az keyvault certificate pending: error when pending certificate exists: 'NoneType' object has no attribute 'code'

[joshjcarrier]

Describe the bug

When a key vault certificate is stuck in a pending state, or there's a problem renewing the certificate, the pending certificate can be managed with the az keyvault certificate pending set of commands. For the show and delete subcommands, the error 'NoneType' object has no attribute 'code' when parsing the API response.

Related command

az keyvault certificate pending show --vault-name VAULT_NAME --name CERT_NAME

Errors

'NoneType' object has no attribute 'code' when parsing the API response.

Issue script & Debug output

cli.azure.cli.core.sdk.policies: Request URL: 'https://******.vault.azure.net/certificates/****/pending?api-version=7.4'
cli.azure.cli.core.sdk.policies: Request method: 'DELETE'
cli.azure.cli.core.sdk.policies: Request headers:
cli.azure.cli.core.sdk.policies:     'Accept': 'application/json'
cli.azure.cli.core.sdk.policies:     'x-ms-client-request-id': '******'
cli.azure.cli.core.sdk.policies:     'CommandName': 'keyvault certificate pending delete'
cli.azure.cli.core.sdk.policies:     'ParameterSetName': '--vault-name --name --debug'
cli.azure.cli.core.sdk.policies:     'User-Agent': 'AZURECLI/2.74.0 (RPM) azsdk-python-core/1.31.0 Python/3.12.9 (Linux-6.1.124.1-microsoft-standard-x86_64-with-glibc2.38) cloud-shell/1.0'
cli.azure.cli.core.sdk.policies:     'Authorization': '*****'
cli.azure.cli.core.sdk.policies: Request body:
cli.azure.cli.core.sdk.policies: This request has no body
urllib3.connectionpool: https://******.vault.azure.net:443 "DELETE /certificates/****/pending?api-version=7.4 HTTP/1.1" 200 2209
cli.azure.cli.core.sdk.policies: Response status: 200
cli.azure.cli.core.sdk.policies: Response headers:
cli.azure.cli.core.sdk.policies:     'Cache-Control': 'no-cache'
cli.azure.cli.core.sdk.policies:     'Pragma': 'no-cache'
cli.azure.cli.core.sdk.policies:     'Content-Type': 'application/json; charset=utf-8'
cli.azure.cli.core.sdk.policies:     'Expires': '-1'
cli.azure.cli.core.sdk.policies:     'x-ms-keyvault-region': 'westus2'
cli.azure.cli.core.sdk.policies:     'x-ms-client-request-id': '******'
cli.azure.cli.core.sdk.policies:     'x-ms-request-id': '******'
cli.azure.cli.core.sdk.policies:     'x-ms-keyvault-service-version': '1.9.2497.1'
cli.azure.cli.core.sdk.policies:     'x-ms-keyvault-network-info': 'conn_type=Ipv4;addr=******;act_addr_fam=InterNetwork;'
cli.azure.cli.core.sdk.policies:     'X-Content-Type-Options': 'nosniff'
cli.azure.cli.core.sdk.policies:     'Strict-Transport-Security': 'max-age=31536000;includeSubDomains'
cli.azure.cli.core.sdk.policies:     'Date': 'Fri, 04 Jul 2025 00:29:55 GMT'
cli.azure.cli.core.sdk.policies:     'Content-Length': '2209'
cli.azure.cli.core.sdk.policies: Response content:
cli.azure.cli.core.sdk.policies: {"id":"https://******.vault.azure.net/certificates/****/pending","issuer":{"name":"****"},"csr":"******","cancellation_requested":false,"status":"failed","status_details":"Pending certificate created. Certificate request is in progress. This may take some time based on the issuer provider. Please check again later.","error":{"code":"Request rejected","message":"**** rejected the request to create a certificate. Please check your configuration and try again.\nCertificateUrl: , HttpStatus: BadRequest, Correlation ID: ******. ErrorDetails: An attempt to create a certificate with **** failed with error Code 'ValidationError' having inner error Code 'InvalidField' and Message 'Certificate issuance is not allowed for the tenant ****** for the domain ******. The tenant's environment does not match the domain's environment.'. For help with any issues, visit ****.\n"},"request_id":"******"}
cli.azure.cli.core.azclierror: Traceback (most recent call last):
  File "/usr/lib64/az/lib/python3.12/site-packages/azure/cli/command_modules/keyvault/_command_type.py", line 109, in keyvault_command_handler
    result = op(**command_args)
             ^^^^^^^^^^^^^^^^^^
  File "/usr/lib64/az/lib/python3.12/site-packages/azure/core/tracing/decorator.py", line 94, in wrapper_use_tracer
    return func(*args, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib64/az/lib/python3.12/site-packages/azure/keyvault/certificates/_client.py", line 782, in delete_certificate_operation
    return CertificateOperation._from_certificate_operation_bundle(certificate_operation_bundle=bundle)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib64/az/lib/python3.12/site-packages/azure/keyvault/certificates/_models.py", line 492, in _from_certificate_operation_bundle
    error=(CertificateOperationError._from_error_bundle(certificate_operation_bundle.error)  # pylint: disable=protected-access
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib64/az/lib/python3.12/site-packages/azure/keyvault/certificates/_models.py", line 112, in _from_error_bundle
    inner_error=cls._from_error_bundle(error_bundle.inner_error)  # type: ignore
                ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib64/az/lib/python3.12/site-packages/azure/keyvault/certificates/_models.py", line 110, in _from_error_bundle
    code=error_bundle.code,  # type: ignore
         ^^^^^^^^^^^^^^^^^
AttributeError: 'NoneType' object has no attribute 'code'

