Bug report: Error adding spo site
### Description
Trying to script out creation of sites in SPO, get an error when running a test command from the documentation.
### Steps to reproduce
Run the below command (taken directly from the documentation here):
```
m365 spo site add --alias team1 --title "Team 1"
```
### Expected results
Site is created in my tenant.
### Actual results
Receive Error: Error: unable to get local issuer certificate
### Diagnostics
```
Executing command spo site add with options {"options":{"alias":"team1","title":"Team 1","debug":true}}
No SPO URL available. Retrieving from MS Graph...
Existing access token {authtoken} still valid. Returning...
Request:
{
  "headers": {
    "common": {
      "Accept": "application/json, text/plain, */*"
    },
    "delete": {},
    "get": {},
    "head": {},
    "post": {
      "Content-Type": "application/x-www-form-urlencoded"
    },
    "put": {
      "Content-Type": "application/x-www-form-urlencoded"
    },
    "patch": {
      "Content-Type": "application/x-www-form-urlencoded"
    },
    "user-agent": "NONISV|SharePointPnP|CLIMicrosoft365/5.1.0",
    "accept-encoding": "gzip, deflate",
    "accept": "application/json;odata.metadata=none",
    "authorization": "Bearer {authtoken}"
  },
  "decompress": true,
  "responseType": "json",
  "url": "https://graph.microsoft.com/v1.0/sites/root?$select=webUrl",
  "method": "get"
}
Request error: Error: Cannot convert undefined or null to object
```
### CLI for Microsoft 365 version
v5.1.0
### nodejs version
v16.14.2
### Operating system (environment)
Windows
### Shell
PowerShell
### cli doctor
```json
{
"os": {
"platform": "win32",
"version": "Windows 10 Enterprise",
"release": "10.0.19042"
},
"cliVersion": "5.1.0",
"nodeVersion": "v16.14.2",
"cliAadAppId": "31359c7f-bd7e-475c-86db-fdb8c937548e",
"cliAadAppTenant": "common",
"authMode": "DeviceCode",
"cliEnvironment": "",
"cliConfig": {},
"roles": [],
"scopes": [
"AllSites.FullControl",
"AppCatalog.ReadWrite.All",
"AuditLog.Read.All",
"ChannelMember.ReadWrite.All",
"ChannelMessage.Read.All",
"ChannelMessage.Send",
"ChannelSettings.ReadWrite.All",
"Chat.Read",
"Chat.ReadWrite",
"Directory.AccessAsUser.All",
"Directory.ReadWrite.All",
"Group.ReadWrite.All",
"IdentityProvider.ReadWrite.All",
"Mail.ReadWrite",
"Mail.Send",
"Place.Read.All",
"Policy.Read.All",
"Reports.Read.All",
"ServiceHealth.Read.All",
"ServiceMessage.Read.All",
"ServiceMessageViewpoint.Write",
"Tasks.ReadWrite",
"Team.Create",
"TeamMember.ReadWrite.All",
"TeamsApp.ReadWrite.All",
"TeamsAppInstallation.ReadWriteForUser",
"TeamSettings.ReadWrite.All",
"TeamsTab.ReadWrite.All",
"TermStore.ReadWrite.All",
"User.Invite.All",
"User.ReadWrite.All",
"profile",
"openid",
"email"
]
}
```
### Additional Info
I suspect this is related:
Running: `m365 site get`
Response:
```json
{
  "SpoUrl": ""
}
```
I expected this to return the tenant url. Running this graph call returns my tenant url as expected.
GET https://graph.microsoft.com/v1.0/sites/root?$select=webUrl
@jacobsian-del sorry you are having trouble with the tool. Thanks for reporting this. You rock 🤩 Will investigate it asap 👍
@jacobsian-del could you please do this additional check: using https://developer.microsoft.com/en-us/graph/graph-explorer (and being logged in) please execute 'https://graph.microsoft.com/v1.0/sites/root?$select=webUrl' and check if you get your tenant root webUrl 🤔
yep comes back as expected:
```json
{
  "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#sites(webUrl)/$entity",
  "webUrl": "https://jacobsian.sharepoint.com"
}
```
I checked the functionality in the latest CLI version and seems to be working ok. Seems like the problem might be connected to some local settings 🤔. If the request using graph explorer works fine (and basically CLI uses the same) let's also ensure we are using the same account for the check. May I ask you to restart from scratch and do the following steps:
- logout from m365 with `m365 logout` command
- go to AAD to Enterprise applications section and remove the 'PnP Management Shell' app
- login to m365 with `m365 login` command and be sure to approve all needed permissions
- recheck 🙂
@Adam-it we have a m365 reconsent command that allows you to make sure all permissions are in place (https://pnp.github.io/cli-microsoft365/cmd/cli/cli-reconsent/) might be a quicker way.
@appieschot that is sooo cool 🤩 @jacobsian-del may I kindly ask you to check this 👍
@jacobsian-del are you working behind a corporate proxy?
I have seen this issue before when using Azure CLI, which is caused by the proxy intercepting the CLI's HTTPS traffic, decrypting and re-encrypting it with its own certificate.
We do have an open issue related to Axios, which we use to execute requests from the CLI, not supporting custom certificate CAs, I think these may be related 👉 https://github.com/pnp/cli-microsoft365/issues/2155
Sorry I've been on vacation.
Testing the command after running m365 cli reconsent resulted in the same message as originally reported.
> @jacobsian-del are you working behind a corporate proxy?

@garrytrinder While I'm not currently on the VPN, it's very possible something running is intercepting traffic, but I would have expected all commands making graph requests to fail, no? This is the first command I've run into this with.
@jacobsian-del the error you mention Error: unable to get local issuer certificate is different from the error you mention further down Error: Cannot convert undefined or null to object. Could you please run the command with the --debug option and share with us the full output (excluding the access token of course)? Thank you, and we appreciate your help to understand what's going on.
The error Error: unable to get local issuer certificate is what I get when I run the command without the --debug option. When I run with the --debug option I get the Error: Cannot convert undefined or null to object message.
Running:
m365 spo site add --alias team1 --title "Team 1"
Result:
Error: unable to get local issuer certificate
Running:
m365 spo site add --alias team1 --title "Team 1" --debug
Result:
```
Executing command spo site add with options {"options":{"alias":"team1","title":"Team 1","debug":true}}
No SPO URL available. Retrieving from MS Graph...
Existing access token {BearerToken} still valid. Returning...
Request:
{
  "headers": {
    "common": {
      "Accept": "application/json, text/plain, */*"
    },
    "delete": {},
    "get": {},
    "head": {},
    "post": {
      "Content-Type": "application/x-www-form-urlencoded"
    },
    "put": {
      "Content-Type": "application/x-www-form-urlencoded"
    },
    "patch": {
      "Content-Type": "application/x-www-form-urlencoded"
    },
    "user-agent": "NONISV|SharePointPnP|CLIMicrosoft365/5.1.0",
    "accept-encoding": "gzip, deflate",
    "accept": "application/json;odata.metadata=none",
    "authorization": "{BearerToken}"
  },
  "decompress": true,
  "responseType": "json",
  "url": "https://graph.microsoft.com/v1.0/sites/root?$select=webUrl",
  "method": "get"
}
Request error:
Error: Cannot convert undefined or null to object
```
How are you signing in to Microsoft 365 in the CLI @jacobsian-del? Are you executing just m365 login or do you include any specific arguments?
just a simple m365 login which kicks me to a device login page.
@jacobsian-del Are you running PowerShell from VS Code, ISE or the plain default terminal?
I've tested from the Terminal and VS Code.
I'm trying to capture the requests being made in fiddler but having some trouble setting up the proxies correctly. Any guidance you can provide?
CLI for M365 is built on Node.js so this guide should help you: https://docs.telerik.com/fiddler-everywhere/knowledge-base/how-to-capture-nodejs-traffic?_ga=2.37214373.405898960.1655298175-245386227.1618502143
so I don't know how, but it worked once in bash instead of powershell.
Running: m365 spo site add --alias team1 --title "Team 1" --debug
Resulted in this:
```
Executing command spo site add with options {"options":{"alias":"team1","title":"Team 1","debug":true}}
SPO URL previously retrieved https://jacobsian.sharepoint.com. Returning...
Creating new site...
Existing access token {token} still valid. Returning...
Request:
{
  "headers": {
    "common": {
      "Accept": "application/json, text/plain, */*"
    },
    "delete": {},
    "get": {},
    "head": {},
    "post": {
      "Content-Type": "application/x-www-form-urlencoded"
    },
    "put": {
      "Content-Type": "application/x-www-form-urlencoded"
    },
    "patch": {
      "Content-Type": "application/x-www-form-urlencoded"
    },
    "user-agent": "NONISV|SharePointPnP|CLIMicrosoft365/5.1.0",
    "accept-encoding": "gzip, deflate",
    "content-type": "application/json; odata=verbose; charset=utf-8",
    "accept": "application/json;odata=nometadata",
    "authorization": "Bearer {token}"
  },
  "decompress": true,
  "responseType": "json",
  "url": "https://jacobsian.sharepoint.com/_api/GroupSiteManager/CreateGroupEx",
  "data": {
    "displayName": "Team 1",
    "alias": "team1",
    "optionalParams": {
      "Description": "",
      "CreationOptions": {
        "results": [],
        "Classification": ""
      }
    }
  },
  "method": "post"
}
Response:
{
  "url": "https://jacobsian.sharepoint.com/_api/GroupSiteManager/CreateGroupEx",
  "status": 200,
  "statusText": "OK",
  "headers": {
    "cache-control": "private, max-age=0",
    "transfer-encoding": "chunked",
    "content-type": "application/json;odata=nometadata;streaming=true;charset=utf-8",
    "expires": "Tue, 31 May 2022 17:21:17 GMT",
    "last-modified": "Wed, 15 Jun 2022 17:21:17 GMT",
    "vary": "Origin,Accept-Encoding",
    "p3p": "CP=\"ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI\"",
    "x-sharepointhealthscore": "2",
    "x-sp-serverstate": "ReadOnly=0",
    "dataserviceversion": "3.0",
    "spclientservicerequestduration": "4135",
    "x-aspnet-version": "4.0.30319",
    "x-databoundary": "None",
    "x-1dscollectorurl": "https://mobile.events.data.microsoft.com/OneCollector/1.0/",
    "x-ariacollectorurl": "https://browser.pipe.aria.microsoft.com/Collector/3.0/",
    "sprequestguid": "f1a847a0-4050-1000-d5de-2b1eec716f58",
    "request-id": "f1a847a0-4050-1000-d5de-2b1eec716f58",
    "ms-cv": "oEeo8VBAABDV3ise7HFvWA.0",
    "strict-transport-security": "max-age=31536000",
    "x-frame-options": "SAMEORIGIN",
    "content-security-policy": "frame-ancestors 'self' teams.microsoft.com *.teams.microsoft.com *.skype.com *.teams.microsoft.us local.teams.office.com *.powerapps.com *.yammer.com *.officeapps.live.com *.office.com *.stream.azure-test.net *.microsoftstream.com *.dynamics.com *.microsoft.com;",
    "x-powered-by": "ASP.NET",
    "microsoftsharepointteamservices": "16.0.0.22525",
    "x-content-type-options": "nosniff",
    "x-ms-invokeapp": "1; RequireReadOnly",
    "x-cache": "CONFIG_NOCACHE",
    "x-msedge-ref": "Ref A: EB72CA0690374503AE299C256BDDE868 Ref B: MIA301000104019 Ref C: 2022-06-15T17:21:17Z",
    "date": "Wed, 15 Jun 2022 17:21:21 GMT",
    "connection": "close"
  },
  "data": {
    "DocumentsUrl": null,
    "ErrorMessage": null,
    "GroupId": "2fca32fe-5bc2-49f6-b8e3-1832a355c597",
    "SiteStatus": 2,
    "SiteUrl": "https://jacobsian.sharepoint.com/sites/team1"
  }
}
"https://jacobsian.sharepoint.com/sites/team1"
DONE
```
However, next run:
Running: m365 spo site add --alias team2 --title "Team 2" --debug
Returns:
```
Executing command spo site add with options {"options":{"alias":"team2","title":"Team 2","debug":true}}
SPO URL previously retrieved https://jacobsian.sharepoint.com. Returning...
Creating new site...
Existing access token {token} still valid. Returning...
Request:
{
  "headers": {
    "common": {
      "Accept": "application/json, text/plain, */*"
    },
    "delete": {},
    "get": {},
    "head": {},
    "post": {
      "Content-Type": "application/x-www-form-urlencoded"
    },
    "put": {
      "Content-Type": "application/x-www-form-urlencoded"
    },
    "patch": {
      "Content-Type": "application/x-www-form-urlencoded"
    },
    "user-agent": "NONISV|SharePointPnP|CLIMicrosoft365/5.1.0",
    "accept-encoding": "gzip, deflate",
    "content-type": "application/json; odata=verbose; charset=utf-8",
    "accept": "application/json;odata=nometadata",
    "authorization": "Bearer {token}"
  },
  "decompress": true,
  "responseType": "json",
  "url": "https://jacobsian.sharepoint.com/_api/GroupSiteManager/CreateGroupEx",
  "data": {
    "displayName": "Team 2",
    "alias": "team2",
    "optionalParams": {
      "Description": "",
      "CreationOptions": {
        "results": [],
        "Classification": ""
      }
    }
  },
  "method": "post"
}
Request error:
Error: Cannot convert undefined or null to object
```
Does this new trace provide better information?
Thank you for the additional information @jacobsian-del and I really appreciate your help. It's odd that one request is working as expected, while another, which is almost identical, fails. It almost seems like something intermittent in M365. Is the tenant that you're running this command against an old dev tenant, instant sandbox or a regular tenant? Also, does it have targeted release enabled? I hope you don't mind all these questions as we're trying to understand what could be wrong exactly.
> Is the tenant that you're running this command against an old dev tenant, instant sandbox or a regular tenant?

It's (what I assume is) a regular tenant created on my M365 developer subscription.

> Also, does it have targeted release enabled?

Not to my knowledge, kept it to the default options on creation. Where would I go to check?

> I hope you don't mind all these questions as we're trying to understand what could be wrong exactly.

Not at all, thanks for putting up with me for something I strongly suspect is going to end up being a personal problem :-)
> Not at all, thanks for putting up with me for something I strongly suspect is going to end up being a personal problem :-)

It might just be 😁. Just to ask the obvious: did you try running the same command on:
- another network? (for example using hotspot)
- another pc?
- another tenant?
We could at least rule out that it's your device.
> > Also, does it have targeted release enabled?
>
> Not to my knowledge, kept it to the default options on creation. Where would I go to check?

@jacobsian-del you can check it at https://admin.microsoft.com/Adminportal/Home#/featureexplorer/:/Settings/L1/ReleasePreferences
> > > Also, does it have targeted release enabled?
> >
> > Not to my knowledge, kept it to the default options on creation. Where would I go to check?
>
> @jacobsian-del you can check it at https://admin.microsoft.com/Adminportal/Home#/featureexplorer/:/Settings/L1/ReleasePreferences

Yep Standard Release.

> > Not at all, thanks for putting up with me for something I strongly suspect is going to end up being a personal problem :-)
>
> It might just be 😁. Just to ask the obvious: did you try running the same command on:
> - another network? (for example using hotspot)
> - another pc?
> - another tenant?
>
> We could at least rule out that it's your device.

@jacobsian-del, did you have an answer to this as well?
Some preliminary findings, but I'm on another network at another location today so this should make sure I have everything covered. Will post findings later today
Well it's definitely a problem with me. Worked with my partner and he is able to run the command without issue from his computer against both his own tenant and mine without issue.
Good news is I have a trace, seems the call to create the Group site is getting rejected. Don't know why, but it's a concrete problem to trace. CLI_Capture.zip
Additionally, testing the failing API call in PowerShell with curl was successful, while the API call made through the CLI fails. Fiddler trace and Curl script are attached below. CurlResults.zip
I'm suspecting that something in my node install is messed up?
Could you check if you have any of these environment variables configured on your machine: HTTP_PROXY, HTTPS_PROXY, NO_PROXY? If so, could you delete them, try logging out and logging in to CLI and see if it makes any difference?
Closing due to lack of response
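
A triage helper for the proxy question and the environment-variable check raised in the thread above, as an added example that is not part of the thread or of CLI for Microsoft 365: it reports which relevant variables are set without printing their values and classifies the certificate error Node reports. `auditEnv`, `classify` and `probe` are hypothetical names; `NODE_EXTRA_CA_CERTS` and `NODE_TLS_REJECT_UNAUTHORIZED` are standard Node.js variables that the thread does not mention.

```javascript
// Added example, not CLI for Microsoft 365 code; function names are hypothetical.
// Codes Node reports when the issuing CA is missing from its trust store
// (the first is the code behind "unable to get local issuer certificate").
const ISSUER_ERRORS = new Set(['UNABLE_TO_GET_ISSUER_CERT_LOCALLY',
  'SELF_SIGNED_CERT_IN_CHAIN', 'UNABLE_TO_VERIFY_LEAF_SIGNATURE']);

// List TLS- and proxy-related variables that are set, without echoing their
// values (proxy URLs can embed credentials).
function auditEnv(env) {
  const findings = ['HTTP_PROXY', 'HTTPS_PROXY', 'NO_PROXY']
    .filter((n) => env[n] || env[n.toLowerCase()]) // either case is common
    .map((name) => ({ name, level: 'info', note: 'proxy variable is set' }));
  if (env.NODE_TLS_REJECT_UNAUTHORIZED === '0') {
    findings.push({ name: 'NODE_TLS_REJECT_UNAUTHORIZED', level: 'high',
      note: 'certificate verification is disabled; unset it' });
  }
  if (env.NODE_EXTRA_CA_CERTS) {
    findings.push({ name: 'NODE_EXTRA_CA_CERTS', level: 'info',
      note: 'additional CA bundle is loaded at startup' });
  }
  return findings;
}

// Interpret a probe result of the shape returned by probe() below.
function classify(result) {
  if (result.authorized) return 'chain-trusted';
  return ISSUER_ERRORS.has(result.authorizationError)
    ? 'issuer-not-trusted' // typical of a TLS-inspecting proxy or private CA
    : 'other-tls-failure';
}

// Live check: completes one handshake only to read the presented chain.
// Verification is relaxed for this socket alone and no request is sent.
async function probe(host, port = 443) {
  const tls = await import('node:tls');
  return new Promise((resolve, reject) => {
    const opts = { host, port, servername: host, rejectUnauthorized: false };
    const sock = tls.connect(opts, () => {
      const issuers = [], seen = new Set();
      let cert = sock.getPeerCertificate(true);
      while (cert && cert.fingerprint256 && !seen.has(cert.fingerprint256)) {
        seen.add(cert.fingerprint256);
        issuers.push(cert.issuer && cert.issuer.CN);
        cert = cert.issuerCertificate; // the root points back at itself
      }
      resolve({ authorized: sock.authorized, authorizationError: sock.authorizationError, issuers });
      sock.end();
    });
    sock.on('error', reject);
  });
}
```

`probe('graph.microsoft.com')` connects directly rather than through any configured proxy, so it shows interception on the network path itself. When the result is `issuer-not-trusted`, pointing `NODE_EXTRA_CA_CERTS` at the organization's CA file keeps certificate verification on.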