translate(IdentityReferenceCollection sourceAccounts, Type targetType, Boolean forceSuccess)
February 24th 2017 16:42:48 Error     at System.Security.Principal.NTAccount.Translate(Type targetType)
February 24th 2017 16:42:48 Error     at System.Security.AccessControl.CommonObjectSecurity.ModifyAccess(AccessControlModification modification, AccessRule rule, Boolean& modified)
February 24th 2017 16:42:48 Error     at System.Security.AccessControl.CommonObjectSecurity.AddAccessRule(AccessRule rule)
February 24th 2017 16:42:48 Error     at Calamari.Integration.Certificates.PrivateKeyAccessRule.CreateCryptoKeySecurity(ICollection`1 rules) in Z:\buildAgent\workDir\14ffc968155e4956\source\Calamari\Integration\Certificates\PrivateKeyAccessRule.cs:line 40
February 24th 2017 16:42:48 Error     at Calamari.Integration.Certificates.WindowsX509CertificateStore.SetPrivateKeySecurity(String thumbprint, StoreLocation storeLocation, String storeName, ICollection`1 privateKeyAccessRules) in Z:\buildAgent\workDir\14ffc968155e4956\source\Calamari\Integration\Certificates\WindowsX509CertificateStore.cs:line 71
February 24th 2017 16:42:48 Error     at Calamari.Deployment.Features.IisWebSiteAfterPostDeployFeature.EnsureApplicationPoolHasCertificatePrivateKeyAccess(VariableDictionary variables) in Z:\buildAgent\workDir\14ffc968155e4956\source\Calamari\Deployment\Features\IisWebSiteAfterPostDeployFeature.cs:line 36
February 24th 2017 16:42:48 Error     at Calamari.Deployment.Features.IisWebSiteAfterPostDeployFeature.Execute(RunningDeployment deployment) in Z:\buildAgent\workDir\14ffc968155e4956\source\Calamari\Deployment\Features\IisWebSiteAfterPostDeployFeature.cs:line 30
February 24th 2017 16:42:48 Error     at Calamari.Deployment.Conventions.FeatureConventionBase.ExecuteFeatureClasses(RunningDeployment deployment, String feature) in Z:\buildAgent\workDir\14ffc968155e4956\source\Calamari\Deployment\Conventions\FeatureConvention.cs:line 98
February 24th 2017 16:42:48 Error     at Calamari.Deployment.Conventions.FeatureConventionBase.Run(RunningDeployment deployment) in Z:\buildAgent\workDir\14ffc968155e4956\source\Calamari\Deployment\Conventions\FeatureConvention.cs:line 82
February 24th 2017 16:42:48 Error     at Calamari.Deployment.ConventionProcessor.RunInstallConventions() in Z:\buildAgent\workDir\14ffc968155e4956\source\Calamari\Deployment\ConventionProcessor.cs:line 60
February 24th 2017 16:42:48 Error     at Calamari.Deployment.ConventionProcessor.RunConventions() in Z:\buildAgent\workDir\14ffc968155e4956\source\Calamari\Deployment\ConventionProcessor.cs:line 28
February 24th 2017 16:42:48 Error  Running rollback conventions...
February 24th 2017 16:42:48 Error  Some or all identity references could not be translated.
February 24th 2017 16:42:48 Error  System.Security.Principal.IdentityNotMappedException
February 24th 2017 16:42:48 Error     at System.Security.Principal.NTAccount.Translate(IdentityReferenceCollection sourceAccounts, Type targetType, Boolean forceSuccess)
February 24th 2017 16:42:48 Error     at System.Security.Principal.NTAccount.Translate(Type targetType)
February 24th 2017 16:42:48 Error     at System.Security.AccessControl.CommonObjectSecurity.ModifyAccess(AccessControlModification modification, AccessRule rule, Boolean& modified)
February 24th 2017 16:42:48 Error     at System.Security.AccessControl.CommonObjectSecurity.AddAccessRule(AccessRule rule)
February 24th 2017 16:42:48 Error     at Calamari.Integration.Certificates.PrivateKeyAccessRule.CreateCryptoKeySecurity(ICollection`1 rules) in Z:\buildAgent\workDir\14ffc968155e4956\source\Calamari\Integration\Certificates\PrivateKeyAccessRule.cs:line 40
February 24th 2017 16:42:48 Error     at Calamari.Integration.Certificates.WindowsX509CertificateStore.SetPrivateKeySecurity(String thumbprint, StoreLocation storeLocation, String storeName, ICollection`1 privateKeyAccessRules) in Z:\buildAgent\workDir\14ffc968155e4956\source\Calamari\Integration\Certificates\WindowsX509CertificateStore.cs:line 71
February 24th 2017 16:42:48 Error     at Calamari.Deployment.Features.IisWebSiteAfterPostDeployFeature.EnsureApplicationPoolHasCertificatePrivateKeyAccess(VariableDictionary variables) in Z:\buildAgent\workDir\14ffc968155e4956\source\Calamari\Deployment\Features\IisWebSiteAfterPostDeployFeature.cs:line 36
February 24th 2017 16:42:48 Error     at Calamari.Deployment.Features.IisWebSiteAfterPostDeployFeature.Execute(RunningDeployment deployment) in Z:\buildAgent\workDir\14ffc968155e4956\source\Calamari\Deployment\Features\IisWebSiteAfterPostDeployFeature.cs:line 30
February 24th 2017 16:42:48 Error     at Calamari.Deployment.Conventions.FeatureConventionBase.ExecuteFeatureClasses(RunningDeployment deployment, String feature) in Z:\buildAgent\workDir\14ffc968155e4956\source\Calamari\Deployment\Conventions\FeatureConvention.cs:line 98
February 24th 2017 16:42:48 Error     at Calamari.Deployment.Conventions.FeatureConventionBase.Run(RunningDeployment deployment) in Z:\buildAgent\workDir\14ffc968155e4956\source\Calamari\Deployment\Conventions\FeatureConvention.cs:line 82
February 24th 2017 16:42:48 Error     at Calamari.Deployment.ConventionProcessor.RunInstallConventions() in Z:\buildAgent\workDir\14ffc968155e4956\source\Calamari\Deployment\ConventionProcessor.cs:line 60
February 24th 2017 16:42:48 Error     at Calamari.Deployment.ConventionProcessor.RunConventions() in Z:\buildAgent\workDir\14ffc968155e4956\source\Calamari\Deployment\ConventionProcessor.cs:line 50
February 24th 2017 16:42:48 Error     at Calamari.Commands.DeployPackageCommand.Execute(String[] commandLineArguments) in Z:\buildAgent\workDir\14ffc968155e4956\source\Calamari\Commands\DeployPackageCommand.cs:line 117
February 24th 2017 16:42:48 Error     at Calamari.Program.Execute(String[] args) in Z:\buildAgent\workDir\14ffc968155e4956\source\Calamari\Program.cs:line 45
February 24th 2017 16:42:50 Fatal  The remote script failed with exit code 100
February 24th 2017 16:42:50 Fatal  DeployFrontend - Managed Certificates on MY-MACHINE-NAME

Any help would be greatly appreciated - I know this is a brand new feature, so just let me know if this isn't quite completely baked yet.

Thanks,
Chris

Hi Chris,

I’m sorry you are having problems with your certificate.

I suspect this may be related to an issue we had where the private-key wasn’t being found in particular PFX files. This was resolved in Octopus version 3.11.2.

If you are already on this version, or upgrading doesn’t resolve this issue for you, please let me know and I will investigate further.

Again, we apologize for any inconvenience. As you mention, this is a brand new feature for us. Thanks for using it!

Regards,
Michael

Thank you so much, Michael, for your response; however, I'm still receiving this error, which seems to be related to permissions.

System.Security.Principal.IdentityNotMappedException: Some or all identity references could not be translated.
February 28th 2017 10:58:10 Error     at System.Security.Principal.NTAccount.Translate(IdentityReferenceCollection sourceAccounts, Type targetType, Boolean forceSuccess)
February 28th 2017 10:58:10 Error     at System.Security.Principal.NTAccount.Translate(Type targetType)
February 28th 2017 10:58:10 Error     at System.Security.AccessControl.CommonObjectSecurity.ModifyAccess(AccessControlModification modification, AccessRule rule, Boolean& modified)
February 28th 2017 10:58:10 Error     at System.Security.AccessControl.CommonObjectSecurity.AddAccessRule(AccessRule rule)
February 28th 2017 10:58:10 Error     at Calamari.Integration.Certificates.PrivateKeyAccessRule.CreateCryptoKeySecurity(ICollection`1 rules) in Z:\buildAgent\workDir\14ffc968155e4956\source\Calamari\Integration\Certificates\PrivateKeyAccessRule.cs:line 40
February 28th 2017 10:58:10 Error     at Calamari.Integration.Certificates.WindowsX509CertificateStore.SetPrivateKeySecurity(String thumbprint, StoreLocation storeLocation, String storeName, ICollection`1 privateKeyAccessRules) in Z:\buildAgent\workDir\14ffc968155e4956\source\Calamari\Integration\Certificates\WindowsX509CertificateStore.cs:line 71
February 28th 2017 10:58:10 Error     at Calamari.Deployment.Features.IisWebSiteAfterPostDeployFeature.EnsureApplicationPoolHasCertificatePrivateKeyAccess(VariableDictionary variables) in Z:\buildAgent\workDir\14ffc968155e4956\source\Calamari\Deployment\Features\IisWebSiteAfterPostDeployFeature.cs:line 36
February 28th 2017 10:58:10 Error     at Calamari.Deployment.Features.IisWebSiteAfterPostDeployFeature.Execute(RunningDeployment deployment) in Z:\buildAgent\workDir\14ffc968155e4956\source\Calamari\Deployment\Features\IisWebSiteAfterPostDeployFeature.cs:line 30
February 28th 2017 10:58:10 Error     at Calamari.Deployment.Conventions.FeatureConventionBase.ExecuteFeatureClasses(RunningDeployment deployment, String feature) in Z:\buildAgent\workDir\14ffc968155e4956\source\Calamari\Deployment\Conventions\FeatureConvention.cs:line 98
February 28th 2017 10:58:10 Error     at Calamari.Deployment.Conventions.FeatureConventionBase.Run(RunningDeployment deployment) in Z:\buildAgent\workDir\14ffc968155e4956\source\Calamari\Deployment\Conventions\FeatureConvention.cs:line 82
February 28th 2017 10:58:10 Error     at Calamari.Deployment.ConventionProcessor.RunInstallConventions() in Z:\buildAgent\workDir\14ffc968155e4956\source\Calamari\Deployment\ConventionProcessor.cs:line 60
February 28th 2017 10:58:10 Error     at Calamari.Deployment.ConventionProcessor.RunConventions() in Z:\buildAgent\workDir\14ffc968155e4956\source\Calamari\Deployment\ConventionProcessor.cs:line 28

This seems to be a permissions issue, but I'm not sure where to go from here.

Thanks,
Chris

Alright, so I figured this out on my own. Just FYI, usernames with the format

.\username

do not work, they must be fully qualified. That is, for local users:

systemname\username

and for domain users:

domain\username or username@upn

Thanks again for the reply!
Chris
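
The checks below are an added example (PowerShell 5+, run on the target Windows server), not code from this thread or from Octopus/Calamari. They cover the two questions the thread turns on: whether the PFX from the first post actually carries a private key, and whether an account name in the form Chris settled on can be translated to a SID the way System.Security.Principal.NTAccount.Translate does it (the call that throws IdentityNotMappedException in the logs above). A third function grants that SID Read on the key container, which is what the IIS feature is attempting when it fails. The paths, the PFX password prompt and the account names ('svc-web', 'CORP', 'IIS AppPool\MyApp') are placeholders, and the key-file lookup assumes the key is held by a CryptoAPI (CSP) RSA provider.

```powershell
# Added example, not from this thread or from Octopus/Calamari. Placeholders: paths,
# account names and the thumbprint below. Assumes PowerShell 5+ and a CSP-stored RSA key
# for Grant-PrivateKeyRead.

function Test-PfxPrivateKey {
    param(
        [Parameter(Mandatory)] [string] $PfxPath,
        [Parameter(Mandatory)] [securestring] $Password
    )
    # Exportable + MachineKeySet mirrors an import into LocalMachine\My and avoids needing a
    # user profile key store. If HasPrivateKey is $false here, the file itself has no key and
    # no deploy tool can supply one.
    $flags = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags] 'Exportable, MachineKeySet'
    $cert  = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($PfxPath, $Password, $flags)
    [pscustomobject]@{
        Subject       = $cert.Subject
        Thumbprint    = $cert.Thumbprint
        HasPrivateKey = $cert.HasPrivateKey
    }
}

function Resolve-AccountSid {
    param([Parameter(Mandatory)] [string[]] $AccountName)
    foreach ($name in $AccountName) {
        try {
            # Same translation the deploy step performs before it can write an ACE.
            $sid = [System.Security.Principal.NTAccount]::new($name).Translate([System.Security.Principal.SecurityIdentifier])
            [pscustomobject]@{ Account = $name; Sid = $sid.Value; Resolved = $true }
        }
        catch [System.Security.Principal.IdentityNotMappedException] {
            # The exception from the deploy log: the name cannot be mapped to a SID.
            [pscustomobject]@{ Account = $name; Sid = $null; Resolved = $false }
        }
    }
}

function Grant-PrivateKeyRead {
    param(
        [Parameter(Mandatory)] [string] $Thumbprint,
        [Parameter(Mandatory)] [string] $AccountName   # e.g. 'IIS AppPool\MyApp' or 'CORP\svc-web' (placeholders)
    )
    $cert = Get-Item "Cert:\LocalMachine\My\$Thumbprint"
    if (-not $cert.HasPrivateKey) { throw "Certificate $Thumbprint has no private key in LocalMachine\My" }
    # Resolve first so a bad name fails here with a clear message rather than inside the ACL call.
    $sid = [System.Security.Principal.NTAccount]::new($AccountName).Translate([System.Security.Principal.SecurityIdentifier])
    # Assumption: the key is held by a CryptoAPI (CSP) RSA provider, whose container file lives
    # under MachineKeys. CNG keys are stored elsewhere and $cert.PrivateKey is not usable for them.
    $container = $cert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName
    $keyFile   = Join-Path $env:ProgramData "Microsoft\Crypto\RSA\MachineKeys\$container"
    $acl  = Get-Acl -Path $keyFile
    $rule = [System.Security.AccessControl.FileSystemAccessRule]::new($sid, 'Read', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -Path $keyFile -AclObject $acl
    "Granted Read on $keyFile to $AccountName ($($sid.Value))"
}

# Constructed sample run. '.\svc-web' is the form the thread found does not resolve; the other
# three resolve on a machine or domain where the account exists.
Resolve-AccountSid -AccountName '.\svc-web', "$env:COMPUTERNAME\svc-web", 'CORP\svc-web', 'svc-web@corp.example' |
    Format-Table -AutoSize

Test-PfxPrivateKey -PfxPath 'C:\certs\wildcard.pfx' -Password (Read-Host -AsSecureString 'PFX password')

Grant-PrivateKeyRead -Thumbprint 'THUMBPRINT-OF-YOUR-CERT' -AccountName 'IIS AppPool\MyApp'
```

Run Resolve-AccountSid with the exact string you typed into the deploy step; a row with Resolved = False is the same failure the IIS feature hits at PrivateKeyAccessRule.CreateCryptoKeySecurity, so fix the name before re-deploying. Test-PfxPrivateKey distinguishes the first post's symptom (no key in the file, or a key the importer could not find) from the later one (key present, ACL cannot be written). Grant-PrivateKeyRead requires an elevated session and only handles CSP-stored keys; for a CNG key the container path differs and the function will fail at the CspKeyContainerInfo lookup rather than grant the wrong file.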

Chris,

I'm glad to hear you have this working now, and thank you for the feedback.

I’m going to investigate this further, and see if I can understand why .\username isn’t working (or at least update the on-screen doco to make this clear).

Thanks again,
Michael