scepman / scepman-psmodule

PowerShell Module for SCEPman installations
MIT License

Creating Intermediate CAs on Cloud Shell may fail #78

Open bb-froggy opened 3 months ago

bb-froggy commented 3 months ago

The cmdlet fails, but the CSR seems to be created. It is just not displayed because of some Python error. More details will follow when this has a stable reproduction using anonymous data.

bb-froggy commented 3 months ago

Systems where we could reproduce this:

Systems where it worked:

bb-froggy commented 3 months ago

Error output for a case with Standard SKU Key Vault and RSA-HSM key, which may or may not be the issue:

PS C:\git\scepman-psmodule\SCEPman> New-IntermediateCA -SCEPmanAppServiceName app-scepman-zpmfw57okyw6w -SearchAllSubscriptions 6>&1 -verbose
VERBOSE: Invoked New-IntermediateCA
SCEPman Module version 1.6.0.0 on PowerShell 7.4.2
Detected az version: 2.60.0
Logging in to az
Logged in to az as cloudadmin@gkagamar.onmicrosoft.com
Getting subscription details
User pre-selected to search all subscriptions
Finding correct subscription for App Service app-scepman-zpmfw57okyw6w among the 2 selected subscriptions
VERBOSE: App Service app-scepman-zpmfw57okyw6w is in subscription 627684de-d5d0-4a61-8fdb-fbcc37f8db7b
Subscription is set to MPN Subscription 2021-06
Setting resource group
Found resource group rg-insight-2
VERBOSE: Configured Key Vault URL is https://aga-sm2-kv.vault.azure.net/
Found Key Vault configuration with URL https://aga-sm2-kv.vault.azure.net/ and certificate name SCEPman-Root-CA-V1.
VERBOSE: Performing the operation "Create CSR with name SCEPman-Root-CA-V1" on target "Key Vault https://aga-sm2-kv.vault.azure.net/".
Creating certificate request in Key Vault
WARNING: ERROR: The command failed with an unexpected error. Here is the traceback:
ERROR: not enough values to unpack (expected 2, got 1)
Traceback (most recent call last):
  File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\knack/cli.py", line 233, in invoke
  File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/commands/__init__.py", line 664, in execute
  File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/commands/__init__.py", line 731, in _run_jobs_serially
  File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/commands/__init__.py", line 701, in _run_job
  File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/commands/__init__.py", line 334, in __call__
  File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/commands/command_operation.py", line 121, in handler
  File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/command_modules/util/custom.py", line 24, in rest_call
  File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/util.py", line 877, in send_raw_request
  File "<frozen _collections_abc>", line 954, in update
ValueError: not enough values to unpack (expected 2, got 1)
To check existing issues, please visit: https://github.com/Azure/azure-cli/issues
VERBOSE: Retry 1 for rest --method post --uri https://aga-sm2-kv.vault.azure.net/certificates/SCEPman-Root-CA-V1/create?api-version=7.0 --headers 'Content-Type=application/json' --resource https://vault.azure.net --body { \"policy\":{\"key_props\":{\"exportable\":false,\"reuse_key\":false,\"key_size\":4096,\"kty\":\"RSA-HSM\"},\"x509_props\":{\"key_usage\":[\"cRLSign\",\"digitalSignature\",\"keyCertSign\",\"keyEncipherment\"],\"basic_constraints\":{\"ca\":true},\"ekus\":[\"2.5.29.37.0\",\"1.3.6.1.5.5.7.3.2\",\"1.3.6.1.5.5.7.3.1\",\"1.3.6.1.5.5.7.3.9\",\"1.3.6.1.4.1.311.20.2.2\",\"1.3.6.1.5.2.3.5\"],\"subject\":\"CN=SCEPman Intermediate CA,OU=4f0d83e2-2b31-4b16-a211-623a9cd859c4,O=TestOrg\",\"validity_months\":120},\"issuer\":{\"cert_transparency\":false,\"name\":\"Unknown\"},\"secret_props\":{\"contentType\":\"application/x-pkcs12\"},\"lifetime_actions\":[{\"trigger\":{\"lifetime_percentage\":80},\"action\":{\"action_type\":\"EmailContacts\"}}]}} after 1 seconds of sleep because Error Code is 654
WARNING: ERROR: The command failed with an unexpected error. Here is the traceback:
