Open yepeekai opened 1 year ago
@microsoft-github-policy-service agree
@LeftTwixWand @starkmsu @manolerazvan
I hate to bug you guys, but can we merge this crucial fix? Depending on your version of Windows it will cause IIS deployment issues due to different netsh outputs based on its version.
Windows Server 2012 - netsh.exe @ 6.3.9600.17415 works with this extension
Windows Server 2022 - netsh.exe @ 10.0.20348.1 does not work until this is merged.
Thank you!
Related Issues:
- Oct 20, 2021 - https://github.com/microsoft/azure-pipelines-tasks/issues/15419
- Nov 25, 2021 - https://github.com/microsoft/azure-pipelines-extensions/issues/1008
- Apr 22, 2022 - https://github.com/microsoft/azure-pipelines-extensions/issues/1039
- Jan 10, 2022 - https://github.com/microsoft/azure-pipelines-tasks/issues/15686
- May 20, 2022 - https://github.com/microsoft/azure-pipelines-extensions/issues/1058
- Dec 12, 2022 - https://github.com/microsoft/azure-pipelines-tasks/issues/17462
Duplicated Pull Requests:
- Oct 27, 2021 - https://github.com/microsoft/azure-pipelines-extensions/pull/993
- Mar 13, 2023 - https://github.com/microsoft/azure-pipelines-extensions/pull/1134
Hello Preston and @yepeekai!
Thank you so much for your efforts, it's great to see when the community takes over some issues. Unfortunately, I don't have much experience with TaskModules, so I need some to check how it works. Also, I don't know about the versioning in TaskModules, so I have to clarify it too.
I'll keep you up to date.
Hi @coolhome and @yepeekai
Generally, the PR looks good, I will just add one more test here: TaskModules/powershell/Tests to cover the new functionality. It shouldn't take too long.
I just noticed this line will need to be updated to find by key to get the certificate hash - https://github.com/microsoft/azure-pipelines-extensions/blob/dd5e1b99c72c196d5d154da79637869e0beffed0/TaskModules/powershell/TaskModuleIISManageUtility/AppCmdOnTargetMachines.ps1#L209
The same fixes also need to be applied for IISWebAppDeployment - https://github.com/microsoft/azure-pipelines-tasks/blob/065dfd9c37ff3e0bae7bd385bfa523fc17f98407/Tasks/IISWebAppDeployment/MsDeployOnTargetMachines.ps1#L277-L298
I committed a change to validate the certificate hash. I also changed the binding search to ensure there is no false positive. For example, if we search for port 443 and there is a certificate for 443 and 44311, both would have matched in the previous version and would have caused a problem.
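An added sketch, not code from this PR or from the azure-pipelines repositories, of the two checks described in the comment above: look up fields of `netsh http show sslcert` output by key instead of by line position, and compare the endpoint exactly so that 443 does not also match 44311. The function names and the sample output are constructed for illustration, and the field names assume English-language netsh output.

```powershell
# Constructed sample in the layout of `netsh http show sslcert`; hashes and
# application IDs are placeholders, and the blank-line counts differ on purpose.
$sample = @'
SSL Certificate bindings:
-------------------------

    IP:port                      : 0.0.0.0:443
    Certificate Hash             : 1111111111111111111111111111111111111111
    Application ID               : {00000000-0000-0000-0000-000000000001}
    Certificate Store Name       : MY


    IP:port                      : 0.0.0.0:44311
    Certificate Hash             : 2222222222222222222222222222222222222222
    Application ID               : {00000000-0000-0000-0000-000000000002}
    Certificate Store Name       : MY
'@ -split '\r?\n'

# Hypothetical helper: emit one ordered dictionary per binding, keyed by field name.
# Lines that are not "key : value" (headers, rules, blank lines) are skipped.
function ConvertFrom-NetshSslCert {
    param([string[]]$Lines)
    $current = $null
    foreach ($line in $Lines) {
        if ($line -match '^\s*(?<key>\S.*?)\s+:\s(?<value>.*)$') {
            $key = $Matches['key']
            $value = $Matches['value'].Trim()
            if ($key -in 'IP:port', 'Hostname:port') {
                if ($null -ne $current) { $current }   # emit the previous record
                $current = [ordered]@{ Endpoint = $value }
            } elseif ($null -ne $current) {
                $current[$key] = $value
            }
        }
    }
    if ($null -ne $current) { $current }
}

# Hypothetical helper: classify the binding for one endpoint against the wanted thumbprint.
function Get-SslCertBindingState {
    param([string[]]$NetshOutput, [string]$Endpoint, [string]$Thumbprint)
    # Thumbprints pasted from the certificate UI can carry spaces or hidden characters.
    $wanted = $Thumbprint -replace '[^0-9A-Fa-f]', ''
    $binding = ConvertFrom-NetshSslCert -Lines $NetshOutput |
        Where-Object { $_['Endpoint'] -eq $Endpoint } |   # exact match, not substring
        Select-Object -First 1
    if ($null -eq $binding) { return 'Absent' }
    if ($binding['Certificate Hash'] -eq $wanted) { return 'Match' }
    return 'DifferentCertificate'
}

Get-SslCertBindingState -NetshOutput $sample -Endpoint '0.0.0.0:443' -Thumbprint ('11 ' * 20)
Get-SslCertBindingState -NetshOutput $sample -Endpoint '0.0.0.0:443' -Thumbprint ('2' * 40)
Get-SslCertBindingState -NetshOutput $sample -Endpoint '0.0.0.0:4431' -Thumbprint ('2' * 40)
```

A deployment script can use the three states to decide whether to skip, replace, or add the binding before calling `netsh http add sslcert`.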
Hi @yepeekai @coolhome
I tested the refactored method, and everything looks good.
The only concern I see is that I'm not sure this is the correct place for the fix.
Because we have TaskModules/powershell, where you made a fix. And I'm not sure that the task is not using this module.
Because the tasks have their own AppCmdOnTargetMachines.ps1 scripts.
I'll try to test these changes in the real environment.
Would be great to get this MR merged in the near future... We are running into this issue as well.
@LeftTwixWand I can confirm this is the wrong file modified! I wonder what the history is for why IIS Tasks didn't inherit from this other AppCmdOnTargetMachines.ps1. I'm a big fan of the new functions introduced in this PR.
Additional related PRs that can likely be closed once this is merged: https://github.com/microsoft/azure-pipelines-extensions/pull/1134 https://github.com/microsoft/azure-pipelines-extensions/pull/993/files
That's sad. Maybe still begin with this PR and then replicate the changes over to the other place
Hey @yepeekai @coolhome @CJohannimloh I know that this issue is taken by a few colleagues from my team. Let me ask them about the progress.
Hey @yepeekai @coolhome @CJohannimloh can some of you provide the next information and I'll try to complete this PR ASAP:
This would help me a lot. Because I still have other high priority work to do. But I really want to unblock you, and this would extremely speed up the process.
Hey @LeftTwixWand,
sure i can give some information.
Affected task: IISWebAppManagementOnMachineGroup@0
Install-WindowsFeature Web-Server,Web-WebServer,Web-Common-Http,Web-Default-Doc,Web-Dir-Browsing,Web-Http-Errors,Web-Static-Content,Web-Health,Web-Http-Logging,Web-Performance,Web-Stat-Compression,Web-Security,Web-Filtering,Web-Basic-Auth,Web-Windows-Auth,Web-App-Dev,Web-Net-Ext45,Web-ASP,Web-Asp-Net45,Web-ISAPI-Ext,Web-ISAPI-Filter,Web-Mgmt-Tools,Web-Mgmt-Console,Web-Mgmt-Service,NET-Framework-45-Features,NET-Framework-45-Core,NET-Framework-45-ASPNET,NET-WCF-Services45,NET-WCF-HTTP-Activation45,NET-WCF-TCP-PortSharing45,WAS,WAS-Process-Model,WAS-Config-APIs
Run this Task twice (requires a SSL Thumbprint)
First one should succeed and then it fails every time because BindingConfiguration can't run
- task: IISWebAppManagementOnMachineGroup@0
  inputs:
    IISDeploymentType: 'IISWebsite'
    ActionIISWebsite: 'CreateOrUpdateWebsite'
    WebsiteName: 'testwebsite'
    WebsitePhysicalPath: '%SystemDrive%\inetpub\wwwroot\testwebsite'
    WebsitePhysicalPathAuth: 'WebsiteUserPassThrough'
    CreateOrUpdateAppPoolForWebsite: true
    AppPoolNameForWebsite: 'testapppoool'
    DotNetVersionForWebsite: 'No Managed Code'
    ConfigureAuthenticationForWebsite: true
    AnonymousAuthenticationForWebsite: true
    AddBinding: true
    Bindings: |
      {
        bindings:[
          {
            "protocol":"http",
            "ipAddress":"*",
            "hostname":"",
            "port":"80",
            "sslThumbprint":"",
            "sniFlag":false
          },
          {
            "protocol":"https",
            "ipAddress":"*",
            "hostname":"",
            "port":"443",
            "sslThumbprint":"$(Thumbprint)",
            "sniFlag":false
          }
        ]
      }
Hey @CJohannimloh thank you so much for your help. We're already working on it.
@LeftTwixWand in addition this is the area we forget.
I'm using the same as above, but you need to enter in the remote host information. The one above was for Deployment Groups where this is using WinRM to deploy.
- task: IISWebAppMgmt@3
  inputs:
    machinesList: '$(RemoteHostname)'
    AdminUserName: '$(RemoteUser)'
    AdminPassword: '$(RemotePass)'
    WinRMProtocol: Http
    WebsiteName: 'testwebsite'
    WebsitePhysicalPath: '%SystemDrive%\inetpub\wwwroot\testwebsite'
    AddBinding: true
    CreateOrUpdateAppPoolForWebsite: true
    ConfigureAuthenticationForWebsite: true
    Protocol: https
    Port: 443
    ServerNameIndication: false
    SSLCertThumbPrint: '$(Thumbprint)'
    AppPoolNameForWebsite: 'testapppoool'
    AnonymousAuthenticationForWebsite: true
    WindowsAuthenticationForWebsite: false
Hey @yepeekai and @coolhome may I ask a question about these code changes?
Why were they done in TaskModules/powershell/TaskModuleIISManageUtility/AppCmdOnTargetMachines.ps1?
I don't see that this module has been used in IIS Web App Deployment Using WinRM.
Did I miss something?
Because when I go to the task folder on the build agent I can see this:
But this file is part of the task code, not the TaskModules:
My understanding of azure tasks stuff is limited... LeftTwixWand made a comment in that regard on July 26th if you go up in the history of this PR. It in fact appears that I did modify at the wrong place, this piece of code is duplicated and I chose the wrong one when I searched for specific patterns. On my side I am not able to test azure directly with this, so I copied the part that I thought was used and executed it on my machine (and a dev server we have). I suggested to correct it here and then port the solution to the other place.
@yepeekai thank you so much for this response.
I was also confused, because AppCmdOnTargetMachines exists in multiple places.
So, I thought we were missing something.
Looks like TaskModules was used in the past, but now each task has its own AppCmdOnTargetMachines.
Anyway, thank you for this pr, I'm sure it will be merged soon. Just a few more tests needed.
Hey @LeftTwixWand,
sure i can give some information.
- Affected task: IISWebAppManagementOnMachineGroup@0
How to reproduce:
- Create a hosted Server 2022 Agent
- Install Basic IIS (Powershell)
Install-WindowsFeature Web-Server,Web-WebServer,Web-Common-Http,Web-Default-Doc,Web-Dir-Browsing,Web-Http-Errors,Web-Static-Content,Web-Health,Web-Http-Logging,Web-Performance,Web-Stat-Compression,Web-Security,Web-Filtering,Web-Basic-Auth,Web-Windows-Auth,Web-App-Dev,Web-Net-Ext45,Web-ASP,Web-Asp-Net45,Web-ISAPI-Ext,Web-ISAPI-Filter,Web-Mgmt-Tools,Web-Mgmt-Console,Web-Mgmt-Service,NET-Framework-45-Features,NET-Framework-45-Core,NET-Framework-45-ASPNET,NET-WCF-Services45,NET-WCF-HTTP-Activation45,NET-WCF-TCP-PortSharing45,WAS,WAS-Process-Model,WAS-Config-APIs
- Run this Task twice (requires a SSL Thumbprint)
- First one should succeed and then it fails every time because BindingConfiguration can't run
I have a somewhat identical setup, one http and one https with "sniFlag": true. Both with a specified hostname, otherwise pretty much the same.
The first run everything is set up just fine, all following runs result in:
SSL Certificate add failed, Error: 183
Cannot create a file when that file already exists.
##[error]Process 'netsh' exited with code '1'.
Is this because of the same issues mentioned in this thread?
I have something more like
- task: IISWebAppManagementOnMachineGroup@0
  displayName: 'Create: Website & AppPool'
  inputs:
    IISDeploymentType: 'IISWebsite'
    ActionIISWebsite: 'CreateOrUpdateWebsite'
    ActionIISApplicationPool: 'CreateOrUpdateAppPool'
    WebsiteName: '$(iis.siteName)'
    WebsitePhysicalPath: '$(iis.wwwRootPath)\${{ parameters.versionedFolderName }}\'
    WebsitePhysicalPathAuth: 'WebsiteUserPassThrough'
    CreateOrUpdateAppPoolForWebsite: true
    AppPoolNameForWebsite: '$(iis.appPoolName)'
    DotNetVersionForWebsite: 'No Managed Code'
    PipeLineModeForWebsite: 'Integrated'
    AppPoolIdentityForWebsite: '${{ parameters.appPoolIdentity }}'
    AppPoolUsernameForWebsite: '$(iis.appPoolUsername)'
    AppPoolPasswordForWebsite: '$(iis.appPoolPassword)'
    AddBinding: true
    Bindings: |
      {
        bindings: [
          {
            "protocol":"http",
            "ipAddress":"*",
            "hostname":"thedomainname.com",
            "port":"80",
            "sslThumbprint":"",
            "sniFlag":false
          },
          {
            "protocol":"http",
            "ipAddress":"*",
            "hostname":"localhost",
            "port":"80",
            "sslThumbprint":"",
            "sniFlag":false
          },
          {
            "protocol":"https",
            "ipAddress":"*",
            "hostname":"thedomainname.com",
            "port":"443",
            "sslThumbprint":"$(iis.sslThumbprint)",
            "sniFlag":true
          }
        ]
      }
Running into the same issue with the same setup as @jonascarlbaum. First time always works, second time I get the error
SSL Certificate add failed, Error: 183
Cannot create a file when that file already exists.
##[error]Process 'netsh' exited with code '1'.
Any update on this @LeftTwixWand
Yep, this is really bad @scsloan. Did a workaround, can't copy on my phone right now, but can screenshot the outline of the task I run prior this one now.
The missing part on bottom line is =thedomainname.com:443"
I feel this workaround is not a valid solution in the long run…
Thanks for sharing your workaround @jonascarlbaum.
No problems @scsloan!
But I would love a permanent fix!
@LeftTwixWand are these issues going to be addressed and fixed any time soon?
Why hasn't this PR been merged? I'm having this problem and would really appreciate to have it fixed.
Think the fix isn't in the correct files. But I had hopes someone had solved this after such a long time… Since the issue is easily reproducible it would be something that just should be solved. More and more people will get trouble using these tasks…
Yes. Frankly, how do we request priority on these issues? The task seems to have been abandoned 5 years ago - no new commits for five years!? But as far as I know the deployment group/agent approach for DevOps release pipelines hasn't been deprecated, so the task needs to keep up.
@coolhome @LeftTwixWand any update on this? We are waiting to move from TeamCity/Octopus to AzurePipelines and this is a major roadblock for us as we would like to be able to target Windows Server 2022 for our deployments.
Any updates on this topic?
@CJohannimloh I haven't heard anything back. So instead we are looking at just disable Add Bindings as part of this task and instead use Powershell script to add bindings.
@colhouse-hakh: Ye sure. We are doing the same but still want a better solution
Hi @colhouse-hakh @CJohannimloh, Can anyone of you please share the debugged logs of the pipeline? It would be beneficial for us to know the issue in more detail.
What exactly do you need? I guessed all the information is available in the PR
We need pipeline logs because we made a similar fix for the issue, but many of you are still having some issues. https://github.com/microsoft/azure-pipelines-extensions/pull/1220
Of course we can't mess with current production environments. It's easier doing such things during the time you build the pipeline.
But the only relevant part of the logs still seems to be the part
SSL Certificate add failed, Error: 183
Cannot create a file when that file already exists.
##[error]Process 'netsh' exited with code '1'.
@v-schhabra Here are the logs for a deployment that failed
2024-05-01T10:26:00.6238324Z ##[section]Starting: Create/Update Web Site
2024-05-01T10:26:01.1665499Z ==============================================================================
2024-05-01T10:26:01.1667818Z Task : IIS web app manage
2024-05-01T10:26:01.1668987Z Description : Create or update websites, web apps, virtual directories, or application pools
2024-05-01T10:26:01.1669561Z Version : 0.238.0
2024-05-01T10:26:01.1673061Z Author : Microsoft Corporation
2024-05-01T10:26:01.1674335Z Help : https://docs.microsoft.com/azure/devops/pipelines/tasks/deploy/iis-web-app-management-on-machine-group
2024-05-01T10:26:01.1675215Z ==============================================================================
2024-05-01T10:26:19.3145903Z ##[command]"C:\Windows\system32\inetsrv\appcmd.exe" list apppool /name:"WebSite"
2024-05-01T10:26:20.4391239Z ##[command]"C:\Windows\system32\inetsrv\appcmd.exe" add apppool /name:"WebSite"
2024-05-01T10:26:20.7692289Z APPPOOL object "WebSite" added
2024-05-01T10:26:20.9568474Z ##[command]"C:\Windows\system32\inetsrv\appcmd.exe" set apppool /apppool.name:"WebSite" -managedRuntimeVersion:v4.0 -managedPipelineMode:Integrated -processModel.identityType:SpecificUser -processModel.userName:"username" -processModel.password:"*"
2024-05-01T10:26:21.3089032Z APPPOOL object "WebSite" changed
2024-05-01T10:26:21.3641320Z ##[command]"C:\Windows\system32\inetsrv\appcmd.exe" list site /name:"WebSite"
2024-05-01T10:26:21.6888764Z ##[command]"C:\Windows\system32\inetsrv\appcmd.exe" add site /name:"WebSite" /physicalPath:"D:\IISSites\WebSite"
2024-05-01T10:26:22.0018947Z SITE object "WebSite" added
2024-05-01T10:26:22.0019766Z APP object "WebSite/" added
2024-05-01T10:26:22.0022428Z VDIR object "WebSite/" added
2024-05-01T10:26:22.2290692Z
2024-05-01T10:26:22.2439282Z
2024-05-01T10:26:22.2746937Z Directory: D:\IISSites
2024-05-01T10:26:22.2747951Z
2024-05-01T10:26:22.2750072Z
2024-05-01T10:26:22.3004034Z Mode LastWriteTime Length Name
2024-05-01T10:26:22.3034457Z ---- ------------- ------ ----
2024-05-01T10:26:22.3099087Z d----- 5/1/2024 8:26 PM WebSite
2024-05-01T10:26:22.3672388Z ##[command]"C:\Windows\system32\inetsrv\appcmd.exe" set site /site.name:"WebSite" -applicationDefaults.applicationPool:"WebSite" -[path='/'].[path='/'].physicalPath:"D:\IISSites\WebSite" -[path='/'].[path='/'].userName: -[path='/'].[path='/'].password:
2024-05-01T10:26:22.7064599Z SITE object "WebSite" changed
2024-05-01T10:26:22.8631466Z ##[command]"C:\Windows\system32\inetsrv\appcmd.exe" list sites
2024-05-01T10:26:23.2581176Z ##[command]"C:\Windows\system32\inetsrv\appcmd.exe" set site /site.name:"WebSite" /+bindings.[protocol='https',bindingInformation=':443:website.xxxxxx.com.au']
2024-05-01T10:26:23.6242453Z SITE object "WebSite" changed
2024-05-01T10:26:23.7042966Z ##[command]"netsh" http show sslcert ipport=0.0.0.0:443
2024-05-01T10:26:24.0984427Z ##[command]"netsh" http add sslcert ipport=0.0.0.0:443 certhash= appid={****----****} certstorename=MY
2024-05-01T10:26:24.5099595Z
2024-05-01T10:26:24.5100361Z SSL Certificate add failed, Error: 183
2024-05-01T10:26:24.5110360Z Cannot create a file when that file already exists.
2024-05-01T10:26:24.5110801Z
2024-05-01T10:26:24.5110975Z
2024-05-01T10:26:25.2302820Z ##[error]Process 'netsh' exited with code '1'.
2024-05-01T10:26:25.5587658Z ##[section]Finishing: Create/Update WebSite Site
The error is described in more detail in issue #1008, which has all the details you require for this ticket. This ticket was also mentioned by @coolhome in this PR on 23rd May 2023.
Support multiple certificate and different number of empty lines for netsh. fix #919