SPFX Error - [trust-cert] CertUtil Error

[WymerDev]

Target SharePoint environment

SharePoint Online

What SharePoint development model, framework, SDK or API is this about?

💥 SharePoint Framework

Developer environment

Windows

What browser(s) / client(s) have you tested

• [ ] 💥 Internet Explorer
• [X] 💥 Microsoft Edge
• [ ] 💥 Google Chrome
• [ ] 💥 FireFox
• [ ] 💥 Safari
• [ ] mobile (iOS/iPadOS)
• [ ] mobile (Android)
• [ ] not applicable
• [ ] other (enter in the "Additional environment details" area below)

Additional environment details

• browser version - Version 116.0.1938.69 (Official build) (64-bit)
• SPFx version - 1.17.4
• gulp-cli@2.3.0
• touch-cli@0.0.1
• yo@4.3.1
• Node.js version - v16.13.0 OS - Win 11 Pro

Describe the bug / error

I have been getting this error after trying to execute gulp trust-dev-cert on a new web part project and haven't been able to fix it, please kindly help. I followed the set up process here https://learn.microsoft.com/en-us/sharepoint/dev/spfx/set-up-your-development-environment and also tried in my other PC but still throws the same error. I am executing this statement from the webpart solution folder. It does give me the Certificate installation prompt for localhost and after the error is thrown, it creates rushstack-serve.key, rushstack-serve.pem files in .rushstack folder. Here is the error:

Thank you.

Steps to reproduce

1. Install node v16.13.0
2. install gulp cli, yoeman and sharepoint generator
3. Create webpart with the generator scaffolding
4. Run gulp trust-dev-cert

Expected behavior

certificate successfully installed and running gulp serve would bring up the workspace

[nick-pape]

Hi @WymerDev , I just tried to repro this locally but didn't see the issue.

Are you seeing an issue when you actually do a gulp serve and test on a SharePoint page (e.g. workbench)? You would basically see an error around non-https resources being attempted to be loaded.

Can you try running gulp untrust-dev-cert and then retry gulp trust-dev-cert?

Last, the prompt should elevate, but it may be worth trying to run command prompt with Run As Administrator before running the gulp trust-dev-cert command.

[WymerDev]

Hi @nick-pape I get this before doing gulp serve and when I execute this command it just throws this error "The existing development certificate is not currently trusted by your system. Untrust the certificate and generate a new one, or set the canGenerateNewCertificate parameter to true when calling ensureCertificateAsync." I have tried gulp untrust-dev-cert and then retry gulp trust-dev-cert but I keep getting the same CertUtil Error with Task errors:1. And yes I am using Windows PowerShell with elevated perms (Admin) .

Thank you for looking into it.

[nick-pape]

Looking into the error further... The code for this task is public here. It uses the CertificateManager from rushstack here.

The error looks like is written here when setting the friendly name.

I see several issues with this code:

1. The code is writing the (empty) stderr from certutil.exe to stderr, which overall makes SPFx build tools believe this task has failed, despite this step appearing to be "optional".
2. We aren't writing certutil.exe's stdout anywhere, which makes this issue hard to debug.
3. The code that is calling _trySetFriendlyNameAsync is lacking an await (here)[https://github.com/microsoft/rushstack/blame/main/libraries/debug-certificate-manager/src/CertificateManager.ts#L746]. So the warning specific to this step isn't appearing.

---

1st - learn why setting friendly name is failing

Can you try opening the node_modules/@rushstack/debug-certificate-manager/lib/CertificateManager.js locally and adding the following line:

Then run gulp trust-dev-cert --verbose and post the output.

This should give us an idea why setting friendly name is failing. If we can resolve that issue first you will be unblocked sooner than waiting for a code change.

---

2nd - update the following 2 lines and see if you are able to serve via https

After doing step 1 above.

Change both lines to be a warning instead of an error:

Add an await where this is called:

Run gulp trust-dev-cert --verbose twice. The first time you should see the warning. The second time you should see something like:

Then run gulp serve and test out the webpart on the workbench and post any errors you get (would be relating to https).

