SSL Certificate Settings created by an admin process for endpoint

I received a configuration change notification to all my IIS sites last night which caused high CPU on the server. This happened at around 12:39 AM on the 5th of March.

In event viewer I see the below warnings for all my sites at the same time. I may be off the mark but was this done by CertifyTheWeb? I looked at my current SSL cert on a site and it was renewed at 11:39 PM on March 4th, an hour earlier.

Not sure if there is a delay or timezone issue there but are these related?

SSL Certificate Settings created by an admin process for endpoint : de.example.com:443 .

When certificates renew it does update the website binding related to that certificate (at least the associated thumbprint/hash) and this also causes applicationhost.config to be touched (even if the file doesn’t actually change). You would only see an update to all websites if all of your certificates renewed.

How many sites (or domain bindings) are you running and did you setup the certificates manually or using an import?

This is a wildcard certificate so 11 sites get updated at once so all this makes sense. The CertifyTheWeb application updates stuff automatically.

Yes so unfortunately this is a feature of the official IIS Administration library we use, it touches applicationhost.config (with no change) which in turn causes your website to restart (if this is .net it will re-enter the Application_Start), which in turn will usually mean your web application will do some work to startup. The trick is to minimise the amount of work your application does on startup.
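To check this on your own server, the following PowerShell script (an added example, not code from the thread or from the Certify The Web project) pulls the HTTP.sys "SSL Certificate Settings created" warnings from the System log, then lists every https binding with the thumbprint, NotBefore and expiry of the certificate bound to it, plus the owning app pool and its "disallow rotation on config change" setting. Comparing the warning timestamps with each certificate's NotBefore shows whether a renewal lines up with the restart. It assumes the WebAdministration module that ships with IIS; the 24-hour lookback and the provider name used to filter the log are my assumptions.

```powershell
# Added diagnostic (not from the forum thread or the Certify The Web project).
# Correlates HTTP.sys SSL endpoint warnings with the certificate bound to each
# https site and with that site's app pool recycling setting.
# Assumes the WebAdministration module that ships with IIS is available.
param(
    [int]$Hours = 24   # how far back in the System log to look (assumed default)
)

Import-Module WebAdministration

# 1. SSL endpoint warnings. HTTP.sys raises these when an endpoint's certificate
#    settings are (re)written, e.g. when a binding's thumbprint is updated.
#    Matched on message text so the filter does not depend on an event ID.
$sslEvents = Get-WinEvent -FilterHashtable @{
    LogName      = 'System'
    ProviderName = 'Microsoft-Windows-HttpEvent'   # assumed provider name for HttpEvent
    StartTime    = (Get-Date).AddHours(-$Hours)
} -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -like '*SSL Certificate Settings created*' }

"{0} SSL endpoint warning(s) in the last {1}h" -f @($sslEvents).Count, $Hours
$sslEvents | ForEach-Object {
    # The endpoint (host:port) is the tail of the message after "endpoint :".
    $endpoint = ($_.Message -split 'endpoint\s*:\s*')[-1].Trim(' .')
    "  {0:yyyy-MM-dd HH:mm:ss}  {1}" -f $_.TimeCreated, $endpoint
}

# 2. Every https binding with its certificate and app pool details, so the
#    certificate's NotBefore can be compared with the warning timestamps.
$report = foreach ($site in Get-Website) {
    foreach ($b in Get-WebBinding -Name $site.Name -Protocol https) {
        $hash = $b.certificateHash
        $cert = if ($hash) {
            Get-ChildItem Cert:\LocalMachine\My | Where-Object Thumbprint -eq $hash
        } else { $null }
        $pool = $site.applicationPool
        # Whether this pool is set to skip recycling on applicationhost.config changes.
        $noRotate = (Get-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' `
            -Filter "/system.applicationHost/applicationPools/add[@name='$pool']/recycling" `
            -Name disallowRotationOnConfigChange).Value
        [pscustomobject]@{
            Site       = $site.Name
            Binding    = $b.bindingInformation
            Thumbprint = $hash
            NotBefore  = if ($cert) { $cert.NotBefore } else { $null }
            NotAfter   = if ($cert) { $cert.NotAfter } else { $null }
            AppPool    = $pool
            DisallowRotationOnConfigChange = $noRotate
        }
    }
}

$report | Sort-Object Thumbprint, Site | Format-Table -AutoSize

# 3. Sites sharing one certificate (e.g. a wildcard) all get rebound on one renewal.
$report | Group-Object Thumbprint | ForEach-Object {
    "{0} https binding(s) share certificate {1}" -f $_.Count, $_.Name
}
```

Run it in an elevated PowerShell session on the IIS host. If every https binding reports the same thumbprint, a single renewal explains warnings for every site at once. When comparing times, note that Let's Encrypt sets a certificate's NotBefore about one hour before it is actually issued, so "renewed at" as read from the certificate will normally predate the binding update by roughly an hour without any timezone problem being involved.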

Hmm, I’ve never had to debug this sort of situation, but I do remember this setting on Application Pools:

This might be the same mechanism, but it might not be.


We have had config changes disabled for months now. I think the SSL updates does more than just a config change to make this happen.

Yeah I’ve investigated this before, from memory I don’t even think it gets logged - I found it by attaching to w3wp.exe with a debugger and setting a breakpoint in the application start. It’s not specific to Certify - you can reproduce it by manually changing an https binding in IIS manager.

You don’t think changing out the whole cert for a binding by Certify causes an application start, regardless if config changes are disabled for recycling?

Yes, I do think that an https binding change for your site (whether performed by Certify or manually using IIS Manager) will cause this.

I’ve not tested it recently, and this was tested specifically for ASP.NET on .NET 4.6.1, not .NET Core - I’ve no idea if that’s affected in the same way.

I should add, it’s not the same as an app pool recycle, it’s specifically an app restart (within the pool) and from memory I don’t think it’s logged by IIS (or it wasn’t easy to find).