# suitescript
a
I'm having a real nightmare of a time switching from the 2024 suitecloud CLI to 2025 with OAuth 2. I've set up credentials and environment variables in every way I can think to, have tried each token type they mention here, to no avail; always getting an authentication error:
There was an error with the private key used to authenticate. Verify the contents of the private key.
I've tried a lot of combinations but right now I'm using the command exactly as they have it in the docs with an up-to-date openssl, switching between ES256 and ES512. I know that, in general, this could be a million things and cryptography messes are always hard to clean up, but my hope is one of you has been through this pain already and might be able to save me some, since the troubleshooting docs are of no help and just tell me to generate a new certificate (which I have, many times) 😅 I'm using WSL2 on Windows (Ubuntu 22) but have already worked through the issues with the keyring/lack of browser support. Specifically the command throwing the error is:
suitecloud account:setup:ci --account 1234567 --authid named-authid-here --certificateid CERTIFICATE_ID_HERE --privatekeypath ~/path/to/private.pem
SUITECLOUD_CI=1 and SUITECLOUD_CI_PASSKEY are set, I've reinstalled the entire CLI and fully removed the old version. The command is finding the right file, because an invalid path throws a different error. Any help or general ideas/footguns to be aware of would be handy!
j
i do remember having issues with neither ES256 nor ES512 working but RSA did work, the third example on that docs page (here modified with the maximum allowed 730 days rather than the 365 in the example)
openssl req -new -x509 -newkey rsa:4096 -days 730 -keyout private.pem -sigopt rsa_padding_mode:pss -sha256 -sigopt rsa_pss_saltlen:64 -out public.pem -nodes
a
Yeah, absolutely this is correct @Jonathan MacKenzie. I tried all three on that page but I think I got unlucky and fatfingered something when I tried specifically RSA-PSS the first time, haha. I've used ES before for RESTlet auth so I figured I'd stick with what I had experience with after that. I tried several ways of generating the ES tokens, both as provided in the examples and with other openssl commands, in powershell and wsl, openssl 3.0 and 3.5, and none of them work. Still no idea why, although my best guess is it's either a bug in >2025.1 or the suitecloud node CLI (more likely?) that improperly associates ES keys with old RSA keys somehow, or a slight misdocumentation in what is actually supported that I'm not smart enough to sniff out. Thank you so much for your help, truly a lifesaver! This ate literally half my day, I was moments from ron swansoning my computer and moving to antarctica
j
ha yeah it was a real headscratcher for me too, luckily there were two of us on my team trying to figure it out at the same time so that helped, one of us eventually tried the rsa one and it worked 😛 i guess another thing to watch out for if you're planning on also using the webstorm or vscode plugin is making sure those environment variables are set globally and in a way that the ide will see them, i wasted half a day figuring out that webstorm wasn't seeing my environment variables because i ran the launchctl command (i'm on macos) within tmux in iterm2 and one or other of those facts meant it wasn't the same "calling context" and webstorm wasn't seeing it, running those commands from the native terminal app worked. that one had me considering antarctica too 🐧
s
WSL2 supports browsers and gnome-keyring (we used Seahorse). On more recent builds I think some folks had issues where they had to launch seahorse to initialize or something, then suitecloud cli was happy. Haven't seen any issues like this on macOS though.
e
@Alex Howley the problem is the command line you used to generate the cert; here is the correct one:
openssl req -x509 \
  -newkey rsa:4096 \
  -sha256 \
  -keyout private.key \
  -out public.pem \
  -noenc \
  -subj "/CN=NetSuite M2M"
a
@Shawn Talbert Yeah, I did encounter issues with ensuring the keyring registered with the CLI, but I was able to get that worked out alright. At least, after I stopped getting an error pointing toward the keyring, that's when I learned browser-based auth is incompatible with WSL (which is documented here and reflected in my attempts). Seems I have to use the CI commands if I want to stay in the terminal, which isn't a huge deal, if a little tedious. Although if you're saying you've seen the 2025 CLI working with browser auth on WSL, I'll definitely still investigate and that's handy to know! @Execfy Thanks, the RSA token worked fine though - just the ES tokens weren't working with the newest versions of the CLI, for one reason or another
s
@Alex Howley browser based auth certainly works in WSL - if you are using WSL across the board. In our case we ran basically everything in WSL - including webstorm and MS Edge and it all works. Perhaps you had issues related to getting the default browser to launch - I recall some struggles around that, but we've been using this combo for years. However, I personally haven't been using it for several months since switching to macOS where everything just works without struggle.
a
@Shawn Talbert I think this might have changed with the 2025 CLI and OAuth 2 being required, I've also had no problem with it until updating to the new version. My default browser opens in general no problem (BROWSER is set, xdg_open works, open works) but any attempt at using browser-based auth just tells me it's not allowed, regardless of if and how SUITECLOUD_CI is set:
suitecloud account:setup -i

> Browser-based authentication is not allowed for the current execution context.
> For more information, see <https://system.netsuite.com/app/help/helpcenter.nl?fid=article_0113125121.html>.
I'd love to be wrong though, I might just not understand the tool enough to set up a proper workaround
Or, to your point, I suppose it could be related to the keyring not being detected properly
s
I wish I could help you directly, but I sent my thinkpad back to the mothership a while back, left only with macOS now 🙂
j
this probably isn't it but we did run into this here and took us a minute to figure it out: you'll still get that error if SUITECLOUD_CI_PASSKEY is set, even if SUITECLOUD_CI is not
s
let me ask some colleagues still on windows/wsl if they are having any issues
FWIW, we were not using 'CI' mode at all
a
@Jonathan MacKenzie absolutely hilarious
j
the docs page linked in the error message does explicitly say that but you def wouldn't expect it
a
@Shawn Talbert thanks for your patience with my yapping, that ^ was in fact my issue
@Jonathan MacKenzie 2 for 2 laser-targeting my exact oversights
j
2 for 2 with running into the same problems i hit my head against the last couple weeks haha
s
Well, they are a MacKenzie after all https://outlander.fandom.com/wiki/MacKenzie_of_Leoch