modify Add-SslCert logic to allow for certificate updates #993
Conversation
|
|
natesuver
changed the title
| $isItSameBinding = $result.Get(4).Contains([string]::Format("{0}:{1}", $ipAddress, $port)) | ||
|
|
||
| $addCertCmd = [string]::Format("http add sslcert ipport={0}:{1} certhash={2} appid={{{3}}} certstorename=MY", $ipAddress, $port, $certhash, [System.Guid]::NewGuid().toString()) | ||
| $certCmd = Get-Netsh-Command -port $port -newCertHash $certhash -keyName "ipport" -hostOrIp $hostname |
There was a problem hiding this comment.
it can be a one-line, I prefer to have something like that:
$port = "ipport"
if($sni -eq "true" -and $iisVersion -ge 8 -and -not [string]::IsNullOrWhiteSpace($hostname))
{
$port = "hostnameport"
}
$certCmd = Get-Netsh-Command -port $port -newCertHash $certhash -keyName $port -hostOrIp $hostnameThere was a problem hiding this comment.
yeah, good catch, I like that, less nesting
| return [string]::Format("http update sslcert {4}={0}:{1} certhash={2} appid='{3}' certstorename=MY", $hostOrIp, $port, $certhash, $applicationId, $keyName) #TODO: this won't work with older versions of netsh, add something here to check the netsh version. | ||
| } else { #Case 3: the certificate bound to this host/ip and port has the same thumbprint as the new certificate. Do nothing. | ||
| return [string]::Empty | ||
| } |
There was a problem hiding this comment.
you can remove this else statement and leave only return [string]::Empty
|
When might we expect this fix to go live? |
|
We're still testing it, and have been busy on other projects, but will pick this up sometime after the new year. Notably, netsh update won't work with older versions of that utility, but I'm not sure that matters here, because it never did that functionality anyway. It will still break for older netsh, but for a different reason. So not sure how much that matters to people. |
|
@mericstam @tauhid621 @pavanvamsi3 @MOlausson any chance this PR could be reviewed and merged? |
|
This is a major pain for us. Since the task is failing any appcmd commands are not run afterwards. |
|
Can we get the fixes for server 2022 published please? This is a seriously annoying issue. |
|
This also fixes the problem in newer Server versions (ie 2022) where you can't deploy the same SSL binding twice even with no changes as the number of new lines in the netsh output has changed breaking the logic. (microsoft/azure-pipelines-tasks#13398) It would also fix: Is there any help we can provide to get this one tested and merged soon? Alternatively, should an interim pull request be written to handle the new lines issue independent of the remainder of the new code? |
|
We are waiting for that fix to use our new servers... We are stuck because of that problem. We can't deploy our apps with SSL automatically and it is being really annoying. |
|
Is there any indication of when the update that fixes this issue for WINS2022 will be available? |
|
Yeah, will this be available soon? Alot of servers gonna be updated to Windows Server 2022, and this will fail every deployment that configures ssl bindings |
|
Please consider testing/mergjng this soon to resolve #1008 . This is a bug with no workaround for Windows Server 2022 and only grows in impact as people upgrade their server OS. |
|
Maybe I'm missing something but to me it seems that without fix of item 3 in the original post it's impossible to do CI/CD with Azure Pipelines and a IIS website deployment release pipeline/stage. First release deploys ok, but the next one stops on the "IIS Web App Manage" task which means that the "IIS Web App Deploy" task never runs. Note that I'm deploying to my localhost and that for debug purposes I'm refering to the the IIS Express Development Certificate thumbprint in the binding information (https, ip=All unassigned, port=44901, hostname=localhost, SNI checked). |
|
+1 This prevents us to migrate to server 2022. |
|
Nous allons bientôt migrer nos serveurs dans une solution cloud. Les serveurs devront être sous Windows Server 2022. Est-ce possible de nous donner une date pour la publication du correctif? |
|
We are experiencing this issue with pipelines that try to update bindings for an IIS website on Server 2022. This pull request would also address two issues in the azure-pipelines-tasks repo: @z00sts @mkonjikovac @DmitriiBobreshev @mmrazik May this pull request be approved/merged soon? Thank you! |
|
/azp run |
|
Azure Pipelines successfully started running 1 pipeline(s). |
|
+1 preventing to migrate to Server 2022. No more workarounds. |
|
Can't believe this is still an issue, fed up of the work around we have. Pleeease get this across the line! |
|
Do we have a solution to this, other than not migrating to windows server 2022? |
As a temporary solution, I added a CI task to remove the binding before attempting the "IIS web app manage" task:
Replace Hope this helps. |
|
How do you handle first runs on the pipeline? That step will fail if there is no cert.
