We are having problems whereby if the SSL binding already exists then the rest of the step is skipped. This error is more of an issue when the certificate expires and replaced with a new one - i.e. the thumbprint changes. We have changed the thumbprint variable but on deployment it appears that the step just checks to see if there is an existing SSL binding - if so it moves on. It would be better if the step could check if the existing binding has the same thumbprint as the desired one.