Help with SSL and Composite

Topics: General, Troubleshooting
Oct 11, 2011 at 8:57 PM

I am having trouble after installing composite using my shared ssl.  Before I installed composite, the shared SSL that my site has worked great.  Here is what I am finding:

  • If I browse my website from the ssl url - the browser just spins unless I give the SSL user account modify writes.  But then I can access my website using the SSL url but the browser will just spin when using the non-ssl url.  
  • If I then take the SSL user account permissions back (removing the Modify rights) and reset the application pool - the non-ssl url works and the SSL does not.

The Website is running ASP.net 4.0 after the install of composite.  The SSL website is ASP.NET 2.0 with has the APPLICATION that points back to my websites directory.

I am not sure why I am having trouble...  Any suggestions?

 

IIS has 2 Trees shows:

  • MyWebsite.com
  • AnotherWebsite.com (this is the shared ssl website)
    • Application that points back to MyWebsite.com
Coordinator
Oct 12, 2011 at 1:48 PM

This looks like such a specialized incident that you probably won't find ready advice here on the forum. If all else fails, consider getting commercial support on this one.

Oct 12, 2011 at 5:52 PM
Edited Oct 12, 2011 at 6:01 PM

After doing some trials I discovered some more details that may help.  

I have multiple website running composite that are on different builds using version 2.1.3.  The website with the oldest build works just fine.  I can access the website using either the non secure url or the Web application on another website (shared ssl).  The other website with the same version but later build do not work (with the same settings and permissions).  I then downloaded version 3 and installed fresh..  I get the same effect as the later version 2, the web application does not load. As a side note, I had the web application working just fine with v4 application pool and then when I installed composite the web application stopped working.  I also found a post from Tuesday that document the same error: http://compositec1.codeplex.com/discussions/275503.

 

  • Hosted using IIS7

DISPLAYED ERROR after timeout:

 

Could not ensure a global resource lock within the specified timeout period.
Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code. 

Exception Details: System.Threading.WaitHandleCannotBeOpenedException: Could not ensure a global resource lock within the specified timeout period.

Source Error: 
Line 8:          ApplicationLevelEventHandlers.LogApplicationLevelErrors = false;
Line 9:          
Line 10:         ApplicationLevelEventHandlers.Application_Start(sender, e);
Line 11:     }
Line 12: 

Source File: d:\wwwroot\Global.asax    Line: 10 

Stack Trace: 
[WaitHandleCannotBeOpenedException: Could not ensure a global resource lock within the specified timeout period.]
   Composite.Core.Application.AppDomainLocker.EnsureLock(TimeSpan timeoutPeriod) +271
   Composite.Core.WebClient.ApplicationLevelEventHandlers.Application_Start(Object sender, EventArgs e) +143
   ASP.global_asax.Application_Start(Object sender, EventArgs e) in d:\HostingSpaces\newarkpeds\newarkpediatrics.com\wwwroot\Global.asax:10

[HttpException (0x80004005): Could not ensure a global resource lock within the specified timeout period.]
   System.Web.HttpApplicationFactory.EnsureAppStartCalledForIntegratedMode(HttpContext context, HttpApplication app) +9028953
   System.Web.HttpApplication.RegisterEventSubscriptionsWithIIS(IntPtr appContext, HttpContext context, MethodInfo[] handlers) +131
   System.Web.HttpApplication.InitSpecial(HttpApplicationState state, MethodInfo[] handlers, IntPtr appContext, HttpContext context) +194
   System.Web.HttpApplicationFactory.GetSpecialApplicationInstance(IntPtr appContext, HttpContext context) +339
   System.Web.Hosting.PipelineRuntime.InitializeApplication(IntPtr appContext) +253

[HttpException (0x80004005): Could not ensure a global resource lock within the specified timeout period.]
   System.Web.HttpRuntime.FirstRequestInit(HttpContext context) +8950644
   System.Web.HttpRuntime.EnsureFirstRequestInit(HttpContext context) +97
   System.Web.HttpRuntime.ProcessRequestNotificationPrivate(IIS7WorkerRequest wr, HttpContext context) +256

 

Here is the version/builds:

 WORKED ON THE FOLLOWING VERSION / BUILD

  • V 2.1.3
    build: 2.1.4169.29910

 

