Error enabling extensions: failed to parse protected settings

[barborico]

I am trying to deploy a custom script extension for Linux per these instructions: https://docs.microsoft.com/en-us/azure/virtual-machines/extensions/custom-script-linux. My template snippet is:

        {
            "type": "Microsoft.Compute/virtualMachines/extensions",
            "apiVersion": "2019-03-01",
            "name": "[concat(variables('vmName'), '/InstallCustomScript')]",
            "location": "[resourceGroup().location]",
            "tags": "[variables('resourceTags')]",
            "dependsOn": [
                "[resourceId('Microsoft.Compute/virtualMachines/', variables('vmName'))]"
            ],
            "properties": {
                "publisher": "Microsoft.Azure.Extensions",
                "type": "CustomScript",
                "typeHandlerVersion": "2.1",
                "autoUpgradeMinorVersion": true,
                "settings": {
                    "skipDos2Unix": false, // translate script DOS to UNIX (line endings)
                    "timestamp": 0 // trigger a re-run of the script by changing value of this field
                },
                "protectedSettings": {
                    "script": "[parameters('customScript')]"
                }
            }
        }

However, the deployment fails with the following VMExtensionProvisioningError:

DEBUG: AzureQoSEvent: CommandName - New-AzResourceGroupDeployment; IsSuccess - False; Duration - 00:07:18.5872191; Exception - 12:17:41 AM - The deployment 'exfiltrator-ext.armdeploy' failed with error(s). Showing 1 out of 1 error(s).
Status Message: VM has reported a failure when processing extension 'InstallCustomScript'. Error message: "Enable failed: failed to get configuration: error reading extension configuration: failed to parse protected settings: decrypting protected settings failed: error=exit status 2 stderr=Can't open /var/lib/waagent/9AD1B864C4D0DEF3DC34A63E9362A1AF34577813.crt for reading, No such file or directory
140380671340992:error:02001002:system library:fopen:No such file or directory:../crypto/bio/bss_file.c:72:fopen('/var/lib/waagent/9AD1B864C4D0DEF3DC34A63E9362A1AF34577813.crt','r')
140380671340992:error:2006D080:BIO routines:BIO_new_file:no such file:../crypto/bio/bss_file.c:79:
unable to load certificate
"

More information on troubleshooting is available at https://aka.ms/VMExtensionCSELinuxTroubleshoot  (Code:VMExtensionProvisioningError)

CorrelationId: 183aa1fa-159c-41c7-84f5-7d5c82821781;

The deployment works if I make script an unprotected setting.

I'm also seeing the same error with the Microsoft.CPlat.Core.RunCommandLinux extension:

ErrorCode: VMExtensionProvisioningError
ErrorMessage: VM has reported a failure when processing extension 'RunCommandLinux'. Error message: "Enable failed: failed to                                                                                                                        
get configuration: error reading extension configuration: failed to parse protected settings: decrypting protected settings    
failed: error=exit status 2 stderr=Can't open /var/lib/waagent/B7F12AF1DAB560A2BD8F5328B9A7F5F5BF7E94C7.crt for reading, No such file or directory
140058413711808:error:02001002:system library:fopen:No such file or directory:../crypto/bio/bss_file.c:72:fopen('/var/lib/waagent/B7F12AF1DAB560A2BD8F5328B9A7F5F5BF7E94C7.crt','r')
140058413711808:error:2006D080:BIO routines:BIO_new_file:no such file:../crypto/bio/bss_file.c:79:
unable to load certificate
"

More information on troubleshooting is available at https://aka.ms/vmextensionlinuxtroubleshoot
ErrorTarget:
StartTime: 3/30/2021 10:29:57 PM
EndTime: 3/30/2021 10:30:20 PM
OperationID: 9a17fdcc-ed12-45fd-88c2-52129bc1ee8f
Status: Failed

Why would this protected setting encryption cert be missing?

[qinxgit]

I have exact same problem. Why isn't there a response?