Self-Signed localhost SSL Cert / AppVeyor Agent VM Image
AppVeyor: Discussion, 2018-08-25T02:15:23Z (tag:help.appveyor.com,2012-11-13:/discussions/problems/6185-self-signed-localhost-ssl-cert-appveyor-agent-vm-image)

Comment, 2017-03-01T23:10:28Z
<div><p>Hi Rob,</p>
<p>I don't see anything very suspicious in your script. However, I
can speculate that maybe sometimes the script did not reach the
<code>netsh</code> part of the code. I would recommend adding some
tracing to that part, or throwing if <code>$iisExpressCert is
$null</code>.</p>
<p>There is a slim chance that this can happen because
<code>[DateTime]::Parse($_.GetEffectiveDateString()).Date -eq
[DateTime]::Today</code> is evaluated to <code>false</code>
sometimes. Does the failure happen at any time, or maybe close to UTC
midnight?</p>
<p>Also, please run this every time before the test:<br></p>
<pre>
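<code>- ps: |
    # Connect to the HTTPS endpoint in a background job and poll up to 5 times for its output
    $job = Start-Job -ScriptBlock {openssl s_client -connect localhost:44301}; $count = 0; $output = $null; while ($output -eq $null -and $count -lt 5){$count++; sleep 2; $output = Receive-Job $job}
    # Print the notBefore/notAfter dates of the certificate the server presented
    $output | openssl x509 -noout -dates</code>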
</pre>
and compare the output for bad and good builds. That way we can see whether the cert
actually exists and has the correct dates.
<p>Another possibility is that the HTTPS bindings were not ready at
the moment of the ping. If this is true, testing with OpenSSL will hide
this issue and it will start working.</p>
<p>And yes, build VMs are absolutely identical.</p>
<p>Please let us know what you found.</p>
<p>Ilya.</p></div>
Ilya Finkelshteyn

Comment, 2017-03-02T12:39:05Z
<div><p>Hi Ilya,</p>
<p>Thank you so much for your swift response, really top notch
customer support.</p>
<p>Thank you for your helpful diagnostic tips! I think using the
AuthRoot store rather than Root store could be the root cause of
the issue. (<a href="http://superuser.com/a/224687">http://superuser.com/a/224687</a>).</p>
<p>When debugging via RDP today, on every build the cert would be
installed into the "trusted root certification authorities" store
(when viewing from MMC.exe's Certificates snap-in) - but seemingly
as soon as I indirectly interacted with the cert by connecting to a
port where it was bound, or refreshing the Certificates folder in
MMC, the cert would vanish from the store.</p>
<p>I've read in a few discussions online that Windows periodically
removes third party certificates that look dodgy. Maybe I just got
lucky with 5 builds in a row where this cleanup did not take place
yesterday?</p>
<p>I'll post again to confirm that the issue has been resolved
after some more testing, in hope that it may help others looking to
solve a similar issue.</p>
<p>Thanks again,</p>
<p>Rob</p></div>
bellr

Comment, 2017-03-02T22:18:28Z
<div><p>Thank you for the good words and for sharing your findings!</p>
<p>I did some digging on top of your findings and I believe you can
disable this behavior according to <a href="http://toastergremlin.com/?p=144">this</a> article. And it seems
that you can automatically do it by adding
<code>DisableRootAutoUpdate</code> DWORD value 0x00000001 at
<code>HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\AuthRoot\</code>.
Maybe you can simply add the following at the <code>install</code>
stage and all will become OK:<br></p>
<pre>
<code>New-ItemProperty -Path HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\AuthRoot -Name DisableRootAutoUpdate -Value 00000001 -PropertyType "DWord"</code>
</pre>
<p>Ilya.</p></div>
Ilya Finkelshteyn
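
The checks suggested in this thread (trace which store holds the certificate, throw when it is missing, confirm the HTTPS binding), gathered into one pre-test guard. This is an added example, not part of any participant's post or AppVeyor's own code; the subject `CN=localhost` and the `0.0.0.0` binding address are assumptions, and only port 44301 comes from the thread.

```powershell
# Added example: pre-test guard for the self-signed localhost certificate.
# Assumptions (not from the thread): subject "CN=localhost", binding on 0.0.0.0.
$ErrorActionPreference = 'Stop'
$subject = 'CN=localhost'      # assumed subject of the self-signed cert
$ipPort  = '0.0.0.0:44301'     # port from the thread; address is assumed

function Get-StoreCert([string]$StoreName) {
    # Return all certs with the expected subject from a LocalMachine store.
    Get-ChildItem -Path "Cert:\LocalMachine\$StoreName" |
        Where-Object { $_.Subject -eq $subject }
}

# 1. Trace where the cert currently lives: Root vs. AuthRoot.
foreach ($store in 'My', 'Root', 'AuthRoot') {
    $found = @(Get-StoreCert $store)
    Write-Host ("{0,-8} : {1} matching cert(s) {2}" -f $store, $found.Count,
        (($found | ForEach-Object Thumbprint) -join ','))
}

# 2. Fail loudly instead of silently skipping the netsh step.
$rootCert = Get-StoreCert 'Root' |
    Sort-Object NotBefore -Descending | Select-Object -First 1
if ($null -eq $rootCert) { throw "No '$subject' certificate in LocalMachine\Root" }

# 3. Compare validity as UTC DateTime values rather than parsed date strings,
#    so the result does not depend on culture or on a midnight boundary.
$now = [DateTime]::UtcNow
if ($now -lt $rootCert.NotBefore.ToUniversalTime() -or
    $now -gt $rootCert.NotAfter.ToUniversalTime()) {
    throw "Certificate $($rootCert.Thumbprint) is not valid at $now (UTC)"
}

# 4. Confirm the HTTPS binding exists and points at the same certificate.
#    -notmatch is case-insensitive, so netsh's lowercase hash still matches.
$binding = (netsh http show sslcert ipport=$ipPort) -join "`n"
if ($binding -notmatch [regex]::Escape($rootCert.Thumbprint)) {
    throw "No sslcert binding for $ipPort with thumbprint $($rootCert.Thumbprint)"
}
Write-Host "Certificate $($rootCert.Thumbprint) is trusted and bound to $ipPort"
```

Running it once right after the install step and again just before the tests shows whether the certificate left the Root store between the two points.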