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/lib64/az/lib/python3.12/site-packages/knack/cli.py", line 233, in invoke
    cmd_result = self.invocation.execute(args)
                 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib64/az/lib/python3.12/site-packages/azure/cli/core/commands/__init__.py", line 666, in execute
    raise ex
  File "/usr/lib64/az/lib/python3.12/site-packages/azure/cli/core/commands/__init__.py", line 734, in _run_jobs_serially
    results.append(self._run_job(expanded_arg, cmd_copy))
                   ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib64/az/lib/python3.12/site-packages/azure/cli/core/commands/__init__.py", line 703, in _run_job
    result = cmd_copy(params)
             ^^^^^^^^^^^^^^^^
  File "/usr/lib64/az/lib/python3.12/site-packages/azure/cli/core/commands/__init__.py", line 336, in __call__
    return self.handler(*args, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib64/az/lib/python3.12/site-packages/azure/cli/command_modules/keyvault/_command_type.py", line 135, in keyvault_command_handler
    return keyvault_exception_handler(ex)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib64/az/lib/python3.12/site-packages/azure/cli/command_modules/keyvault/_command_type.py", line 49, in keyvault_exception_handler
    raise CLIError(ex)
knack.util.CLIError: 'NoneType' object has no attribute 'code'

Expected behavior

The API response should be processed and output as per --output.

Environment Summary

azure-cli 2.74.0 *

core 2.74.0 *
telemetry 1.1.0

Extensions:
ml 2.37.1
ssh 2.0.6

Dependencies:
msal 1.32.3
azure-mgmt-resource 23.3.0

Python location '/usr/bin/python3.12'
Config directory '/home//.azure'
Extensions directory '/home//.azure/cliextensions'
Extensions system directory '/usr/lib/python3.12/site-packages/azure-cli-extensions'

Python (Linux) 3.12.9 (main, Mar 11 2025, 15:30:57) [GCC 13.2.0]

Additional context

No response

[azure-client-tools-bot-prd]

Hi @joshjcarrier,

2.74.0 is not the latest Azure CLI(2.75.0).

If you haven't already attempted to do so, please upgrade to the latest Azure CLI version by following https://learn.microsoft.com/en-us/cli/azure/update-azure-cli.

[yonzhan]

Thank you for opening this issue, we will look into it.