public void UpdateBinding(IISSiteWrapper site, IISBindingWrapper existingBinding, BindingOptions options) { // Replace instead of change binding because of #371 var handled = new[] { "protocol", "bindingInformation", "sslFlags", "certificateStoreName", "certificateHash" }; var replacement = site.Site.Bindings.CreateElement("binding"); replacement.Protocol = existingBinding.Protocol; replacement.BindingInformation = existingBinding.BindingInformation; replacement.CertificateStoreName = options.Store; replacement.CertificateHash = options.Thumbprint; foreach (var attr in existingBinding.Binding.Attributes) { try { if (!handled.Contains(attr.Name) && attr.Value != null) { replacement.SetAttributeValue(attr.Name, attr.Value); } } catch (Exception ex) { _log.Warning("Unable to set attribute {name} on new binding: {ex}", attr.Name, ex.Message); } } if (options.Flags > 0) { replacement.SetAttributeValue("sslFlags", options.Flags); } site.Site.Bindings.Remove(existingBinding.Binding); site.Site.Bindings.Add(replacement); }
/// <summary> /// Create or update a single binding in a single site /// </summary> /// <param name="site"></param> /// <param name="host"></param> /// <param name="flags"></param> /// <param name="thumbprint"></param> /// <param name="store"></param> /// <param name="port"></param> /// <param name="ipAddress"></param> /// <param name="fuzzy"></param> private string AddOrUpdateBindings(Binding[] allBindings, IISSiteWrapper site, BindingOptions bindingOptions, bool fuzzy) { // Get all bindings which could map to the host var matchingBindings = site.Site.Bindings. Select(x => new { binding = x, fit = Fits(x.Host, bindingOptions.Host, bindingOptions.Flags) }). Where(x => x.fit > 0). OrderByDescending(x => x.fit). ToList(); var httpsMatches = matchingBindings.Where(x => x.binding.Protocol == "https"); var httpMatches = matchingBindings.Where(x => x.binding.Protocol == "http"); // Existing https binding for exactly the domain we are looking for, will be // updated to use the new ACME certificate var perfectHttpsMatches = httpsMatches.Where(x => x.fit == 100); if (perfectHttpsMatches.Any()) { foreach (var perfectMatch in perfectHttpsMatches) { var updateOptions = bindingOptions.WithFlags(UpdateFlags(bindingOptions.Flags, perfectMatch.binding, allBindings)); UpdateBinding(site.Site, perfectMatch.binding, updateOptions); } return(bindingOptions.Host); } // If we find a http-binding for the domain, a corresponding https binding // is set up to match incoming secure traffic var perfectHttpMatches = httpMatches.Where(x => x.fit == 100); if (perfectHttpMatches.Any()) { if (AllowAdd(bindingOptions, allBindings)) { AddBinding(site, bindingOptions); return(bindingOptions.Host); } } // Allow partial matching. Doesn't work for IIS CCS. Also // should not be used for TLS-SNI validation. if (bindingOptions.Host.StartsWith("*.") || fuzzy) { httpsMatches = httpsMatches.Except(perfectHttpsMatches); httpMatches = httpMatches.Except(perfectHttpMatches); // There are no perfect matches for the domain, so at this point we start // to look at wildcard and/or default bindings binding. Since they are // order by 'best fit' we look at the first one. if (httpsMatches.Any()) { var bestMatch = httpsMatches.First(); var updateFlags = UpdateFlags(bindingOptions.Flags, bestMatch.binding, allBindings); var updateOptions = bindingOptions.WithFlags(updateFlags); UpdateBinding(site.Site, bestMatch.binding, updateOptions); return(bestMatch.binding.Host); } // Nothing on https, then start to look at http if (httpMatches.Any()) { var bestMatch = httpMatches.First(); var addOptions = bindingOptions.WithHost(bestMatch.binding.Host); if (AllowAdd(addOptions, allBindings)) { AddBinding(site, addOptions); return(bestMatch.binding.Host); } } } // At this point we haven't even found a partial match for our hostname // so as the ultimate step we create new https binding if (AllowAdd(bindingOptions, allBindings)) { AddBinding(site, bindingOptions); return(bindingOptions.Host); } return(null); }
