Hosting ASP.NET Core websites in IIS using AspNetCoreModule

This blog post describes how to configure the AspNetCoreModule for hosting ASP.NET Core applications in IIS. The MSDN documentation did not point me in the direction of a successful configuration on my first attempt, and it was hard to tell from the error logs what exactly was wrong.

Errors encountered for an invalid module configuration

When the AspNetCoreModule configuration is wrong, IIS will respond with a 502.5 error and an entry will be logged to the Windows System Event Log. Since the .NET Core app fails before starting up, you will not see anything in the app log files.

HTTP Error 502.5 – Process Failure

The browser will return the following error page:

Common causes of this issue:

  • The application process failed to start
  • The application process started but then stopped
  • The application process started but failed to listen on the configured port

Troubleshooting steps:

  • Check the system event log for error messages
  • Enable logging the application process’ stdout messages
  • Attach a debugger to the application process and inspect

For more information visit: https://go.microsoft.com/fwlink/?LinkID=808681

 

Event log message

The Windows Event Viewer will show a message similar to this, indicating that the command line in web.config hasn’t been set correctly:

Application ‘MACHINE/WEBROOT/APPHOST/MYAPP’ with physical root ‘c:\MYAPPROOTPATH\’ failed to start process with commandline ‘bin\IISSupport\VSIISExeLauncher.exe -argFile IISExeLauncherArgs.txt’, ErrorCode = ‘0x80070002 : 0.

Failed request tracing log

Enabling failed request tracing for the web site will show a “Bad Gateway” error:

Web.config example

Assuming that the web server has been configured for hosting ASP.NET Core apps, the next step is to make sure that the aspNetCore module parameters are correct. For this configuration, dotnet.exe must be available on the PATH of the user that runs the application pool. In the aspNetCore configuration element, processPath should be set to “dotnet.exe” and arguments should be set to the web application’s entry assembly name.

Updating multiple site bindings in IIS with new SSL-certificate

This blog post describes how to use a PowerShell script to update multiple IIS site bindings with a new/renewed SSL/TLS certificate. But first, some background information on why and when this may be useful.

Example scenario for using multiple site bindings

A site binding in IIS may be configured with a host name. IIS will then use the host header in the HTTP request to route requests to the correct web site. With Server Name Indication (SNI) enabled, multiple sites and host names can share the same port for incoming SSL/TLS requests.

IIS site binding with host name and SNI configured

When hosting web applications on template-based virtual machines, it may be useful to configure multiple bindings for each hosted application. For instance, imagine that you have a web application hosted at https://myportal.mycompany.com and that you add multiple host name bindings to this web site, e.g. by appending the numbers 1-10 to “myportal” or by appending tag names like “-qa”, “-preprod”, “-failover”, etc. The web site will then be able to process any requests with a matching host name, given that the DNS records point to the virtual machine.

Multiple host names configured for a site

Next, consider that we have multiple virtual machines running the same application, all having the same IIS binding configuration. The machines may have different roles and may be running different versions of the application, or they may be identical clones placed behind a load balancer for scale out.

PowerShell script for updating multiple site bindings with new certificate

The following PowerShell script updates certificates for all bindings matching the domainNameMatchPattern regex pattern. The script has been designed to be an Octopus Deploy script module and reads the certificate friendly name to use from an Octopus Deploy variable. The certificate must exist in Octopus Deploy’s certificate store.

The script consists of the helper function AssignCertificate and the main function Update-Certificates which will be invoked from an Octopus Deploy project step.
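An added example of a script with this shape, not the post's original script: AssignCertificate, Update-Certificates and domainNameMatchPattern follow the names used above, while Get-BindingCertificate, the Octopus variable name CertificateFriendlyName and the use of the LocalMachine\My store are assumptions. It refuses to bind a certificate that is expired, not yet valid or missing its private key.

```powershell
# Added example; run elevated on the IIS host. Assumes the certificate is
# already installed in Cert:\LocalMachine\My (assumption, see lead-in).
Import-Module WebAdministration

# Hypothetical helper: newest currently valid certificate with this friendly
# name that has a private key. Fails loudly instead of binding a bad one.
function Get-BindingCertificate([string]$friendlyName) {
    $now = Get-Date
    $cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.FriendlyName -eq $friendlyName -and $_.HasPrivateKey -and
                       $_.NotBefore -le $now -and $_.NotAfter -gt $now } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
    if (-not $cert) { throw "No valid certificate named '$friendlyName' in LocalMachine\My" }
    return $cert
}

# Points one https binding at the certificate, skipping bindings already on it.
function AssignCertificate($binding, $cert) {
    $info = $binding.bindingInformation
    if ($binding.certificateHash -eq $cert.Thumbprint) {
        Write-Host "Unchanged: $info"
        return
    }
    if ($binding.certificateHash) { $binding.RemoveSslCertificate() }
    $binding.AddSslCertificate($cert.Thumbprint, 'My')
    Write-Host "Updated:   $info -> $($cert.Thumbprint) (expires $($cert.NotAfter))"
}

# Updates every https binding whose host name matches the regex.
function Update-Certificates([string]$domainNameMatchPattern, [string]$friendlyName) {
    $cert = Get-BindingCertificate $friendlyName
    Get-WebBinding -Protocol https | ForEach-Object {
        # bindingInformation is "IP:port:host"; the host name is the last field.
        $hostName = ($_.bindingInformation -split ':')[-1]
        if ($hostName -and $hostName -match $domainNameMatchPattern) {
            AssignCertificate $_ $cert
        }
    }
}

# Example call from a "Run a script" step. Anchor the pattern so it cannot match
# unrelated host names; 'CertificateFriendlyName' is a hypothetical variable name.
# Update-Certificates -domainNameMatchPattern '^myportal(\d+|-\w+)?\.mycompany\.com$' `
#     -friendlyName $OctopusParameters['CertificateFriendlyName']
```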

Add the script as an Octopus Deploy script module

The script module can then be invoked from an Octopus Deploy project by using a “Run a script” step:

Invoke the Update-Certificate function located in the previously created script module

The previous step assumes that the new certificate has already been installed on the relevant hosts. Otherwise, the “Import Certificate” Octopus Deploy step template can be used to install certificates to the hosts.