4

I'm trying to deploy multiple websites to a single host running IIS from TFS 2015. I'm trying to have all sites use the "Server Name Indication Required" option so that they all can run under the same IP address. (This setup works fine in IIS if I manually set everything up -- my question / problem comes from deploying from TFS 2015).

The FIRST site in the deploy chain works fine, but the any subsequent one seems to fail with the following error:

System.Exception:  SSL Certificate add failed, Error: 183 Cannot create a file when that file already exists.

Each of the sites I'm deploying has a different SSL certificate and I've imported them all properly to the Local Machine\Personal store.

A screenshot of the release definition with the "IIS Web App Management" task highlighted is shown below.

enter image description here

Any suggestions on how to resolve this error within the release definition so that I can deploy cleanly without manual intervention?

I guess one thing I could try is to do ALL of the IIS management steps from PowerShell but was hoping to use the tools a little more fully rather than rolling new scripts to do what it seems that they SHOULD be able to do natively.

Any insight is appreciated.

Erik Dahl
  • 478
  • 5
  • 12
  • I had this error message, and the problem turned out to be that I was using the wrong SSL certificate thumb print in the IIS App Management task. I had cloned environments and didn't update the value. – Francis Dean Apr 15 '19 at 14:39

2 Answers2

1

The error message will appear if you try to bind the certificate to a port which is already binded to this or another certificate.

You can try to set different ports for the sites.

You can also try adding a step (Command line/Powershell step) to delete the existing binding before next deploy step if that does not affect the sites.

eg:

$> netsh http delete sslcert ipport:1.1.1.1:443

Reference below articles to delete the binding:

Andy Li-MSFT
  • 28,712
  • 2
  • 33
  • 55
  • 2
    Thanks for the response -- I wanted to keep the bindings and use Server Name Identification (SNI) and so the solution I found below works without removing bindings. – Erik Dahl Dec 05 '17 at 16:08
  • The proper command is: `netsh http delete sslcert ipport=1.1.1.1:443`. Note the equal sign instead of colon. – Fejs Jan 13 '23 at 04:59
1

I got things working - but I had to basically eliminate the binding configuration from the WinRM - IIS App Management tasks. I kept everything the same but specified NO binding information at all in those tasks, then added a target machine power shell script that looked like this (thumbprints and site domains changed):

Import-Module WebAdministration

if ($null -eq (Get-WebBinding | Where-Object {$_.BindingInformation -eq "*:443:iddev.mydomain.com"}))
{
    New-WebBinding -Name "Identity-B2B" -Port 443 -Protocol "https" -HostHeader "iddev.mydomain.com" -SslFlags 1
    New-Item -Path "IIS:\SslBindings\!443!iddev.mydomain.com" -Thumbprint "88E811B7A9417DACAAAAAAAAAA1C36AA0BA238FF1E0F" -SSLFlags 1
}

if ($null -eq (Get-WebBinding | Where-Object {$_.BindingInformation -eq "*:443:iddev.myotherdomain.com"}))
{    
    New-WebBinding -Name "Identity-B2C" -Port 443 -Protocol "https" -HostHeader "iddev.myotherdomain.com" -SslFlags 1
    New-Item -Path "IIS:\SslBindings\!443!iddev.myotherdomain.com" -Thumbprint "BE38195A2BBBBBBBBBBBBBBB1C2AB5762C9" -SSLFlags 1
}
Erik Dahl
  • 478
  • 5
  • 12