ERROR: not enough values to unpack (expected 2, got 1)
Traceback (most recent call last):
  File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\knack/cli.py", line 233, in invoke
  File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/commands/__init__.py", line 664, in execute
  File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/commands/__init__.py", line 731, in _run_jobs_serially
  File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/commands/__init__.py", line 701, in _run_job
  File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/commands/__init__.py", line 334, in __call__
  File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/commands/command_operation.py", line 121, in handler
  File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/command_modules/util/custom.py", line 24, in rest_call
  File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/util.py", line 877, in send_raw_request
  File "<frozen _collections_abc>", line 954, in update
ValueError: not enough values to unpack (expected 2, got 1)
To check existing issues, please visit: https://github.com/Azure/azure-cli/issues
VERBOSE: Retry 2 for rest --method post --uri https://aga-sm2-kv.vault.azure.net/certificates/SCEPman-Root-CA-V1/create?api-version=7.0 --headers 'Content-Type=application/json' --resource https://vault.azure.net --body { \"policy\":{\"key_props\":{\"exportable\":false,\"reuse_key\":false,\"key_size\":4096,\"kty\":\"RSA-HSM\"},\"x509_props\":{\"key_usage\":[\"cRLSign\",\"digitalSignature\",\"keyCertSign\",\"keyEncipherment\"],\"basic_constraints\":{\"ca\":true},\"ekus\":[\"2.5.29.37.0\",\"1.3.6.1.5.5.7.3.2\",\"1.3.6.1.5.5.7.3.1\",\"1.3.6.1.5.5.7.3.9\",\"1.3.6.1.4.1.311.20.2.2\",\"1.3.6.1.5.2.3.5\"],\"subject\":\"CN=SCEPman Intermediate CA,OU=4f0d83e2-2b31-4b16-a211-623a9cd859c4,O=TestOrg\",\"validity_months\":120},\"issuer\":{\"cert_transparency\":false,\"name\":\"Unknown\"},\"secret_props\":{\"contentType\":\"application/x-pkcs12\"},\"lifetime_actions\":[{\"trigger\":{\"lifetime_percentage\":80},\"action\":{\"action_type\":\"EmailContacts\"}}]}} after 2 seconds of sleep because Error Code is 654
WARNING: ERROR: The command failed with an unexpected error. Here is the traceback:
ERROR: not enough values to unpack (expected 2, got 1)
Traceback (most recent call last):
  File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\knack/cli.py", line 233, in invoke
  File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/commands/__init__.py", line 664, in execute
  File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/commands/__init__.py", line 731, in _run_jobs_serially
  File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/commands/__init__.py", line 701, in _run_job
  File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/commands/__init__.py", line 334, in __call__
  File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/commands/command_operation.py", line 121, in handler
  File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/command_modules/util/custom.py", line 24, in rest_call
  File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/util.py", line 877, in send_raw_request
  File "<frozen _collections_abc>", line 954, in update
ValueError: not enough values to unpack (expected 2, got 1)
To check existing issues, please visit: https://github.com/Azure/azure-cli/issues
VERBOSE: Retry 3 for rest --method post --uri https://aga-sm2-kv.vault.azure.net/certificates/SCEPman-Root-CA-V1/create?api-version=7.0 --headers 'Content-Type=application/json' --resource https://vault.azure.net --body { \"policy\":{\"key_props\":{\"exportable\":false,\"reuse_key\":false,\"key_size\":4096,\"kty\":\"RSA-HSM\"},\"x509_props\":{\"key_usage\":[\"cRLSign\",\"digitalSignature\",\"keyCertSign\",\"keyEncipherment\"],\"basic_constraints\":{\"ca\":true},\"ekus\":[\"2.5.29.37.0\",\"1.3.6.1.5.5.7.3.2\",\"1.3.6.1.5.5.7.3.1\",\"1.3.6.1.5.5.7.3.9\",\"1.3.6.1.4.1.311.20.2.2\",\"1.3.6.1.5.2.3.5\"],\"subject\":\"CN=SCEPman Intermediate CA,OU=4f0d83e2-2b31-4b16-a211-623a9cd859c4,O=TestOrg\",\"validity_months\":120},\"issuer\":{\"cert_transparency\":false,\"name\":\"Unknown\"},\"secret_props\":{\"contentType\":\"application/x-pkcs12\"},\"lifetime_actions\":[{\"trigger\":{\"lifetime_percentage\":80},\"action\":{\"action_type\":\"EmailContacts\"}}]}} after 3 seconds of sleep because Error Code is 654
