'Invalid issuer or signature.' when deploying via Certificate based Apply-PnPProvisioningTemplate and ASP.NET #71

Closed
pvranich opened this issue Jan 5, 2021 · 17 comments

pvranich commented Jan 5, 2021

Hi I am moving this issue here as there has been no response in the old repository

I get this error when using app-only certificate oauth 2.0 flow and asp.net 4.8 webservice

'Invalid issuer or signature.' when deploying via Certificate based Apply-PnPProvisioningTemplate

Is there any work being done or any insight to this error?

Thanks in advance
Peter

@jansenbe jansenbe added bug Something isn't working and removed bug Something isn't working labels Jan 5, 2021
@jansenbe jansenbe self-assigned this Jan 5, 2021
@jansenbe jansenbe added the question Further information is requested label Jan 5, 2021
Contributor

jansenbe commented Jan 5, 2021

It seems you're not loading the certificate correctly or the certificate itself is invalid? How are you loading and using the certificate?


athomp15 commented Jan 5, 2021

I get a similar issue with PnP.PowerShell v0.3.26-nightly connecting to SPO using Connect-PnPOnline with a client cert.

Connect-PnPOnline works fine and I can query the site fine. The issue comes when using Get-PnPSiteTemplate - exception shown below. It errors when extracting list information.

```powershell
Connect-PnPOnline -ClientId $script:appRegClientId -CertificatePath $script:certPath -Url $script:templateSiteUrl -Tenant $script:tenantId -CertificatePassword (ConvertTo-SecureString -AsPlainText $certPWD)
Get-PnPSiteTemplate -Out $script:templatePath -Handlers Features,CustomActions,ExtensibilityProviders,SiteSettings,PageContents,Pages,Lists,ContentTypes,Fields -ListsToExtract $script:listsToReplicate -Force
```

Exception

```text
Message : {"error_description":"Invalid issuer or signature."}
Stacktrace : at PnP.Framework.Utilities.WebhookUtility.GetWebhooksSubscriptionsAsync(String webUrl, WebHookResourceType resourceType, String resourceId, String accessToken, ClientContext context)
at Microsoft.SharePoint.Client.ListExtensions.GetWebhookSubscriptionsAsync(List list, String accessToken)
at PnP.Framework.Provisioning.ObjectHandlers.ObjectListInstance.ExtractWebhooks(List siteList, ListInstance list)
at PnP.Framework.Provisioning.ObjectHandlers.ObjectListInstance.ExtractObjects(Web web, ProvisioningTemplate template, ProvisioningTemplateCreationInformation creationInfo)
at PnP.Framework.Provisioning.ObjectHandlers.SiteToTemplateConversion.GetRemoteTemplate(Web web, ProvisioningTemplateCreationInformation creationInfo)
at Microsoft.SharePoint.Client.WebExtensions.GetProvisioningTemplate(Web web, ProvisioningTemplateCreationInformation creationInfo)
at PnP.PowerShell.Commands.Provisioning.Site.GetSiteTemplate.ExtractTemplate(XMLPnPSchemaVersion schema, String path, String packageName, ExtractConfiguration configuration) in D:\a\powershell\powershell\src\Commands\Provisioning\Site\GetSiteTemplate.cs:line 396
at PnP.PowerShell.Commands.Provisioning.Site.GetSiteTemplate.ExecuteCmdlet() in D:\a\powershell\powershell\src\Commands\Provisioning\Site\GetSiteTemplate.cs:line 148
at PnP.PowerShell.Commands.PnPSharePointCmdlet.ProcessRecord() in D:\a\powershell\powershell\src\Commands\Base\PnPSharePointCmdlet.cs:line 56
ScriptLineNumber : 1
```

Any thoughts / recommendation on how to set the certificate would be really appreciated.
Cheers
Alex

Contributor

jansenbe commented Jan 6, 2021

@athomp15 : Can you try to leave lists out of the extract, as that will help assess whether the issue is purely related to the web hook extraction?


athomp15 commented Jan 6, 2021

Hi @jansenbe,

Yep that works fine. Sorry I should have mentioned previously.
Cheers
Alex

Contributor

jansenbe commented Jan 6, 2021

@athomp15 : I'm trying from code and can't repro this issue...will see if I can repro from PS. I assume you're using a regular SPO environment (so not something in a "special" cloud)

Contributor

jansenbe commented Jan 6, 2021

@athomp15 : testing from PS shows the issue, we're investigating this now


athomp15 commented Jan 6, 2021

> @athomp15 : I'm trying from code and can't repro this issue...will see if I can repro from PS. I assume you're using a regular SPO environment (so not something in a "special" cloud)

Yes that's correct - details below.

```text
PSVersion 7.1.0
PSEdition Core
GitCommitId 7.1.0
OS Microsoft Windows 10.0.18363
Platform Win32NT
PSCompatibleVersions {1.0, 2.0, 3.0, 4.0…}
PSRemotingProtocolVersion 2.3
SerializationVersion 1.1.0.1
WSManStackVersion 3.0
```

Contributor

jansenbe commented Jan 6, 2021

@athomp15 : this issue has been fixed (thanks @erwinvanhunen)...if you use the latest versions tomorrow this will work. Root cause was the REST call to load web hooks: this one does not support app-only requests, so it failed. We've now excluded the web hook extraction when we're running using app-only. Please give this a try and let us know.

@pvranich : this issue existed also for applying templates using app-only. You can remove the web hook references from your template or use the new PnP PowerShell nightly version as of tomorrow.
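
The root cause given above is the kind of token (app-only), which the web hook REST call rejects with a misleading "Invalid issuer or signature." message. As an added example (not part of the thread and not PnP code), this PowerShell decodes an access token's claims to show whether it is app-only and whether the client authenticated with a certificate. It assumes the Azure AD claim conventions `scp`, `roles`, `idtyp` and `appidacr`/`azpacr`; the function names and the sample token are constructed for illustration.

```powershell
# Added example, not PnP code. Decodes claims for inspection only; it does not
# verify the signature, so never use it to make a trust decision.

function ConvertFrom-Base64Url {
    param([Parameter(Mandatory)][string]$Value)
    # JWT segments are base64url without padding; restore standard base64.
    $b64 = $Value.Replace('-', '+').Replace('_', '/')
    switch ($b64.Length % 4) {
        1 { throw 'Invalid base64url segment length.' }
        2 { $b64 += '==' }
        3 { $b64 += '=' }
    }
    [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($b64))
}

function Get-TokenKind {
    param([Parameter(Mandatory)][string]$AccessToken)
    $parts = $AccessToken.Split('.')
    if ($parts.Count -ne 3) { throw 'Not a compact JWT (expected 3 segments).' }
    $claims = ConvertFrom-Base64Url $parts[1] | ConvertFrom-Json
    $names  = @($claims.PSObject.Properties.Name)

    # Delegated tokens carry 'scp'; app-only tokens carry 'roles' and no 'scp'.
    $appOnly = ($names -notcontains 'scp') -and
               (($names -contains 'roles') -or ($claims.idtyp -eq 'app'))
    # appidacr (v1 tokens) / azpacr (v2 tokens): '2' means certificate client auth.
    $acr = if ($names -contains 'appidacr') { $claims.appidacr } else { $claims.azpacr }

    [pscustomobject]@{
        Issuer   = $claims.iss
        Audience = $claims.aud
        AppOnly  = $appOnly
        CertAuth = ("$acr" -eq '2')
        Roles    = $claims.roles
    }
}

# Constructed, unsigned sample token (placeholder tenant and site values).
$toSegment = {
    param($Object)
    $json = $Object | ConvertTo-Json -Compress
    [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($json)).TrimEnd('=').Replace('+', '-').Replace('/', '_')
}
$payload = [ordered]@{
    iss = 'https://sts.windows.net/00000000-0000-0000-0000-000000000000/'
    aud = 'https://contoso.sharepoint.com'
    appidacr = '2'
    roles = @('Sites.FullControl.All')
}
$sample = (& $toSegment @{ alg = 'RS256'; typ = 'JWT' }), (& $toSegment $payload), 'constructed-signature' -join '.'
Get-TokenKind -AccessToken $sample
```
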


athomp15 commented Jan 6, 2021

> @athomp15 : this issue has been fixed (thanks @erwinvanhunen)...if you use the latest versions tomorrow this will work. Root cause was the REST call to load web hooks: this one does not support app-only requests, so it failed. We've now excluded the web hook extraction when we're running using app-only. Please give this a try and let us know.
>
> @pvranich : this issue existed also for applying templates using app-only. You can remove the web hook references from your template or use the new PnP PowerShell nightly version as of tomorrow.

@jansenbe - thanks for the speedy response. I will give it a whirl tomorrow. Cheers Alex


athomp15 commented Jan 7, 2021

So can confirm that for me, running with 'PnP.PowerShell' = '0.3.28-nightly' resolves the issue. List handler working as expected.

Thanks for the support @jansenbe

Author

pvranich commented Jan 8, 2021

Hi @jansenbe ,

Thanks for that, but I don't have any web hook references in my template. Also, I am using .NET, not PowerShell. The only way I can get the template to execute correctly is by commenting out the following code.

```xml
<pnp:CustomActions>
    <pnp:WebCustomActions>
        <pnp:CustomAction
            Name="{a8f4182b-26d8-4fcb-bacb-11c00f2fe2e4}"
            Location="ClientSideExtension.ListViewCommandSet"
            Title="DocumentApproval"
            Sequence="65536"
            Rights=""
            RegistrationId="101"
            RegistrationType="List"
            ClientSideComponentId="0aecb083-5083-41af-8734-d7c6f7bba805"
            ClientSideComponentProperties="" />
    </pnp:WebCustomActions>
</pnp:CustomActions>
<pnp:ApplicationLifecycleManagement>
    <pnp:Apps>
        <pnp:App AppId="3a07c1ca-0b27-437f-95c1-771b9f06406e" Action="Install" />
    </pnp:Apps>
</pnp:ApplicationLifecycleManagement>
```

I am also receiving the same error when this code is included in the template

```xml
<pnp:Header Layout="Standard" />
```

This is when using version 3.27.2011 of the PnP-Sites-Core package.

In response to your original question, I don't think it is the certificate as when I comment out the above lines it works fine and the rest of the template is applied correctly.

The code for getting the certificate is

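```csharp
using System;
using System.Security.Cryptography.X509Certificates;
using System.Threading.Tasks;
using Azure.Identity;
using Azure.Security.KeyVault.Certificates;
using Microsoft.Azure.KeyVault;
using Microsoft.Azure.KeyVault.Models;
using Microsoft.Azure.Services.AppAuthentication;
using Microsoft.Extensions.Configuration;

public static async Task<ProvisioningSettings> GetAuthenticationCertificate(ProvisioningSettings provisioningSettings, ConfigurationRoot appSettingsConfiguration)
{
    AzureServiceTokenProvider azureServiceTokenProvider = new AzureServiceTokenProvider();
    KeyVaultClient keyVault = new KeyVaultClient(new KeyVaultClient.AuthenticationCallback(azureServiceTokenProvider.KeyVaultTokenCallback));
    string vaultUri = Environment.GetEnvironmentVariable("vaultUri");
    CertificateClient certificateClient = new CertificateClient(new Uri(vaultUri), new DefaultAzureCredential());
    // The certificate object only carries the public part; its SecretId points at the secret holding the private key.
    var certificate = await certificateClient.GetCertificateAsync("provisioning-service-app-registration-cert");

    //TODO: move the "provisioning-service-app-registration-cert" to the app config
    // The secret value is the base64-encoded PFX, including the private key.
    SecretBundle secret = await keyVault.GetSecretAsync(certificate.Value.SecretId.ToString());
    byte[] certificateData = Convert.FromBase64String(secret.Value);
    // These flags write the private key to the machine key store, keep it there
    // after the object is disposed, and leave it exportable.
    provisioningSettings.Certificate = new X509Certificate2(
        certificateData,
        string.Empty,
        X509KeyStorageFlags.MachineKeySet |
        X509KeyStorageFlags.PersistKeySet |
        X509KeyStorageFlags.Exportable
    );

    return provisioningSettings;
}
```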

The code for getting the PnPClientContext is

```csharp
ClientContext clientContext;
AuthenticationManager authenticationManager = new AuthenticationManager();
clientContext = authenticationManager.GetAzureADAppOnlyAuthenticatedContext(
    GetTargetSiteUri.AbsoluteUri,
    ProvisioningAppId,
    TenantId,
    Certificate,
    AzureEnvironment.Production
);
_pnpClientContext = PnPClientContext.ConvertFrom(clientContext);
```

Thanks in advance
Pete

Contributor

jansenbe commented Jan 8, 2021

@pvranich : can you retry with only leaving out the ApplicationLifecycleManagement node...I'm not able to reproduce this issue with the latest PnP Framework version.

@pvranich
Author

@jansenbe That "works" in the sense the code didn't fail but our custom app is not installed. What version is the latest version?

3.28.2012? Will this require an update to .NET 5.0?

Cheers

@jansenbe
Contributor

@pvranich :

Since you've left out the app part the app is not installed, this was just to scope down the issue area. If possible please try with latest versions of PnP Framework / PnP Powershell and see if the problem persists. Did this ever work with certificate based auth before?

For PowerShell the latest version is 0.3.32-nightly (see https://www.powershellgallery.com/packages/PnP.PowerShell). We'll be shipping a GA version of the new PnP PowerShell by end of this week. This version uses .NET Standard 2.0 and works with PS5, PS7 and Azure CloudShell.

For PnP Framework the latest version is 0.1.108-preview (see https://www.nuget.org/packages/PnP.Framework/). We'll be shipping a GA version by end of the week. This package ships with .NET Standard 2.0 (which still works on .NET Framework, but also on .NET Core) and a .NET 5.0 version...so you can upgrade to .NET 5, but it's not a requirement.

@jansenbe
Contributor

Hi @pvranich : did using a more recent version get you unblocked? Can we close this issue?

@pvranich
Author

Hi @jansenbe , I haven't had a chance at this stage. I will do this over the weekend and will have an answer for you on Monday morning. Apologies for the delay

Cheers

@jansenbe
Contributor

Closing this issue. @pvranich : if you still have this issue with the latest build (we fixed some related problems) then please create a new issue describing what goes wrong and the output of Get-PnPException.
