[BUG] Task 'IIS web app manage' fails to update existing https binding with updated certificate thumbprint #15419

Closed
bjuraga opened this issue Oct 20, 2021 · 2 comments

bjuraga commented Oct 20, 2021

Question, Bug, or Feature?
Type: Bug

Enter Task Name: IIS web app manage

Environment

  • Server - Azure Pipelines
  • Agent - Private
    • OS of the machine running the agent: Windows_NT 10.0.14393
    • agent version: 2.192.0

Issue Description

The issue happens when you use the 'IIS web app manage' task to Create or Update an IIS Website that has existing https binding.

When using SNI it is common to generate a new certificate when you change the hostnames for the SSL certificate. A common scenario would be adding a new API component, for example. When you generate a new certificate with the added hostname for SNI, you get a different certificate thumbprint.

Using the task 'IIS web app manage', during deployment, if you opt in to add bindings and you add an https binding with the new certificate thumbprint and use SNI, the task group fails with the error below.

The reason is that there already is a binding but it only has a different thumbprint.

Suspect code:
In the 'Add-SslCert' function here there is this check:

    if($isItSameBinding -and $isItSameCert)
    {
        Write-Verbose "SSL cert binding already present.. returning"
        return
    }

which I would suggest to change to:

    if($isItSameBinding)
    {
        if($isItSameCert)
        {
            Write-Verbose "SSL cert binding already present with same certificate.. returning"
            return
        }
        else
        {
            Write-Verbose "SSL cert binding already present with different certificate.. removing the binding"
            # $removeCertCmd is equal to $addCertCmd except instead of the add command it uses delete (update is also an option)
            Run-Command -command $removeCertCmd
        }
    }

Task logs and Error logs

##[section]Starting: Create IIS Website and AppPool ***redacted***
==============================================================================
Task         : IIS web app manage
Description  : Create or update websites, web apps, virtual directories, or application pools
Version      : 0.5.15
Author       : Microsoft Corporation
Help         : https://docs.microsoft.com/azure/devops/pipelines/tasks/deploy/iis***web***app***management***on***machine***group
==============================================================================
##[command]"C:\Windows\system32\inetsrv\appcmd.exe"  list apppool /name:"***redacted***"
##[command]"C:\Windows\system32\inetsrv\appcmd.exe"  set apppool /apppool.name:"p***redacted***" ***managedRuntimeVersion: ***managedPipelineMode:Integrated ***processModel.identityType:ApplicationPoolIdentity
APPPOOL object "***redacted***" changed
##[command]"C:\Windows\system32\inetsrv\appcmd.exe"  list site /name:"***redacted***"
##[command]"C:\Windows\system32\inetsrv\appcmd.exe"  set site /site.name:"***redacted***" ***applicationDefaults.applicationPool:"***redacted***" ***[path='/'].[path='/'].physicalPath:"***redacted***" ***[path='/'].[path='/'].userName: ***[path='/'].[path='/'].password:
SITE object "***redacted***" changed
##[command]"C:\Windows\system32\inetsrv\appcmd.exe"  list sites
##[command]"netsh" http show sslcert hostnameport=***redacted***:443
##[command]"netsh" http add sslcert hostnameport=***redacted***:443 certhash=***redacted*** appid={***redacted***} certstorename=MY

SSL Certificate add failed, Error: 183
Cannot create a file when that file already exists.


##[error]Process 'netsh' exited with code '1'.
##[section]Finishing: Create IIS Website and AppPool ***redacted***
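
The decision the issue asks for (no binding: add; same thumbprint: nothing; different thumbprint: delete, then add), as an added PowerShell example that is not the task's code or the fix from the referenced PR. The function names are hypothetical, the `netsh http show sslcert` output is a constructed sample, and the parser assumes English `netsh` labels.

```powershell
# Added example. Function names are hypothetical; nothing here executes netsh,
# it only returns the command lines a deployment step would need to run.
function Get-BoundThumbprint {
    param([string[]]$NetshOutput)
    # An existing binding is reported as "Certificate Hash : <hex>"
    # (assumption: English-language netsh output).
    foreach ($line in $NetshOutput) {
        if ($line -match '^\s*Certificate Hash\s*:\s*([0-9A-Fa-f]+)\s*$') {
            return $Matches[1].ToUpperInvariant()
        }
    }
    return $null   # no binding exists for this hostname:port
}

function Get-SslBindingPlan {
    param(
        [string[]]$NetshOutput,
        [string]$HostnamePort,
        [string]$Thumbprint,
        [string]$AppId
    )
    # Thumbprints copied from certificate dialogs may contain spaces or mixed case.
    $wanted = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
    $bound  = Get-BoundThumbprint -NetshOutput $NetshOutput
    $add    = "netsh http add sslcert hostnameport=$HostnamePort certhash=$wanted appid=$AppId certstorename=MY"

    if ($null -eq $bound)   { return @($add) }   # first deployment: just add
    if ($bound -eq $wanted) { return @() }       # already bound to this certificate
    # Same hostname:port, different certificate: adding would fail with error 183,
    # so the old binding has to be deleted first.
    return @("netsh http delete sslcert hostnameport=$HostnamePort", $add)
}

# Constructed sample of 'netsh http show sslcert hostnameport=api.example.test:443'
$sample = @(
    'SSL Certificate bindings:',
    '-------------------------',
    '    Hostname:port                : api.example.test:443',
    '    Certificate Hash             : 1111111111111111111111111111111111111111',
    '    Application ID               : {00000000-0000-0000-0000-000000000000}',
    '    Certificate Store Name       : MY'
)

# The renewed certificate has a new (constructed) thumbprint, so two commands come back.
Get-SslBindingPlan -NetshOutput $sample -HostnamePort 'api.example.test:443' `
    -Thumbprint '22 22 22 22 22 22 22 22 22 22 22 22 22 22 22 22 22 22 22 22' `
    -AppId '{00000000-0000-0000-0000-000000000000}'
```
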
@github-actions

This issue is stale because it has been open for 180 days with no activity. Remove the stale label or comment on the issue otherwise this will be closed in 5 days

Contributor

v-schhabra commented Feb 2, 2024

Hi @coolhome, @milliamp
The mentioned issue has been fixed in this PR microsoft/azure-pipelines-extensions#1220
Could you please use the IISWebAppManagementV3 version of the task and test if it is working fine?