WARNING: ERROR: The command failed with an unexpected error. Here is the traceback:
ERROR: not enough values to unpack (expected 2, got 1)
Traceback (most recent call last):
  File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\knack/cli.py", line 233, in invoke
  File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/commands/__init__.py", line 664, in execute
  File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/commands/__init__.py", line 731, in _run_jobs_serially
  File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/commands/__init__.py", line 701, in _run_job
  File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/commands/__init__.py", line 334, in __call__
  File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/commands/command_operation.py", line 121, in handler
  File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/command_modules/util/custom.py", line 24, in rest_call
  File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/util.py", line 877, in send_raw_request
  File "<frozen _collections_abc>", line 954, in update
ValueError: not enough values to unpack (expected 2, got 1)
To check existing issues, please visit: https://github.com/Azure/azure-cli/issues
VERBOSE: Retry 4 for rest --method post --uri https://aga-sm2-kv.vault.azure.net/certificates/SCEPman-Root-CA-V1/create?api-version=7.0 --headers 'Content-Type=application/json' --resource https://vault.azure.net --body { \"policy\":{\"key_props\":{\"exportable\":false,\"reuse_key\":false,\"key_size\":4096,\"kty\":\"RSA-HSM\"},\"x509_props\":{\"key_usage\":[\"cRLSign\",\"digitalSignature\",\"keyCertSign\",\"keyEncipherment\"],\"basic_constraints\":{\"ca\":true},\"ekus\":[\"2.5.29.37.0\",\"1.3.6.1.5.5.7.3.2\",\"1.3.6.1.5.5.7.3.1\",\"1.3.6.1.5.5.7.3.9\",\"1.3.6.1.4.1.311.20.2.2\",\"1.3.6.1.5.2.3.5\"],\"subject\":\"CN=SCEPman Intermediate CA,OU=4f0d83e2-2b31-4b16-a211-623a9cd859c4,O=TestOrg\",\"validity_months\":120},\"issuer\":{\"cert_transparency\":false,\"name\":\"Unknown\"},\"secret_props\":{\"contentType\":\"application/x-pkcs12\"},\"lifetime_actions\":[{\"trigger\":{\"lifetime_percentage\":80},\"action\":{\"action_type\":\"EmailContacts\"}}]}} after 4 seconds of sleep because Error Code is 654
WARNING: ERROR: The command failed with an unexpected error. Here is the traceback:
ERROR: not enough values to unpack (expected 2, got 1)
Traceback (most recent call last):
  File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\knack/cli.py", line 233, in invoke
  File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/commands/__init__.py", line 664, in execute
  File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/commands/__init__.py", line 731, in _run_jobs_serially
  File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/commands/__init__.py", line 701, in _run_job
  File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/commands/__init__.py", line 334, in __call__
  File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/commands/command_operation.py", line 121, in handler
  File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/command_modules/util/custom.py", line 24, in rest_call
  File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/util.py", line 877, in send_raw_request
  File "<frozen _collections_abc>", line 954, in update
ValueError: not enough values to unpack (expected 2, got 1)
To check existing issues, please visit: https://github.com/Azure/azure-cli/issues
