Could not set security on private-key when deploying package to IIS

Hi,

In one of our environments we’re getting the following error when deploying a package to IIS.

I have found another post with what appears to be the same/similar issue, but the resolution doesn’t work for us: “Could not set security on private-key”.

Both the app pool and Octopus service accounts have system admin rights. They also have full control over the folder C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys.

I have also tried removing the certificates from the certificate store and re-adding.

Do you have any ideas what might be causing this issue?

ERROR
IIS configuration complete
14:48:43 Verbose | Deleting ‘c:\Program Files\Dataract\e5\WebServices\Octopus.Features.IISWebSite_BeforePostDeploy.ps1’
14:48:43 Verbose | Executing feature-class ‘Calamari.Deployment.Features.IisWebSiteAfterPostDeployFeature’
14:48:43 Error | System.Exception: Could not set security on private-key ---> System.Security.Cryptography.CryptographicException: Access is denied.
14:48:43 Error | at Calamari.Integration.Certificates.WindowsX509CertificateStore.SetCspPrivateKeySecurity(SafeCertContextHandle certificate, ICollection`1 accessRules)
14:48:43 Error | at Calamari.Integration.Certificates.WindowsX509CertificateStore.AddPrivateKeyAccessRules(ICollection`1 accessRules, SafeCertContextHandle certificate)
14:48:43 Error | --- End of inner exception stack trace ---
14:48:43 Error | at Calamari.Integration.Certificates.WindowsX509CertificateStore.AddPrivateKeyAccessRules(ICollection`1 accessRules, SafeCertContextHandle certificate)
14:48:43 Error | at Calamari.Integration.Certificates.WindowsX509CertificateStore.AddPrivateKeyAccessRules(String thumbprint, StoreLocation storeLocation, String storeName, ICollection`1 privateKeyAccessRules)
14:48:43 Error | at Calamari.Deployment.Features.IisWebSiteAfterPostDeployFeature.EnsureApplicationPoolHasCertificatePrivateKeyAccess(VariableDictionary variables)
14:48:43 Error | at Calamari.Deployment.Features.IisWebSiteAfterPostDeployFeature.Execute(RunningDeployment deployment)
14:48:43 Error | at Calamari.Deployment.Conventions.FeatureConventionBase.ExecuteFeatureClasses(RunningDeployment deployment, String feature)
14:48:43 Error | at Calamari.Deployment.Conventions.FeatureConventionBase.Run(RunningDeployment deployment)
14:48:43 Error | at Calamari.Deployment.ConventionProcessor.RunInstallConventions()
14:48:43 Error | at Calamari.Deployment.ConventionProcessor.RunConventions()
14:48:43 Error | Running rollback conventions…
14:48:43 Verbose | Adding journal entry:
14:48:43 Verbose |
14:48:43 Error | Could not set security on private-key
14:48:43 Error | System.Exception
14:48:43 Error | at Calamari.Integration.Certificates.WindowsX509CertificateStore.AddPrivateKeyAccessRules(ICollection`1 accessRules, SafeCertContextHandle certificate)
14:48:43 Error | at Calamari.Integration.Certificates.WindowsX509CertificateStore.AddPrivateKeyAccessRules(String thumbprint, StoreLocation storeLocation, String storeName, ICollection`1 privateKeyAccessRules)
14:48:43 Error | at Calamari.Deployment.Features.IisWebSiteAfterPostDeployFeature.EnsureApplicationPoolHasCertificatePrivateKeyAccess(VariableDictionary variables)
14:48:43 Error | at Calamari.Deployment.Features.IisWebSiteAfterPostDeployFeature.Execute(RunningDeployment deployment)
14:48:43 Error | at Calamari.Deployment.Conventions.FeatureConventionBase.ExecuteFeatureClasses(RunningDeployment deployment, String feature)
14:48:43 Error | at Calamari.Deployment.Conventions.FeatureConventionBase.Run(RunningDeployment deployment)
14:48:43 Error | at Calamari.Deployment.ConventionProcessor.RunInstallConventions()
14:48:43 Error | at Calamari.Deployment.ConventionProcessor.RunConventions()
14:48:43 Error | at Calamari.Commands.DeployPackageCommand.Execute(String[] commandLineArguments)
14:48:43 Error | at Calamari.Program.Execute(String[] args)
14:48:43 Error | --Inner Exception--
14:48:43 Error | Access is denied.
14:48:43 Error | System.Security.Cryptography.CryptographicException
14:48:43 Error | at Calamari.Integration.Certificates.WindowsX509CertificateStore.SetCspPrivateKeySecurity(SafeCertContextHandle certificate, ICollection`1 accessRules)
14:48:43 Error | at Calamari.Integration.Certificates.WindowsX509CertificateStore.AddPrivateKeyAccessRules(ICollection`1 accessRules, SafeCertContextHandle certificate)
14:48:43 Verbose | Process C:\Windows\system32\WindowsPowershell\v1.0\PowerShell.exe in C:\Octopus\Work\20200122034833-62252-198 exited with code 100
14:48:43 Verbose | Updating manifest with output variables
14:48:43 Verbose | Updating manifest with action evaluated variables
14:48:43 Fatal | The remote script failed with exit code 100

Hi @pnolan,

Thanks for getting in touch!

I’ve responded to the email you sent through, so we can continue to troubleshoot this there, if that is OK?

Regards,
Paul