  DID NOT WORKED ON THE FOLLOWING VERSION / BUILD

  • V 2.1.3
    build: 2.1.4182.27104
  •  V 2.1.3
    build: 2.1.4206.27965
  • V 2.1.3
    build: 2.1.4219.24136
  • V 3
Oct 15, 2011 at 5:00 AM

Could this be a version/build issue?  Both the regular website url and the web application website (shared SSL url) works on my v 2.1.3 build 2.1.4169.29910 composite website and doesn't work on versions/builds after that?  The versions that don't work - If I access the website first with either of the URLs the other url then will not load.  If I clear restart the application pool, I can access either URL again and get the same issue with the other url.  The error is the Global Resource Lock.... 

I am confused as to how this could work on the one version/build and not any of the other build that were released after.  Same web content, IIS7 setup & permissions....  Has anyone else experienced this?  

Oct 21, 2011 at 3:39 AM

Can anyone shed any light on this?  I just can't understand why one version works and another doesn't?  They are set up the same way?  I really need to get this to work for this website with is running v 2.1.3 build 2.1.4182.27104.  Frustrating..... 

 

Thanks in advance.

Coordinator
Oct 21, 2011 at 7:14 AM

Do you have two distinct IIS sites or apps pointing into the same folder?

The exception and your initial post could indicate that, and Composite C1 isn't designed for that setup. Dynamic compilations, temp files, updates to files etc. make such a setup "volatile". The exception you see is the result of a lock we explicitly do server wide, using the directory as key, to ensure multiple processes are not running at the same time.

We only recently updated our system requirements with info about this restriction - sorry about not documenting this earlier.

Oct 21, 2011 at 9:09 AM

Referring to this disucssion http://compositec1.codeplex.com/discussions/275503 it also seems that C1 after a certain build-number got more sensitive to multiple sites pointing to the same installation. Not that its an excuse for keep using old versions to support this scenario, since you should never have several websites/application pointing to the same folder and database. Ever.

Oct 21, 2011 at 10:31 PM

Thanks Mawtex and Burningice for helping clear my confusion.  Is there a way to use a shared SSL with a composite website?

In IIS7, there is a website that has an SSL attached.  My composite website is assigned a Virtual Path  ( "/mycompositewebsite") that points to the physical path of my composite websites root.  This also has an application pool of ASP.NET 4.0.

Thanks again for you help.  I am sure that this information can help many.  Shared SSL are used a lot and provided with may hosted accounts.  

Coordinator
Oct 24, 2011 at 11:56 AM

I'm not an expert on this, but I'd say that you would have to configure a single IIS site to host the shared SSL and the related domains. Only this will get you a situation where one process (iis application) is using the Composite C1 website directory.

Once you have your certificate and host names centered around one IIS site this should work out.

Oct 26, 2011 at 5:43 PM

I am looking to implement a shared ssl as well and this is quite disappointing to find out.  When I was using Dot Net Nuke they had a spot to enter the shared SSL domain name and path to allow.  Is there a way to create a work around like this or create a module to do this?  I have about 10 clients on Composite and finding this out really stinks.  I can't afford to dedicate an IP per client and issue private SSLs.

Oct 27, 2011 at 10:42 AM

what about wildcard SSL + SSL binding as possible option?

Details here:
IIS 7:  http://www.sslshopper.com/article-ssl-host-headers-in-iis-7.html 
IIS 6: http://www.digicert.com/ssl-support/configure-iis-host-headers.htm

Oct 27, 2011 at 1:28 PM

i'm still checking shared SSL. Will keep you posted.

Oct 28, 2011 at 12:39 PM
Edited Oct 28, 2011 at 12:42 PM

We have VeriSign Trial SSL Certificate (http://www.verisign.com/ssl/free-30day-trial/index.html?tid=trialLP2but) and created empty website with SSL: https://certdemo.c1.composite.net, than created 3 virtual app, pointed them to 3 C1 websites:
https://certdemo.c1.composite.net/01 (2.1.4.113.99)
https://certdemo.c1.composite.net/02 (3.0.4318.19469)
https://certdemo.c1.composite.net/03 (2.1.4.113.99)

All  works just fine.

