When removing an HTTPS binding that is bound to all IPs ('*'/''/'0.0.0.0'), it clears the cert from all other HTTPS bindings on the same port, leaving them with no cert and breaking HTTPS.
The issue occurs when this line from Calamari is executed: https://github.com/OctopusDeploy/Calamari/blob/d289c5d950022dd60cc9e547168464cbfd02d438/source/Calamari/Scripts/Octopus.Features.IISWebSite_BeforePostDeploy.ps1#L719
So this gets executed: netsh http delete sslcert ipport="0.0.0.0:443"
and all of the bindings that used that cert get cleared and are left without a cert on the binding, breaking SSL.
Here is what it looks like in the logs:
14:00:12 Verbose | Acquired SemaphoreInstance Global\Octopus-IIS-Metabase
14:00:12 Info | Comparing existing IIS bindings with configured bindings...
14:00:12 Info | Found existing non-configured binding: http *:80:redacted1.domain.com
14:00:12 Info | Found existing non-configured binding: http *:80:redacted2.domain.com
14:00:12 Info | Found existing non-configured binding: http *:80:redacted3.domain.com
14:00:12 Info | Found existing non-configured binding: http *:80:redacted4.domain.com
14:00:12 Info | Found existing non-configured binding: https *:443:env-redacted1.domain.com
14:00:12 Info | Found existing non-configured binding: http *:80:env-redacted1.domain.com
14:00:12 Info | Existing IIS bindings do not match configured bindings.
14:00:12 Info | Clearing IIS bindings
14:00:12 Info | Assigning binding: http *:80:redacted.domain.com
14:00:12 Info | Assigning binding: https *:443:redacted.domain.com
14:00:12 Info | Removing unused SSL certificate binding: 0.0.0.0:443
14:00:12 Info | SSL Certificate successfully deleted
14:00:12 Info | 0
14:00:12 Verbose | Acquired SemaphoreInstance Global\Octopus-IIS-Metabase
14:00:12 Info | Anonymous authentication enabled: True
14:00:12 Info | Applied configuration changes to section "system.webServer/security/authentication/anonymousAuthentication" for "MACHINE/WEBROOT/APPHOST/REDACTED" at configuration commit path "MACHINE/WEBROOT/APPHOST"
14:00:12 Info | 0
Since *:443:env-redacted1.domain.com is *:443, when it tries to remove that binding it clears all of the bindings, since several other bindings are also on *:443.
I think this issue only started when I started using Octopus Deploy's new built-in certificate store to apply my certs to the bindings.
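A sketch of the guard that would avoid the behaviour reported above, as an added example that is not Calamari's code: before deleting an sslcert entry, check whether any remaining HTTPS binding on the server still maps to the same ip:port. The function names, site names and the example.com host are hypothetical, the binding list is constructed sample data, and bindings are assumed to be non-SNI (ipport-based).

```powershell
# Added example; function names and sample data are hypothetical.
function ConvertTo-SslCertIpPort {
    param([Parameter(Mandatory)][string]$BindingInformation)
    # IIS bindingInformation is "ip:port:host"; IPv6 addresses are bracketed.
    if ($BindingInformation -notmatch '^(?<ip>\[[^\]]+\]|[^:]*):(?<port>\d+):(?<host>.*)$') {
        throw "Unrecognised bindingInformation: $BindingInformation"
    }
    $ip = $Matches['ip']
    # '*', empty and 0.0.0.0 all mean "all IPs" and share one sslcert entry.
    if ($ip -in @('*', '', '0.0.0.0')) { $ip = '0.0.0.0' }
    return "${ip}:$($Matches['port'])"
}

function Get-SslCertIpPortUsers {
    param(
        [Parameter(Mandatory)][string]$IpPort,
        [Parameter(Mandatory)][AllowEmptyCollection()][object[]]$Bindings
    )
    # Return every HTTPS binding whose ip:port resolves to the entry in question.
    $Bindings | Where-Object {
        $_.Protocol -eq 'https' -and
        (ConvertTo-SslCertIpPort $_.BindingInformation) -eq $IpPort
    }
}

# Constructed sample: bindings across all sites after the deployed site
# has had its own bindings reassigned (as in the log above).
$remaining = @(
    [pscustomobject]@{ Site = 'DeployedSite'; Protocol = 'http';  BindingInformation = '*:80:redacted.domain.com' }
    [pscustomobject]@{ Site = 'DeployedSite'; Protocol = 'https'; BindingInformation = '*:443:redacted.domain.com' }
    [pscustomobject]@{ Site = 'OtherSite';    Protocol = 'https'; BindingInformation = '0.0.0.0:443:other.example.com' }
    [pscustomobject]@{ Site = 'OtherSite';    Protocol = 'https'; BindingInformation = '10.0.0.5:443:other.example.com' }
)

$target = '0.0.0.0:443'
$users  = @(Get-SslCertIpPortUsers -IpPort $target -Bindings $remaining)

if ($users.Count -gt 0) {
    $list = ($users | ForEach-Object { "$($_.Site) [$($_.BindingInformation)]" }) -join ', '
    Write-Output "Keeping sslcert $target; still used by: $list"
} else {
    Write-Output "No HTTPS binding uses $target; it can be deleted."
}
```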