[WymerDev]

Hi @nick-pape. Thank you for the steps. I updated the js file as advised and followed the steps to get these output below:

1st (adding stdout line):

[11:48:48] Starting 'trust-dev-cert'... [11:48:48] Starting gulp [11:48:48] Starting subtask 'trust-cert'... [11:48:48] [trust-cert] Attempting to trust a development certificate. This self-signed certificate only points to localhost and will be stored in your local user profile to be used by other instances of debug-certificate-manager. If you do not consent to trust this certificate, click "NO" in the dialog. [11:48:50] [trust-cert] Successfully trusted development certificate. [11:48:50] Finished subtask 'trust-cert' after 2.47 s [11:48:50] Finished 'trust-dev-cert' after 2.47 s [11:48:50] Error - [trust-cert] CertUtil Error: [11:48:50] Error - [trust-cert] CertUtil Error: root "Trusted Root Certification Authorities" CertUtil: -repairstore command FAILED: 0x80090011 (-2146893807 NTE_NOT_FOUND) CertUtil: Object was not found.

[11:48:51] ==================[ Finished ]================== Error - [trust-cert] CertUtil Error: Error - [trust-cert] CertUtil Error: root "Trusted Root Certification Authorities" CertUtil: -repairstore command FAILED: 0x80090011 (-2146893807 NTE_NOT_FOUND) CertUtil: Object was not found. [11:48:51] Suppressing - Warning - [sass] The local CSS class 'ms-Grid' is not camelCase and will not be type-safe. [11:48:51] Project hw-web-part-1 version:0.0.1 [11:48:51] Build tools version:3.17.20 [11:48:51] Node version:v16.13.0 [11:48:51] Total duration:5.56 s [11:48:51] Task errors:2

2nd: 1 - Update to warning, adding await, 1st run

[12:27:00] Starting 'trust-dev-cert'... [12:27:00] Starting gulp [12:27:00] Starting subtask 'trust-cert'... [12:27:00] [trust-cert] The development certificate was not found in the store. CertUtil error: [12:27:00] Warning - [trust-cert] The existing development certificate is not currently trusted by your system. Attempting to untrust the certificate and generate a new one. [12:27:01] [trust-cert] Successfully untrusted development certificate. [12:27:01] [trust-cert] Attempting to trust a development certificate. This self-signed certificate only points to localhost and will be stored in your local user profile to be used by other instances of debug-certificate-manager. If you do not consent to trust this certificate, click "NO" in the dialog. [12:27:03] [trust-cert] Successfully trusted development certificate. [12:27:03] Warning - [trust-cert] CertUtil Error: [12:27:03] Warning - [trust-cert] CertUtil Error: root "Trusted Root Certification Authorities" CertUtil: -repairstore command FAILED: 0x80090011 (-2146893807 NTE_NOT_FOUND) CertUtil: Object was not found.

[12:27:03] Warning - [trust-cert] Unable to set the certificate's friendly name. [12:27:03] Finished subtask 'trust-cert' after 2.55 s [12:27:03] Finished 'trust-dev-cert' after 2.55 s [12:27:03] ==================[ Finished ]================== Warning - [trust-cert] The existing development certificate is not currently trusted by your system. Attempting to untrust the certificate and generate a new one. Warning - [trust-cert] CertUtil Error: Warning - [trust-cert] CertUtil Error: root "Trusted Root Certification Authorities" CertUtil: -repairstore command FAILED: 0x80090011 (-2146893807 NTE_NOT_FOUND) CertUtil: Object was not found.

Warning - [trust-cert] Unable to set the certificate's friendly name. [12:27:04] Suppressing - Warning - [sass] The local CSS class 'ms-Grid' is not camelCase and will not be type-safe. [12:27:04] Project hw-web-part-1 version:0.0.1 [12:27:04] Build tools version:3.17.20 [12:27:04] Node version:v16.13.0 [12:27:04] Total duration:5.68 s [12:27:04] Task warnings:4

2nd: 2 - Update to warning, adding await, 2nd run

[12:29:41] Starting 'trust-dev-cert'... [12:29:41] Starting gulp [12:29:41] Starting subtask 'trust-cert'... [12:29:41] [trust-cert] The development certificate was not found in the store. CertUtil error: [12:29:41] Warning - [trust-cert] The existing development certificate is not currently trusted by your system. Attempting to untrust the certificate and generate a new one. [12:29:41] [trust-cert] Successfully untrusted development certificate. [12:29:41] [trust-cert] Attempting to trust a development certificate. This self-signed certificate only points to localhost and will be stored in your local user profile to be used by other instances of debug-certificate-manager. If you do not consent to trust this certificate, click "NO" in the dialog. [12:29:43] [trust-cert] Successfully trusted development certificate. [12:29:43] Warning - [trust-cert] CertUtil Error: [12:29:43] Warning - [trust-cert] CertUtil Error: root "Trusted Root Certification Authorities" CertUtil: -repairstore command FAILED: 0x80090011 (-2146893807 NTE_NOT_FOUND) CertUtil: Object was not found.