/// <summary> /// Update existing bindng /// </summary> /// <param name="site"></param> /// <param name="existingBinding"></param> /// <param name="flags"></param> /// <param name="thumbprint"></param> /// <param name="store"></param> private void UpdateBinding(Site site, Binding existingBinding, BindingOptions options) { // Check flags options = options.WithFlags(CheckFlags(existingBinding.Host, options.Flags)); // IIS 7.x is very picky about accessing the sslFlags attribute var currentFlags = existingBinding.SSLFlags(); if ((currentFlags & ~SSLFlags.SNI) == (options.Flags & ~SSLFlags.SNI) && // Don't care about SNI status ((options.Store == null && existingBinding.CertificateStoreName == null) || StructuralComparisons.StructuralEqualityComparer.Equals(existingBinding.CertificateHash, options.Thumbprint) && string.Equals(existingBinding.CertificateStoreName, options.Store, StringComparison.InvariantCultureIgnoreCase))) { _log.Verbose("No binding update needed"); } else { _log.Information(true, "Updating existing https binding {host}:{port}", existingBinding.Host, existingBinding.EndPoint.Port); // Replace instead of change binding because of #371 var handled = new[] { "protocol", "bindingInformation", "sslFlags", "certificateStoreName", "certificateHash" }; var replacement = site.Bindings.CreateElement("binding"); replacement.Protocol = existingBinding.Protocol; replacement.BindingInformation = existingBinding.BindingInformation; replacement.CertificateStoreName = options.Store; replacement.CertificateHash = options.Thumbprint; foreach (var attr in existingBinding.Attributes) { try { if (!handled.Contains(attr.Name) && attr.Value != null) { replacement.SetAttributeValue(attr.Name, attr.Value); } } catch (Exception ex) { _log.Warning("Unable to set attribute {name} on new binding: {ex}", attr.Name, ex.Message); } } // If current binding has SNI, the updated version // will also have that flag set, regardless // of whether or not it was requested by the caller. // Callers should not generally request SNI unless // required for the binding, e.g. for TLS-SNI validation. // Otherwise let the admin be in control. if (currentFlags.HasFlag(SSLFlags.SNI)) { options = options.WithFlags(options.Flags | SSLFlags.SNI); } if (options.Flags > 0) { replacement.SetAttributeValue("sslFlags", options.Flags); } site.Bindings.Remove(existingBinding); site.Bindings.Add(replacement); } }
/// <summary> /// Update/create bindings for all host names in the certificate /// </summary> /// <param name="target"></param> /// <param name="flags"></param> /// <param name="thumbprint"></param> /// <param name="store"></param> public void AddOrUpdateBindings(IEnumerable <string> identifiers, BindingOptions bindingOptions, byte[] oldThumbprint) { try { IEnumerable <(IISSiteWrapper site, Binding binding)> allBindings = WebSites. SelectMany(site => site.Site.Bindings, (site, binding) => (site, binding)). ToList(); var bindingsUpdated = 0; var found = new List <string>(); if (oldThumbprint != null) { var siteBindings = allBindings. Where(sb => StructuralComparisons.StructuralEqualityComparer.Equals(sb.binding.CertificateHash, oldThumbprint)). ToList(); // Update all bindings created using the previous certificate foreach (var(site, binding) in siteBindings) { try { UpdateBinding(site.Site, binding, bindingOptions); found.Add(binding.Host); bindingsUpdated += 1; } catch (Exception ex) { _log.Error(ex, "Error updating binding {host}", binding.BindingInformation); throw; } } } // Find all hostnames which are not covered by any of the already updated // bindings yet, because we will want to make sure that those are accessable // in the target site var targetSite = GetWebSite(bindingOptions.SiteId ?? -1); IEnumerable <string> todo = identifiers; while (todo.Any()) { // Filter by previously matched bindings todo = todo.Where(cert => !found.Any(iis => Fits(iis, cert, bindingOptions.Flags) > 0)); if (!todo.Any()) { break; } var current = todo.First(); try { var binding = AddOrUpdateBindings( allBindings.Select(x => x.binding).ToArray(), targetSite, bindingOptions.WithHost(current), !bindingOptions.Flags.HasFlag(SSLFlags.CentralSSL)); // Allow a single newly created binding to match with // multiple hostnames on the todo list, e.g. the *.example.com binding // matches with both a.example.com and b.example.com if (binding == null) { // We were unable to create the binding because it would // lead to a duplicate. Pretend that we did add it to // still be able to get out of the loop; found.Add(current); } else { found.Add(binding); bindingsUpdated += 1; } } catch (Exception ex) { _log.Error(ex, "Error creating binding {host}: {ex}", current, ex.Message); // Prevent infinite retry loop, we just skip the domain when // an error happens creating a new binding for it. User can // always change/add the bindings manually after all. found.Add(current); } } if (bindingsUpdated > 0) { _log.Information("Committing {count} {type} binding changes to IIS", bindingsUpdated, "https"); Commit(); } else { _log.Warning("No bindings have been changed"); } } catch (Exception ex) { _log.Error(ex, "Error installing"); throw; } }
