PfxImport - The certificate cannot be found in the local machine certificate store #146

Open
SylvainMartel opened this issue Jul 20, 2018 · 9 comments
Labels
bug The issue is a bug. help wanted The issue is up for grabs for anyone in the community.

Comments

@SylvainMartel

Details of the scenario you tried and the problem that is occurring:
Trying to import a PFX

The DSC configuration that is using the resource (as detailed as possible):

Version of the Operating System and PowerShell the DSC Target Node is running:
Windows 2016 Powershell 5
Version of the DSC module you're using, or 'dev' if you're using current dev branch:
4.1.0.0

Strangely, a part of the code that worked fine a few weeks back is now giving us errors. In the configuration, we are importing a pfx in the host cert store, here is the code:

    PfxImport WebCert
    {
        Thumbprint = '7AD2CC032931C9FFE4C630050A58BFBDBBD91CE0'
        Path       = 'd:\temp\testcert.pfx'
        Location   = 'LocalMachine'
        Store      = 'My'
        Credential = $PassCert
    }

and we receive this error upon running it

VERBOSE: [POC01]: LCM:  [ Start  Resource ]  [[PfxImport]WebCert]
The certificate cannot be found in the local machine certificate store.
+ CategoryInfo          : NotSpecified: (root/Microsoft/...gurationManager:String) [], CimException
+ FullyQualifiedErrorId : MI RESULT 1
+ PSComputerName        : localhost

From what I can gather, the resource does not seem to do Start Test to see if the certificate is there and then fails because it's not there (obviously).

We get the exact same message if we manually install the certificate, so it seems to confirm the Test part is never done?

As I said, it was working fine many weeks ago, and we were using xCertificate 2.8 back then (it was working fine for us, so we didn't update it). To be sure, I updated to CertificateDsc 4.1.0.0 but it's the same result.

@PlagueHO PlagueHO added bug The issue is a bug. help wanted The issue is up for grabs for anyone in the community. labels Jul 20, 2018
@PlagueHO
Member

Thank you for raising this @kinwolfqc. I suspect this issue might have been caused by this PR #130. It was intended to fix a problem where if the certificate existed but the private key was not available then it would be reinstalled. I'm doing some work on this resource this weekend so I'll see if I can replicate and resolve.

@JamesHoC

Any news on this "bug" because PfxImport can be a great resource for my DSC projects.

@PlagueHO
Member

Doh! Looks like I didn't get to this. I'm going to give it another try this weekend.

@ykuijs
Member

ykuijs commented Mar 13, 2019

I have exactly this issue with v4.4. It works as expected on one server, but throws the error on another. I tried to use Enable-DscDebug -BreakAll, but the error is thrown before it hits any breakpoint.

Any clue when this can be fixed/investigated?

@ykuijs
Member

ykuijs commented Mar 13, 2019

Never mind, the cause of my issue was between the keyboard and the chair, or in other words: Me :-)

@kinwolfqc In my case I did not yet import the DSC decryption certificate to the certificate store of the server. This was causing this error. Maybe this was causing your issue as well.

@PlagueHO
Member

LOL @ykuijs - I think I still need to get time to resolve it still 😁

@SteveL-MSFT SteveL-MSFT added this to Help Wanted in powershell/dscresources May 14, 2019
@SteveL-MSFT SteveL-MSFT removed this from Help Wanted in powershell/dscresources Nov 27, 2019
@kevinpohlmeier

I'm getting this error on a completely different resource (cNtfsPermissionEntry). Apparently this message comes from DscCore.dll (see https://windows10dll.nirsoft.net/dsccore_dll.html) and is not something related to the code of CertificateDsc.

I added a logging line as the first line of both a working resource and my problem resource. The working resource logged it fine, and the problem resource never logged it at all. That tells me that it's not even entering the Test-TargetResource method.

I think the issue is more along the lines of what ykuijs said, that it's the DSC decryption certificate. I've tried removing and re-adding that certificate, rebooting the target machine, and removing and re-adding the problem DSC module. The same DSC script works fine against another machine, but I still can't get it to work on this particular machine.

@kevinpohlmeier

The "MI RESULT 1" led me to https://stackoverflow.com/questions/25877068/how-do-i-resolve-cannot-invoke-the-sendconfigurationapply-method-when-perform, which is not the same error but the idea of "What is the correct way to 'reset' the DSC processes on a target machine?" seemed like it might lead somewhere. None of the suggestions there worked for me, though.

I did manage to pull a bit of extra stack trace for the error, by using a try/catch and viewing $_.Exception.StackTrace, but I still haven't figured out my issue:

    at Microsoft.PowerShell.DesiredStateConfiguration.Commands.CimInvokeDscMethod.InvokeCimMethod(DscConfigurationCommandBase cmdlet, ContainerParentJob invokDscContainerParentJob, PSDataCollection`1 pSStreamObjects, List`1 actualResults)
    at Microsoft.PowerShell.DesiredStateConfiguration.Commands.TestDscConfigurationCommand.ProcessRecord()
    at System.Management.Automation.CommandProcessor.ProcessRecord()

@kevinpohlmeier

kevinpohlmeier commented Jan 20, 2021

When I deleted and re-added my DSC decryption certificate, I forgot to modify the CertificateFile and Thumbprint that go into the MOF.

That meant that the Thumbprints did not match. I still got that same error, and that error message makes sense for that scenario.

I don't know what my original issue was, but I think deleting the certificate on both the source (to create the MOF) and target (to read the MOF) and regenerating them was the solution for me.

https://docs.microsoft.com/en-us/powershell/scripting/dsc/pull-server/securemof?view=powershell-7.1#configuration-data
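
The cause the later comments converge on (a DSC decryption certificate that is missing on the target node, or whose thumbprint no longer matches the one compiled into the MOF) can be checked directly on the node. The following is an added example, not code from this thread or from CertificateDsc; the function name `Test-DscDecryptionCertificate` is hypothetical, and it assumes the decryption certificate lives in `Cert:\LocalMachine\My` as in the linked securemof documentation.

```powershell
# Added example (not from the thread). Run elevated on the DSC target node.
# Reports whether the certificate the LCM is configured to decrypt MOF
# credentials with is present and usable, and optionally whether it matches
# the thumbprint that was used when the MOF was compiled.
function Test-DscDecryptionCertificate {
    [CmdletBinding()]
    param(
        # Thumbprint from ConfigurationData on the authoring machine (optional).
        [string] $ExpectedThumbprint
    )

    # Strip spaces and any non-hex characters picked up when a thumbprint
    # is copied from a certificate dialog, then upper-case it.
    $normalize = { param($t) ($t -replace '[^0-9A-Fa-f]', '').ToUpperInvariant() }

    $lcmThumbprint = & $normalize (Get-DscLocalConfigurationManager).CertificateID

    $result = [ordered]@{
        LcmCertificateID   = $lcmThumbprint
        ExpectedThumbprint = $null
        MatchesExpected    = $null   # stays $null when nothing to compare
        FoundInStore       = $false
        HasPrivateKey      = $false
        NotExpired         = $false
    }

    if ($ExpectedThumbprint) {
        $result.ExpectedThumbprint = & $normalize $ExpectedThumbprint
        $result.MatchesExpected    = ($result.ExpectedThumbprint -eq $lcmThumbprint)
    }

    if ($lcmThumbprint) {
        $cert = Get-ChildItem -Path Cert:\LocalMachine\My |
            Where-Object { $_.Thumbprint -eq $lcmThumbprint } |
            Select-Object -First 1
        if ($cert) {
            $result.FoundInStore  = $true
            # Decryption needs the private key, not just the public certificate.
            $result.HasPrivateKey = $cert.HasPrivateKey
            $result.NotExpired    = ($cert.NotAfter -gt (Get-Date))
        }
    }

    [pscustomobject]$result
}

# Pass -ExpectedThumbprint with the value from ConfigurationData to compare.
Test-DscDecryptionCertificate
```

An empty `LcmCertificateID`, `FoundInStore = $false`, or `MatchesExpected = $false` corresponds to the situations described by ykuijs and kevinpohlmeier above.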