Please let me know if you have questions.

 P.S. Sites will be killed ~31.10.2011.

Oct 28, 2011 at 3:07 PM

Hi This is great news.. And what is the non-secure path so I test that they both work simultaneously..  We have been bombing out when the second app pool hits the site.

 

What was the fix?

Oct 28, 2011 at 3:32 PM

as i read aont's comment, these 3 sites are running in each their own app pool! I can't imagine what fix could make you run several app pools against the same site/folder/database. It would definitively require a lot of out-of-proc state management, where most caching today is handled in-memory inside each app pool.

Oct 29, 2011 at 1:00 AM

Thanks burning ice, but I really don't believe it is all that.  How are the other major CMS systems allowing shared SSLs.. All shared SSLs have their own app pool. 

Because we host a bunch of sites on our private server farm, we can afford (nor does our clients want to pay) to dedicate an IP to each client just so they can have a shopping cart or a secure channel for data transmission.

 

aeont,  thanks for the suggestions I would love to see if they do work in both environments.

The wildcard domain ssl might work, but it is an expensive alternative.   I will look into this option more and I appreciate your efforts.

Coordinator
Oct 29, 2011 at 9:12 AM

to @burningice you misunderstod a little bit.

There 4 different sites, running in the same app pool.

"Root" site - not a C1 site and 3 C1 sites mapped to different virtual folders "01", "02", "03"

>> How are the other major CMS systems allowing shared SSLs.

This is purely IIS setup, and has nothing to do with the cms system. (of course cms should work correctly in a virtual folder, but that's the only requirement).|

 

A more difficult setup would be if you have root site also a C1 site, then you would have to edit web.config accordingly, so inherited settings will not break child sites.

Oct 31, 2011 at 6:54 AM
Edited Oct 31, 2011 at 6:58 AM
keyangler wrote:

Hi This is great news.. And what is the non-secure path so I test that they both work simultaneously..  We have been bombing out when the second app pool hits the site.

 

What was the fix?


http://certdemo01.c1.composite.net/
http://certdemo02.c1.composite.net/
http://certdemo03.c1.composite.net/

As @napernik says - it's same app pool for all 4 websites - 1 is root webite (empty) with 3 virtual folders. Other 3 just usual C1 sites. 

I'll extend this site lives for few days.. @mawtex pointed me to one thing, I have to re-read whole thread and make some extra testing if required.

 

Oct 31, 2011 at 1:54 PM

Ok, so how did you setup your IIS?  

 

For me I have a website for the SSL.  This website has applications which point to other websites for the shared ssl.

 

Thanks again for your help.

Oct 31, 2011 at 3:08 PM
keyangler wrote:

Ok, so how did you setup your IIS?  

For me I have a website for the SSL.  This website has applications which point to other websites for the shared ssl.

Thanks again for your help.


exactly same setup here.

Nov 3, 2011 at 12:47 PM

ok, so how come when I run this one of the channels lockes up?

 

Exact setup senario for me:

IIS7.5

Setup a website called ssl.mydomain.com

Setup a website called myclient.com and installed C1 in the root

Set the appPools for both to be the default DOTNET 4 intergrated

Setup an application on ssl.mydomain.com/myclient for the shared ssl channel

Access the website from non-secure - it works fine...

Access the website from secure it works fine...

Go back to non-secure and it times out and the app pool is locked up...

 

What an I doing wrong? Do I need to modify my webconfig?

 

 

 

 

Nov 3, 2011 at 12:59 PM

what about your folder structure... can you tell a bit more systematically which folders each site points to?

Nov 3, 2011 at 1:38 PM

ssl.mydomain.com  = e:\hosting\mydomain\ssl.mydomain.com\wwwroot\

myclient.com =  e:\hosting\myclient\myclient.com\wwwroot\

ssl.mydomain.com\myclient  = e:\hosting\myclient\myclient.com\wwwroot\

 

 

Coordinator
Nov 4, 2011 at 2:11 PM
Edited Nov 4, 2011 at 2:15 PM
Hi @keyangler

I tested it again and it seems that the setup we suggested to you, doesn't work:

C1 2.1.1: Works - but itsn't stable as C1 not designed to run under 2 AppDomains for the same folder
http://certdemo01.c1.composite.net/
https://certdemo.c1.composite.net/01


C1 3.0.0: Doesn't work - as the limitation is now enforced.
http://certdemo02.c1.composite.net/
https://certdemo.c1.composite.net/02

That's the bad news, the good news are that's it is still possible to do (shared SSL + own hostname for a site).