Ngā mihi, Al
…________________________________
From: patrickfegan ***@***.***>
Sent: Saturday, July 1, 2023 12:47:56 AM
To: microsoft/azure-pipelines-extensions ***@***.***>
Cc: Al Twohill ***@***.***>; Comment ***@***.***>
Subject: Re: [microsoft/azure-pipelines-extensions] modify Add-SslCert logic to allow for certificate updates (PR #993)
Do we have a solution to this, other than not migrating to windows server 2022?
As a temporary solution, I added a CI task to remove the binding before attempting the "IIS web app manage" task:
netsh http delete sslcert hostnameport=$(IISHostname):$(IISPort)
Replace IISHostname and IISPort with whatever value / pipeline variable required.
Hope this helps.
—
Reply to this email directly, view it on GitHub<#993 (comment)>, or unsubscribe<https://github.com/notifications/unsubscribe-auth/AAEZUBT3UIV4IBDADDZT2U3XN3DHZANCNFSM5G2UHJCQ>.
You are receiving this because you commented.Message ID: ***@***.***>
|
|
Custom PowerShell to remove cert if it exists
Enviado de Outlook para Android<https://aka.ms/AAb9ysg>
…________________________________
From: Al ***@***.***>
Sent: Friday, June 30, 2023 11:03:27 PM
To: microsoft/azure-pipelines-extensions ***@***.***>
Cc: jabteles ***@***.***>; Comment ***@***.***>
Subject: Re: [microsoft/azure-pipelines-extensions] modify Add-SslCert logic to allow for certificate updates (PR #993)
How do you handle first runs on the pipeline? That step will fail if there is no cert.
Ngā mihi, Al
________________________________
From: patrickfegan ***@***.***>
Sent: Saturday, July 1, 2023 12:47:56 AM
To: microsoft/azure-pipelines-extensions ***@***.***>
Cc: Al Twohill ***@***.***>; Comment ***@***.***>
Subject: Re: [microsoft/azure-pipelines-extensions] modify Add-SslCert logic to allow for certificate updates (PR #993)
Do we have a solution to this, other than not migrating to windows server 2022?
As a temporary solution, I added a CI task to remove the binding before attempting the "IIS web app manage" task:
netsh http delete sslcert hostnameport=$(IISHostname):$(IISPort)
Replace IISHostname and IISPort with whatever value / pipeline variable required.
Hope this helps.
—
Reply to this email directly, view it on GitHub<#993 (comment)>, or unsubscribe<https://github.com/notifications/unsubscribe-auth/AAEZUBT3UIV4IBDADDZT2U3XN3DHZANCNFSM5G2UHJCQ>.
You are receiving this because you commented.Message ID: ***@***.***>
—
Reply to this email directly, view it on GitHub<#993 (comment)>, or unsubscribe<https://github.com/notifications/unsubscribe-auth/AIT3MFWZTWW5NTAF6OC7LR3XN5EK7ANCNFSM5G2UHJCQ>.
You are receiving this because you commented.Message ID: ***@***.***>
|
Have you tried anything? Tick the "continue on error" checkbox maybe? |
The work around I used is inline powershell task that removes SSL cert bindings. It wraps the removals in try catch statements, and in the catch it does not throw an error. It will remove SSL cert bindings that were bound to an IP address or hostname. Here is the inline PS: $appCmd = 'C:\Windows\system32\inetsrv\appcmd.exe'
Write-Host "[Start] removing sslcert binding from $(bindIPAddress):443 with netsh"
try {
netsh http delete sslcert ipport=$(bindIPAddress):443
} catch {
Write-Host $_
}
Write-Host "[Finish] removing sslcert binding from $(bindIPAddress):443 with netsh"
Write-Host "[Start] removing binding from $(dnsEntry):443 with appcmd"
try {
. $appcmd set site /site.name:"$(dnsEntry)" /-bindings.[protocol='https',bindingInformation='*:443:$(dnsEntry)']
} catch {
Write-Host $_
}
Write-Host "[Finish] removing binding from $(dnsEntry):443 with appcmd"
# Force clean exit no matter what happened previously
[Environment]::Exit(0)edit: missing letters added |
|
+1 prevents migration to windows 2022 |
|
+1 please fix this |
There was a problem hiding this comment.
@PawelHaracz has a couple of recommended changes for better coding, but that do not change the functionality.
That said, this Pull will significantly improve the product (making it compatible with Server 2022) and further delay of release is not in the best interest of the community. Thus I recommend completing this Pull in order to benefit the community. (Or immediately implementing the noted changes, and then Pulling that.)
|
Here is the temp workaround that I used on Server 2022, only resolves the existing binding check issue. Again not ideal by any means but at least allows the task to complete successfully. The only remaining issue (for my use case) even after adding the workaround above is that AppCmdOnTargetMachines.ps1 does not cater for certificate update scenarios so hopefully the script is fixed in time for my next round of certificate updates :). |
Add-SslCert was modified to accommodate a few different cases related to certificate binding:
This addresses an issue with this task where updating a certificate thumbprint from the build pipeline caused netsh to fail, if that binding already existed.