[12:29:43] Warning - [trust-cert] Unable to set the certificate's friendly name. [12:29:43] Finished subtask 'trust-cert' after 2.54 s [12:29:43] Finished 'trust-dev-cert' after 2.54 s [12:29:44] ==================[ Finished ]================== Warning - [trust-cert] The existing development certificate is not currently trusted by your system. Attempting to untrust the certificate and generate a new one. Warning - [trust-cert] CertUtil Error: Warning - [trust-cert] CertUtil Error: root "Trusted Root Certification Authorities" CertUtil: -repairstore command FAILED: 0x80090011 (-2146893807 NTE_NOT_FOUND) CertUtil: Object was not found.

Warning - [trust-cert] Unable to set the certificate's friendly name. [12:29:44] Suppressing - Warning - [sass] The local CSS class 'ms-Grid' is not camelCase and will not be type-safe. [12:29:44] Project hw-web-part-1 version:0.0.1 [12:29:44] Build tools version:3.17.20 [12:29:44] Node version:v16.13.0 [12:29:44] Total duration:5.7 s [12:29:44] Task warnings:4

I didn't get the one like in your screenshot and didn't notice any change between the 1st and the 2nd runs.

3rd - running gulp serve

Build target: DEBUG [12:38:16] Using gulpfile C:\SPFX\HWWebPart1\gulpfile.js [12:38:16] Starting 'serve'... [12:38:16] Starting gulp [12:38:16] Starting subtask 'spfx-serve'... [12:38:16] [spfx-serve] To load your scripts, use this query string: ?debug=true&noredir=true&debugManifestsFile=https://localhost:4321/temp/manifests.js [12:38:17] Error - 'spfx-serve' sub task errored after 343 ms The existing development certificate is not currently trusted by your system. Untrust the certificate and generate a new one, or set the canGenerateNewCertificate parameter to true when calling ensureCertificateAsync. [12:38:17] 'serve' errored after 349 ms [12:38:17] About to exit with code: 1 Process terminated before summary could be written, possible error in async code not continuing! Trying to exit with exit code 1

My local CertificateManager.js updated snippet:

Hope the verbose error messages can help. Thank you.

[nick-pape]

Interesting, so the deeper cause here is that the certificate that is trying to be updated with a friendly name isn't being found. That means there must be a hidden error occurring when trying to install the certificate.

[WymerDev]

@nick-pape Checking to see if this issue is indeed a bug and is awaiting resolution? Meanwhile are there any another/older working versions so I can work on SPFX development? Thank you.

[AkshayKishorChauhan]

@WymerDev Please try adding "C:\Windows\System32" in your environment variables and then should work.

[WymerDev]

@AkshayKishorChauhan I see that it's already there in the Env. variables, under system.. Thank you.

[poojakadam19]

I tried this but still get this error : please help me [01:08:08] Error - 'spfx-serve' sub task errored after 220 ms No development certificate found. Generate a new certificate manually, or set the canGenerateNewCertificate parameter to true when calling ensureCertificateAsync. [01:08:08] 'serve' errored after 226 ms

[nick-pape]

@iclanton @AkshayKishorChauhan were you able to make any further progress on this? Definitely seems like a tooling issue.

[Haiqi-Wu]

@nick-pape What is the version of @rushstack/debug-certificate-manager you are using in your solution? Can we use an older version to avoid this issue? Waiting is always agonizing.

[tayram]

Was there ever a resolution to this? I am running into this error in 2024.

2 noteworthy things have changed, for me personally...

1. Our company is now using ThreatLocker on all machines
2. I recently got a new laptop, and had to reinstall the dev toolchain, within ThreatLocker.

ThreatLocker has made it a pain the butt to get to the point I am now... but after resolving an array of issues, I think this is the only hurdle I have left.