/// <summary> /// Create a new binding /// </summary> /// <param name="site"></param> /// <param name="host"></param> /// <param name="flags"></param> /// <param name="thumbprint"></param> /// <param name="store"></param> /// <param name="port"></param> /// <param name="IP"></param> private IIISBinding AddBinding(TSite site, BindingOptions options) { options = options.WithFlags(CheckFlags(true, options.Host, options.Flags)); _log.Information(LogType.All, "Adding new https binding {binding}", options.Binding); return(_client.AddBinding(site, options)); }
/// <summary> /// Update/create bindings for all host names in the certificate /// </summary> /// <param name="target"></param> /// <param name="flags"></param> /// <param name="thumbprint"></param> /// <param name="store"></param> public int AddOrUpdateBindings( IEnumerable <Identifier> identifiers, BindingOptions bindingOptions, byte[]?oldThumbprint) { // Helper function to get updated sites IEnumerable <(TSite site, TBinding binding)> GetAllSites() => _client.Sites. SelectMany(site => site.Bindings, (site, binding) => (site, binding)). ToList(); try { var allBindings = GetAllSites(); var bindingsUpdated = 0; var found = new List <IIISBinding>(); if (oldThumbprint != null) { var siteBindings = allBindings. Where(sb => StructuralComparisons.StructuralEqualityComparer.Equals(sb.binding.CertificateHash, oldThumbprint)). ToList(); // Update all bindings created using the previous certificate foreach (var(site, binding) in siteBindings) { try { // Only update if the old binding actually matches // with the new certificate if (identifiers.Any(i => Fits(binding, i, SSLFlags.None) > 0)) { found.Add(binding); if (UpdateBinding(site, binding, bindingOptions)) { bindingsUpdated += 1; } } else { _log.Warning( "Existing https binding {host}:{port}{ip} not updated because it doesn't seem to match the new certificate!", binding.Host, binding.Port, string.IsNullOrEmpty(binding.IP) ? "" : $":{binding.IP}"); } } catch (Exception ex) { _log.Error(ex, "Error updating binding {host}", binding.BindingInformation); throw; } } } if (bindingOptions.SiteId == null) { return(bindingsUpdated); } // Find all hostnames which are not covered by any of the already updated // bindings yet, because we will want to make sure that those are accessable // in the target site var targetSite = _client.GetSite(bindingOptions.SiteId.Value, IISSiteType.Web); var todo = identifiers; while (todo.Any()) { // Filter by previously matched bindings todo = todo.Where(cert => !found.Any(iis => Fits(iis, cert, bindingOptions.Flags) > 0)); if (!todo.Any()) { break; } allBindings = GetAllSites(); var current = todo.First(); try { var(hostFound, bindings) = AddOrUpdateBindings( allBindings.Select(x => x.binding).ToArray(), targetSite, bindingOptions.WithHost(current.Value)); // Allow a single newly created binding to match with // multiple hostnames on the todo list, e.g. the *.example.com binding // matches with both a.example.com and b.example.com if (hostFound == null) { // We were unable to create the binding because it would // lead to a duplicate. Pretend that we did add it to // still be able to get out of the loop; found.Add(new DummyBinding(current)); } else { found.Add(hostFound); bindingsUpdated += bindings; } } catch (Exception ex) { _log.Error(ex, "Error creating binding {host}: {ex}", current, ex.Message); // Prevent infinite retry loop, we just skip the domain when // an error happens creating a new binding for it. User can // always change/add the bindings manually after all. found.Add(new DummyBinding(current)); } } return(bindingsUpdated); } catch (Exception ex) { _log.Error(ex, "Error installing"); throw; } }
/// <summary> /// Create or update a single binding in a single site /// </summary> /// <param name="site"></param> /// <param name="host"></param> /// <param name="flags"></param> /// <param name="thumbprint"></param> /// <param name="store"></param> /// <param name="port"></param> /// <param name="ipAddress"></param> /// <param name="fuzzy"></param> private (IIISBinding?, int) AddOrUpdateBindings(TBinding[] allBindings, TSite site, BindingOptions bindingOptions) { if (bindingOptions.Host == null) { throw new InvalidOperationException("bindingOptions.Host is null"); } // Require IIS manager to commit var commit = 0; // Get all bindings which could map to the host var matchingBindings = site.Bindings. Select(x => new { binding = x, fit = Fits(x, new DnsIdentifier(bindingOptions.Host), bindingOptions.Flags) }). Where(x => x.fit > 0). OrderByDescending(x => x.fit). ToList(); // If there are any bindings if (matchingBindings.Any()) { var bestMatch = matchingBindings.First(); var bestMatches = matchingBindings.Where(x => x.binding.Host == bestMatch.binding.Host); if (bestMatch.fit == 