You can do the following:

1) ssl.mydomain.com  = e:\hosting\mydomain\ssl.mydomain.com\wwwroot\
2) ssl.mydomain.com\myclient  = e:\hosting\myclient\myclient.com\wwwroot\
3) myclient.com -> here you should create a reverse proxy that will channel requests from http://myclient.com/* to http://ssl.mydomain.com/myclient/*


You can either rewrite an existing reverse proxies to meet your needs, like f.e. that one
http://www.codeproject.com/KB/IP/reverseproxy.aspx (may be you can find something better)

Or you can try to configure IIS7 to do the job:
http://learn.iis.net/page.aspx/659/reverse-proxy-with-url-rewrite-v2-and-application-request-routing/
Nov 4, 2011 at 2:34 PM

Thank Napernik,

Is there a way to build a function or module that can be added to allow the 2 appdomains?  I am willing to pay for development.  We have large client who would not want our domain name :)  and I do not want to buy an ip per client.  

 

Can I use a wildcard ssl and bind a subdomain to each website?  Meaning myclient.com and have myclient.ssldomain.com both bind to the same website...

 

What do you think?

 

Is it just the way composite is built?  How is DNN allowing a shared ssl through asp.net?

Coordinator
Nov 7, 2011 at 8:40 AM

>> Is there a way to build a function or module that can be added to allow the 2 appdomains?  I am willing to pay for development.  We have large client who would not want our domain name :)  and I do not want to buy an ip per client. 

If you really want to try running 2 application domains, try the following.

1) Get the sources of the necessary version, find AppDomainLocker class, and "clear" it's public methods/properties, so the result would look like:

using System;
using System.Threading;
using Composite.Core.Logging;
using Composite.Core.Types;


namespace Composite.Core.Application
{
    public static class AppDomainLocker
    {
        public static void ReleaseAnyLock()
        {
        }

        public static bool HasValidLock
        {
            get
            {
		return false;
            }
        }

        public static void EnsureLock(TimeSpan timeoutPeriod)
        {
        }

        private static bool TryLock(TimeSpan maxWaitTime)
        {
		return true;
        }


        static void CurrentDomain_DomainUnload(object sender, EventArgs e)
        {          
        }
    }
}

Put the twicked Composite.dll version to /Bin folder

2) Use C1 console only from one of the sites. If you use it from 2, then it may cause data corruption.

3) On global.asax_Application_End event there's some finalization logic that should be called only in one application domain, the one in which you use the C1 console.

Edit global.asax and add some lines that would prevent call to ApplicationLevelEventHandlers.Application_End(sender, e);  for AppDomain that is not used for console

 void Application_End(object sender, EventArgs e)   

 {       
	/* if virtual path is '/', skipping Application_End */

         if(System.Web.Hosting.HostingEnvironment.ApplicationVirtualPath.Length < 2)

	{
	    return;
	}

         ApplicationLevelEventHandlers.Application_End(sender, e);   
}

4) The changes above should give some basic console stability. The only issue left is caching, for the moment the changes done in console may not appear right away on the site which is running in another AppDomain.

 

I still thing that writing a proxy would be a more stable solution.

 

>> Can I use a wildcard ssl and bind a subdomain to each website?  Meaning myclient.com and have myclient.ssldomain.com both bind to the same website...

Yes, but still each application would have to have own virtual folder, f.e.

myclient.ssldomain.com/mycliend/

myclient2.ssldomain.com/mycliend2/

 

>> Is it just the way composite is built?  How is DNN allowing a shared ssl through asp.net?

It is not the "shared SSL" that is the limitation, the limitation is to have 2 processes (or 2 AppDomains) running the same site at the same time.

Either in DNN they completely don't use caching (which I doubt), or you just haven't experienced the issues there are. But that doesn't mean that they aren't there, exactly as in the case you haven't noticed them by running  C1 2.1.1 on 2 AppDomains