azure-identity | CertificateCredential fails to parse PEM certificate (Error "Failed to deserialize certificate in PEM or PKCS12 format") #38263

Open
runr02 opened this issue Nov 1, 2024 · 7 comments
Labels
Azure.Identity Client This issue points to a problem in the data-plane of the library. customer-reported Issues that are reported by GitHub users external to the Azure organization. needs-author-feedback Workflow: More information is needed from author to address the issue. no-recent-activity There has been no recent activity on this issue. question The issue doesn't require a change to the product in order to be resolved. Most issues start as that

runr02 commented Nov 1, 2024

  • Package Name: azure-identity
  • Package Version: 1.19.0
  • Operating System: Linux
  • Python Version: 3.11.8

Describe the bug
Getting 'Failed to deserialize certificate in PEM or PKCS12 format' error while using 'CertificateCredential' python module in 'azure.identity' python package.

Also tried passing the certificate as bytes. I have some degree of confidence that it's not the certificate causing the issue. I did get this to work by manually uploading the certificate via Kudu, but ideally, I would like to use Key Vault or even directly through the Function App using azure portal.

https://learn.microsoft.com/en-us/azure/app-service/configure-ssl-certificate-in-code?tabs=linux
https://learn.microsoft.com/en-us/python/api/azure-identity/azure.identity.certificatecredential?view=azure-python#examples

To Reproduce
Steps to reproduce the behavior:

  1. Create a python function app.

  2. Load pfx certificate to Key Vault.

  3. Reference the Key Vault certificate in a function app through azure portal (have not tried to upload directly without Key Vault) and set the variable WEBSITE_LOAD_CERTIFICATES to the certificate thumbprint.

  4. Reference the cert path in code in any basic function app. This fails and does not create the credentials.

    from azure.identity import CertificateCredential

    credential = CertificateCredential(
        tenant_id="<tenant_id>",
        client_id="<client_id>",
        certificate_path="/var/ssl/private/.p12",
        password="",
    )

Expected behavior
The credential should be created and would move on to get the API token. Instead it fails.

Additional context
A similar issue on GitHub was marked as "resolved" back in 2022. However, if you read further in the comments, you will see that others are still facing this issue even after it was marked as resolved. #24643

@github-actions github-actions bot added Azure.Identity Client This issue points to a problem in the data-plane of the library. customer-reported Issues that are reported by GitHub users external to the Azure organization. needs-team-attention Workflow: This issue needs attention from Azure service team or SDK team question The issue doesn't require a change to the product in order to be resolved. Most issues start as that labels Nov 1, 2024

github-actions bot commented Nov 1, 2024

Thank you for your feedback. Tagging and routing to the team member best able to assist.

@xiangyan99
Member

Thanks for reaching out.

Can you enable logging and share the trace by adding

    import logging
    logging.basicConfig(level=logging.DEBUG)

?

@xiangyan99 xiangyan99 added the needs-author-feedback Workflow: More information is needed from author to address the issue. label Nov 1, 2024

github-actions bot commented Nov 1, 2024

Hi @runr02. Thank you for opening this issue and giving us the opportunity to assist. To help our team better understand your issue and the details of your scenario please provide a response to the question asked above or the information requested above. This will help us more accurately address your issue.

@github-actions github-actions bot removed the needs-team-attention Workflow: This issue needs attention from Azure service team or SDK team label Nov 1, 2024
@runr02
Author

runr02 commented Nov 4, 2024

See attached sanitized version

Exception while executing function: Functions.function-name Result: Failure
Exception: ValueError: Failed to deserialize certificate in PEM or PKCS12 format
Stack: File "/azure-functions-host/workers/python/3.11/LINUX/X64/azure_functions_worker/dispatcher.py", line 661, in _handle__invocation_request
call_result = await self._loop.run_in_executor(
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/usr/local/lib/python3.11/concurrent/futures/thread.py", line 58, in run
result = self.fn(*self.args, **self.kwargs)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/azure-functions-host/workers/python/3.11/LINUX/X64/azure_functions_worker/dispatcher.py", line 990, in _run_sync_func
return ExtensionManager.get_sync_invocation_wrapper(context,
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/azure-functions-host/workers/python/3.11/LINUX/X64/azure_functions_worker/extension.py", line 211, in _raw_invocation_wrapper
result = function(**args)
^^^^^^^^^^^^^^^^
File "function_app_path/app.py", line 40, in function-name
response = output()
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "function_app_path/resources/demo.py", line 255, in output
response = check()
^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "function_app_path/resources/demo.py", line 196, in check
response = json.loads(function_1())
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "function_app_path/resources/demo.py", line 118, in function_1
response = sequence.invoke({
^^^^^^^^^^^^^^^^^
File "function_app_path/.python_packages/lib/site-packages/package_1/runnables/base.py", line 3024, in invoke
input = context.run(step.invoke, input, config)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "function_app_path/.python_packages/lib/site-packages/package_1/path_1/file.py", line 390, in invoke
self.function_2(
File "function_app_path/.python_packages/lib/site-packages/package_1/path_1/file.py", line 755, in function_2
return self.generate(_strings, stop=stop, callbacks=callbacks, **kwargs)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "function_app_path/.python_packages/lib/site-packages/package_1/path_1/file.py", line 923, in generate
params = self.dict()
^^^^^^^^^^^
File "function_app_path/.python_packages/lib/site-packages/package_1/path_1/file.py", line 1362, in dict
starter_dict = dict(self._identifying_params)
^^^^^^^^^^^^^^^^^^^^^^^^
File "function_app_path/.python_packages/lib/site-packages/package_2.py", line 274, in _identifying_params
"param": self.param(),
^^^^^^^^^^^^^^^
File "function_app_path/.python_packages/lib/site-packages/package_2.py", line 91, in param
return self.config.api.param(self.config.id)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "function_app_path/.python_packages/lib/site-packages/package_3.py", line 296, in param
response = requests.get(url, headers=self.build_headers(), verify=self.verify)
^^^^^^^^^^^^^^^^^^^^
File "function_app_path/.python_packages/lib/site-packages/package_3.py", line 40, in build_headers
auth = "Bearer " + self.get_auth_token()
^^^^^^^^^^^^^^^^^^^^^
File "function_app_path/.python_packages/lib/site-packages/package_3.py", line 51, in get_auth_token
credential = CertificateCredential(
^^^^^^^^^^^^^^^^^^^^^^
File "function_app_path/.python_packages/lib/site-packages/azure/identity/_credentials/certificate.py", line 67, in __init__
client_credential = get_client_credential(certificate_path, **kwargs)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "function_app_path/.python_packages/lib/site-packages/azure/identity/_credentials/certificate.py", line 163, in get_client_credential
cert = load_pkcs12_certificate(certificate_data, password)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "function_app_path/.python_packages/lib/site-packages/azure/identity/_credentials/certificate.py", line 110, in load_pkcs12_certificate
raise ValueError("Failed to deserialize certificate in PEM or PKCS12 format") from ex

@github-actions github-actions bot added needs-team-attention Workflow: This issue needs attention from Azure service team or SDK team and removed needs-author-feedback Workflow: More information is needed from author to address the issue. labels Nov 4, 2024
@xiangyan99
Member

Thanks for the details.

We use the cryptography library to load the certificate.

Can you try the code to see if you can repro the issue?

    from cryptography.hazmat.backends import default_backend
    from cryptography.hazmat.primitives.serialization import Encoding, NoEncryption, pkcs12, PrivateFormat

    # certificate_data: raw bytes read from the certificate file; password: bytes or None
    private_key, cert, additional_certs = pkcs12.load_key_and_certificates(certificate_data, password, backend=default_backend())

@xiangyan99 xiangyan99 added the needs-author-feedback Workflow: More information is needed from author to address the issue. label Nov 4, 2024
@github-actions github-actions bot removed the needs-team-attention Workflow: This issue needs attention from Azure service team or SDK team label Nov 4, 2024
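
A pre-check that could be run in the function app before constructing the credential, as an added example that is not part of the original thread or of azure-identity: it sniffs the first bytes of the file to tell PEM, binary PKCS#12 and base64-wrapped PKCS#12 apart. The function names and the sample byte strings are constructed for illustration; it inspects the header only and does not validate the certificate or its password.

```python
import base64

PEM_MARKER = b"-----BEGIN"


def _looks_like_pfx(data: bytes) -> bool:
    """True if data starts like a PKCS#12 PFX: SEQUENCE { INTEGER 3, ... }."""
    if len(data) < 5 or data[0] != 0x30:  # 0x30 = ASN.1 SEQUENCE tag
        return False
    first = data[1]
    # Short form (< 0x80) and indefinite form (0x80) use one length byte;
    # long form uses 1 + (first & 0x7F) length bytes.
    header_len = 2 if first <= 0x80 else 2 + (first & 0x7F)
    return data[header_len:header_len + 3] == b"\x02\x01\x03"  # version 3


def classify_cert_blob(data: bytes) -> str:
    """Classify bytes read from a certificate file without parsing any keys."""
    stripped = data.strip()
    if not stripped:
        return "empty"
    if stripped.startswith(PEM_MARKER):
        return "pem"
    if _looks_like_pfx(data):
        return "pkcs12-der"
    try:
        # A PFX stored as text (base64) instead of raw bytes.
        decoded = base64.b64decode(b"".join(stripped.split()), validate=True)
        if _looks_like_pfx(decoded):
            return "base64-pkcs12"
    except ValueError:  # binascii.Error is a ValueError subclass
        pass
    # Some other ASN.1 structure, e.g. a bare X.509 certificate with no key.
    return "der-other" if data[0] == 0x30 else "unknown"


# Constructed sample headers (not real certificates).
PFX_HEAD = bytes.fromhex("308209a1020103308209670609")
X509_HEAD = bytes.fromhex("3082034a30820232a003020102")

if __name__ == "__main__":
    for name, blob in [("pfx", PFX_HEAD), ("x509", X509_HEAD),
                       ("b64", base64.b64encode(PFX_HEAD)), ("empty", b"")]:
        print(name, classify_cert_blob(blob))
```

In the function app, pass it the result of `open(certificate_path, "rb").read()`; any result other than `pem` or `pkcs12-der` means the file content differs from what the loader in the traceback expects.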

github-actions bot commented Nov 4, 2024

Hi @runr02. Thank you for opening this issue and giving us the opportunity to assist. To help our team better understand your issue and the details of your scenario please provide a response to the question asked above or the information requested above. This will help us more accurately address your issue.


Hi @runr02, we're sending this friendly reminder because we haven't heard back from you in 7 days. We need more information about this issue to help address it. Please be sure to give us your input. If we don't hear back from you within 14 days of this comment the issue will be automatically closed. Thank you!

@github-actions github-actions bot added the no-recent-activity There has been no recent activity on this issue. label Nov 11, 2024