I am deploying an IIS website that has two HTTPS site bindings that use different SSL certificates.
I am running into the following exception:
Executing feature-class 'Calamari.Deployment.Features.IisWebSiteAfterPostDeployFeature'
System.Exception: Could not find certificate with thumbprint '<redacted>' in store Cert:\LocalMachine\Root
   at Calamari.Integration.Certificates.WindowsX509CertificateStore.AddPrivateKeyAccessRules(String thumbprint, StoreLocation storeLocation, String storeName, ICollection`1 privateKeyAccessRules)
   at Calamari.Deployment.Features.IisWebSiteAfterPostDeployFeature.EnsureApplicationPoolHasCertificatePrivateKeyAccess(VariableDictionary variables)
   at Calamari.Deployment.Features.IisWebSiteAfterPostDeployFeature.Execute(RunningDeployment deployment)
   at Calamari.Deployment.Conventions.FeatureConventionBase.ExecuteFeatureClasses(RunningDeployment deployment, String feature)
   at Calamari.Deployment.Conventions.FeatureConventionBase.Run(RunningDeployment deployment)
You can see that both certificates are found, but in two different locations:
- First store name
- Second store name
I dug into the code a bit and in iisWebSiteBeforeDeployFeature.cs the site bindings are iterated over:
But notice that the SpecialVariables.Action.IisWebSite.Output.CertificateStoreName is set to the last certificate store name we found in all site bindings.
In iisWebSiteAfterPostDeployFeature.cs we reference SpecialVariables.Action.IisWebSite.Output.CertificateStoreName for each binding that we are checking and it is possible that this store name might not always be the same (as shown in my example):
Which ultimately results in the following exception:
Digging further, when you choose an SSL cert for an IIS site binding, certs are presented from either the Personal or Web Hosting store. With this, shouldn’t these scripts above be looking in the Personal or Web Hosting store only and not the Root store?
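
Added example (not part of the original post and not Calamari code): a PowerShell diagnostic that resolves the certificate store per HTTPS binding instead of using one store name for the whole site, and reports whether each certificate and its private key are actually present there. It assumes the WebAdministration module is installed and the session is elevated; the site name is a placeholder.

```powershell
# Added diagnostic sketch. 'Default Web Site' is a placeholder site name.
param([string]$SiteName = 'Default Web Site')

Import-Module WebAdministration

Get-WebBinding -Name $SiteName -Protocol https | ForEach-Object {
    $binding    = $_
    $thumbprint = $binding.certificateHash
    $storeName  = $binding.certificateStoreName   # store recorded on THIS binding

    # Look the certificate up in the store this binding points at.
    $cert = $null
    if ($thumbprint -and $storeName) {
        $certPath = "Cert:\LocalMachine\$storeName\$thumbprint"
        if (Test-Path -LiteralPath $certPath) {
            $cert = Get-Item -LiteralPath $certPath
        }
    }

    # Independently list every LocalMachine store that holds the thumbprint,
    # so a mismatch between binding and store is visible at a glance.
    $foundIn = @()
    if ($thumbprint) {
        $foundIn = Get-ChildItem Cert:\LocalMachine |
            Where-Object { Test-Path -LiteralPath "Cert:\LocalMachine\$($_.Name)\$thumbprint" } |
            ForEach-Object { $_.Name }
    }

    [pscustomobject]@{
        Binding        = $binding.bindingInformation
        BindingStore   = $storeName
        Thumbprint     = $thumbprint
        InBindingStore = [bool]$cert
        HasPrivateKey  = if ($cert) { $cert.HasPrivateKey } else { $false }
        StoresWithCert = $foundIn -join ', '
    }
} | Format-Table -AutoSize
```

A row where `InBindingStore` is false, or where `BindingStore` differs between rows, is the condition in which a single site-wide store name cannot be correct for every binding.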