The "IIS Web Site and Application Pool" feature no longer imports configured binding certificates into the certificate store on the target

[Justin-Walsh]

Prerequisites

• [x] I have verified the problem exists in the latest version
• [x] I have searched open and closed issues to make sure it isn't already reported
• [x] I have written a descriptive issue title
• [x] I have linked the original source of this report
• [x] I have tagged the issue appropriately (area/*, kind/bug, tag/regression?)

The bug

When utilizing the "IIS Web Site and Application Pool" step feature on a non-IIS step (specifically tested with the "Deploy a package" step, we no longer import Octopus-managed certificates into the certificate store on the deployment target. This causes the deployment to fail as it can not create the binding, as the certificate is not present. This does not impact the "Deploy to IIS" step, only steps that use this feature.

What I expected to happen

The certificate is transferred to the target machine and installed in the certificate store.

Steps to reproduce

1. Create a process with a Deploy a Package step.
2. Add the "IIS Web Site and Application Pool" feature
3. Configure the IIS bindings using an Octopus-managed certificate.
4. Perform deployment
5. See error.

Log excerpt

Detected IIS Version 10.0
Making sure a Website "Package" is configured in IIS...
Finding SSL certificate with thumbprint 5934F3914C5DF33B8F453AB9423D69589AE050F6

OperationStopped: Could not find certificate under Cert:\LocalMachine with thumbprint 5934F3914C5DF33B8F453AB9423D69589AE050F6. Make sure that the certificate is installed to the Local Machine context and that the private key is available.
At C:\Octopus\Applications\Tentacle\Dev\Package\1.0.1\Octopus.Features.IISWebSite_BeforePostDeploy.ps1:497 char:4
+             throw "Could not find certificate under Cert:\LocalMachin ...
+             ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
at <ScriptBlock>, C:\Octopus\Applications\Tentacle\Dev\Package\1.0.1\Octopus.Features.IISWebSite_BeforePostDeploy.ps1: line 497
at <ScriptBlock>, C:\Octopus\Applications\Tentacle\Dev\Package\1.0.1\Octopus.Features.IISWebSite_BeforePostDeploy.ps1: line 469
at <ScriptBlock>, <No file>: line 1
at <ScriptBlock>, C:\Octopus\Applications\Tentacle\Dev\Package\1.0.1\Octopus.FunctionAppenderContext.ps1: line 185
at <ScriptBlock>, C:\Octopus\Applications\Tentacle\Dev\Package\1.0.1\Bootstrap.Octopus.FunctionAppenderContext.ps1: line 1710
at <ScriptBlock>, <No file>: line 1
at <ScriptBlock>, <No file>: line 1

Affected versions

Octopus Server: 2021.1

Workarounds

Use the "Import Certificate" step to pre-import the certificate before the step with the enabled feature.

Links

(Internal Link): Initial report: http://octopus.zendesk.com/agent/tickets/68336 (Internal Link): Repro:https://octopus-operations.octopus.app/app#/Spaces-82/projects/iis-bindings/deployments/releases/0.0.1/deployments/Deployments-1448

[kengel100]

See also https://github.com/OctopusDeploy/Issues/issues/6834

[svenkle]

FWIW this issue also impacts Octopus Cloud 2021.1