100 || !bindingOptions.Flags.HasFlag(SSLFlags.CentralSsl)) { // All existing https bindings var existing = bestMatches. Where(x => x.binding.Protocol == "https"). Select(x => x.binding.BindingInformation.ToLower()). ToList(); foreach (var match in bestMatches) { var isHttps = match.binding.Protocol == "https"; if (isHttps) { if (UpdateExistingBindingFlags(bindingOptions.Flags, match.binding, allBindings, out var updateFlags)) { var updateOptions = bindingOptions.WithFlags(updateFlags); if (UpdateBinding(site, match.binding, updateOptions)) { commit++; } } } else { var addOptions = bindingOptions.WithHost(match.binding.Host); // The existance of an HTTP binding with a specific IP overrules // the default IP. if (addOptions.IP == IISClient.DefaultBindingIp && match.binding.IP != IISClient.DefaultBindingIp && !string.IsNullOrEmpty(match.binding.IP)) { addOptions = addOptions.WithIP(match.binding.IP); } var binding = addOptions.Binding; if (!existing.Contains(binding.ToLower()) && AllowAdd(addOptions, allBindings)) { AddBinding(site, addOptions); existing.Add(binding); commit++; } } } if (commit > 0) { return(bestMatch.binding, commit); } } } // At this point we haven't even found a partial match for our hostname // so as the ultimate step we create new https binding if (AllowAdd(bindingOptions, allBindings)) { var newBinding = AddBinding(site, bindingOptions); commit++; return(newBinding, commit); } // We haven't been able to do anything return(null, commit); }
/// <summary> /// Create or update a single binding in a single site /// </summary> /// <param name="site"></param> /// <param name="host"></param> /// <param name="flags"></param> /// <param name="thumbprint"></param> /// <param name="store"></param> /// <param name="port"></param> /// <param name="ipAddress"></param> /// <param name="fuzzy"></param> private string AddOrUpdateBindings(TBinding[] allBindings, TSite site, BindingOptions bindingOptions) { // Get all bindings which could map to the host var matchingBindings = site.Bindings. Select(x => new { binding = x, fit = Fits(x.Host, bindingOptions.Host, bindingOptions.Flags) }). Where(x => x.fit > 0). OrderByDescending(x => x.fit). ToList(); var httpsMatches = matchingBindings.Where(x => x.binding.Protocol == "https"); var httpMatches = matchingBindings.Where(x => x.binding.Protocol == "http"); // Existing https binding for exactly the domain we are looking for, will be // updated to use the new ACME certificate var perfectHttpsMatches = httpsMatches.Where(x => x.fit == 100); if (perfectHttpsMatches.Any()) { foreach (var perfectMatch in perfectHttpsMatches) { // The return value of UpdateFlags doesn't have to be checked here because // we have a perfect match, e.g. there is always a host name and thus // no risk when turning on the SNI flag UpdateExistingBindingFlags(bindingOptions.Flags, perfectMatch.binding, allBindings, out SSLFlags updateFlags); var updateOptions = bindingOptions.WithFlags(updateFlags); UpdateBinding(site, perfectMatch.binding, updateOptions); } return(bindingOptions.Host); } // If we find a http-binding for the domain, a corresponding https binding // is set up to match incoming secure traffic var perfectHttpMatches = httpMatches.Where(x => x.fit == 100); if (perfectHttpMatches.Any()) { if (AllowAdd(bindingOptions, allBindings)) { AddBinding(site, bindingOptions); return(bindingOptions.Host); } } // Allow partial matching. Doesn't work for IIS CCS. if (!bindingOptions.Flags.HasFlag(SSLFlags.CentralSSL)) { httpsMatches = httpsMatches.Except(perfectHttpsMatches); httpMatches = httpMatches.Except(perfectHttpMatches); // There are no perfect matches for the domain, so at this point we start // to look at wildcard and/or default bindings binding. Since they are // order by 'best fit' we look at the first one. if (httpsMatches.Any()) { foreach (var match in httpsMatches) { if (UpdateExistingBindingFlags(bindingOptions.Flags, match.binding, allBindings, out SSLFlags updateFlags)) { var updateOptions = bindingOptions.WithFlags(updateFlags); UpdateBinding(site, match.binding, updateOptions); return(match.binding.Host); } } } // Nothing on https, then start to look at http if (httpMatches.Any()) { var bestMatch = httpMatches.First(); var addOptions = bindingOptions.WithHost(bestMatch.binding.Host); if (AllowAdd(addOptions, allBindings)) { AddBinding(site, addOptions); return(bestMatch.binding.Host); } } } // At this point we haven't even found a partial match for our hostname // so as the ultimate step we create new https binding if (AllowAdd(bindingOptions, allBindings)) { AddBinding(site, bindingOptions); return(bindingOptions.Host); } return(null); }