VERBOSE: Retry 5 for rest --method post --uri https://aga-sm2-kv.vault.azure.net/certificates/SCEPman-Root-CA-V1/create?api-version=7.0 --headers 'Content-Type=application/json' --resource https://vault.azure.net --body { \"policy\":{\"key_props\":{\"exportable\":false,\"reuse_key\":false,\"key_size\":4096,\"kty\":\"RSA-HSM\"},\"x509_props\":{\"key_usage\":[\"cRLSign\",\"digitalSignature\",\"keyCertSign\",\"keyEncipherment\"],\"basic_constraints\":{\"ca\":true},\"ekus\":[\"2.5.29.37.0\",\"1.3.6.1.5.5.7.3.2\",\"1.3.6.1.5.5.7.3.1\",\"1.3.6.1.5.5.7.3.9\",\"1.3.6.1.4.1.311.20.2.2\",\"1.3.6.1.5.2.3.5\"],\"subject\":\"CN=SCEPman Intermediate CA,OU=4f0d83e2-2b31-4b16-a211-623a9cd859c4,O=TestOrg\",\"validity_months\":120},\"issuer\":{\"cert_transparency\":false,\"name\":\"Unknown\"},\"secret_props\":{\"contentType\":\"application/x-pkcs12\"},\"lifetime_actions\":[{\"trigger\":{\"lifetime_percentage\":80},\"action\":{\"action_type\":\"EmailContacts\"}}]}} after 5 seconds of sleep because Error Code is 654
Write-Error: C:\git\scepman-psmodule\SCEPman\Private\az-commands.ps1:246
Line |
 246 |  … eAzOutput = CheckAzOutput -azOutput $lastAzOutput -fThrowOnError $fal …
     |                ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     | ERROR: The command failed with an unexpected error. Here is the traceback: ERROR: not enough values to
     | unpack (expected 2, got 1) Traceback (most recent call last):   File
     | "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\knack/cli.py", line 233, in invoke
     | File
     | "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/commands/__init__.py",
     | line 664, in execute   File
     | "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/commands/__init__.py",
     | line 731, in _run_jobs_serially   File
     | "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/commands/__init__.py",
     | line 701, in _run_job   File
     | "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/commands/__init__.py",
     | line 334, in __call__   File
     | "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/commands/command_operation.py", line 121, in handler   File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/command_modules/util/custom.py", line 24, in rest_call   File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/util.py", line 877, in send_raw_request   File "<frozen _collections_abc>", line 954, in update ValueError: not enough values to unpack (expected 2, got 1) To check existing issues, please visit: https://github.com/Azure/azure-cli/issues
Exception: C:\git\scepman-psmodule\SCEPman\Private\az-commands.ps1:248
Line |
 248 |        throw "Error $azErrorCode when executing $azCommand : $readable …
     |        ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     | Error 654 when executing rest --method post --uri
     | https://aga-sm2-kv.vault.azure.net/certificates/SCEPman-Root-CA-V1/create?api-version=7.0 --headers
     | 'Content-Type=application/json' --resource https://vault.azure.net --body {
     | \"policy\":{\"key_props\":{\"exportable\":false,\"reuse_key\":false,\"key_size\":4096,\"kty\":\"RSA-HSM\"},\"x509_props\":{\"key_usage\":[\"cRLSign\",\"digitalSignature\",\"keyCertSign\",\"keyEncipherment\"],\"basic_constraints\":{\"ca\":true},\"ekus\":[\"2.5.29.37.0\",\"1.3.6.1.5.5.7.3.2\",\"1.3.6.1.5.5.7.3.1\",\"1.3.6.1.5.5.7.3.9\",\"1.3.6.1.4.1.311.20.2.2\",\"1.3.6.1.5.2.3.5\"],\"subject\":\"CN=SCEPman Intermediate CA,OU=4f0d83e2-2b31-4b16-a211-623a9cd859c4,O=TestOrg\",\"validity_months\":120},\"issuer\":{\"cert_transparency\":false,\"name\":\"Unknown\"},\"secret_props\":{\"contentType\":\"application/x-pkcs12\"},\"lifetime_actions\":[{\"trigger\":{\"lifetime_percentage\":80},\"action\":{\"action_type\":\"EmailContacts\"}}]}} :

bb-froggy commented 2 months ago

Does this error message also appear when there is already a CSR? If that is the case, then we should give a good error message that explains this and how to access the CSR.

bb-froggy commented 1 month ago

There seems to have been an intermediate issue with Azure. There are multiple systems on which we couldn't reproduce the error anymore, although we could two weeks ago. Possibly, the issue is already resolved.