How to fix ERROR [HY000] [Microsoft][Xero] (1019) Unable to complete RSA Signature: error:1E08010C:DECODER routines::unsupported ERROR [HY000] [Microsoft][Xero] (1019) Unable to complete RSA Signature: error:1E08010C:DECODER routines::unsupported

Question

How to fix ERROR [HY000] [Microsoft][Xero] (1019) Unable to complete RSA Signature: error:1E08010C:DECODER routines::unsupported ERROR [HY000] [Microsoft][Xero] (1019) Unable to complete RSA Signature: error:1E08010C:DECODER routines::unsupported

Bhagat, Anil 0

Hi All,

I am using Azure Default Xero connector + OAuth2.0 flow. I have supplied the required information

Client ID
Client Secret
Tenant Id
REfresh Token

If I click on TEst Connection , I get below mentioned error. Can you please help ?

ERROR [HY000] [Microsoft][Xero] (1019) Unable to complete RSA Signature: error:1E08010C:DECODER routines::unsupported

Kalyani Kondavaradala 1,015 Reputation points Microsoft External Staff Moderator

2025-08-29T18:06:31.5533333+00:00
Hi @Bhagat, Anil

Thanks for your query on Microsoft Q&A!

I would like to add few more details to the Amira's suggestion.

This error occurs because the connector’s cryptographic library cannot decode the format of the RSA private key used to sign the JWT assertion for Xero’s OAuth 2.0 flow. Specifically, the connector expects the private key to be in PKCS#8 format.

you might be using PKCS#1 key (BEGIN RSA PRIVATE KEY) instead of PKCS#8 (BEGIN PRIVATE KEY)

Thanks for confirming that you are using OAuth2.0 for linked service and can you please try below steps to mitigate the issue.

**1. Convert Your RSA Key to PKCS#8 Format:**If you have a .pem key in PKCS#1 format, convert it using OpenSSL:

openssl pkcs8 -topk8 -inform PEM -outform PEM -in rsa_key.pem -out key_pkcs8.pem -nocrypt

This creates an unencrypted PKCS#8 key compatible with the connector.

**2. Bundle the Key and Certificate into a PFX File:**Use OpenSSL to create a .pfx file:

openssl pkcs12 -export -inkey key_pkcs8.pem -in cert.pem -out xero_cert.pfx -nodes

If you prefer to set a password, omit -nodes and add -password pass:<YourPassword>.

3. Convert the PFX to Base64: Many Azure connectors require the certificate in Base64 format.

$bytes = [IO.File]::ReadAllBytes("xero_cert.pfx") [Convert]::ToBase64String($bytes) | Out-File -FilePath "xero_cert_base64.txt"

4. Configure the Xero Linked Service: In Azure Data Factory or Synapse:

Go to Manage > Linked Services > + New > Xero

Choose OAuth 2.0 as the authentication type

Enter your Client ID, Client Secret, Tenant ID, and Refresh Token

Paste the Base64 string from xero_cert_base64.txt into the Certificate field

Enter the PFX password if applicable

Click Test Connection

Please let us know how this working for you, if issue still persist can share screenshots for error message and configuration of linked service? and confirm following

Did the configuration work previously (i.e., was it ever successfully connected)?

Can you confirm if you accidentally selected any other authentication method in the settings?

Hope you have required privileges to access the client id and client secrets.

Thanks!

Kalyani

2 answers

Your answer

Answer 1

Hello Anil !

Thank you for posting on Microsoft Learn.

That error means the driver is trying to do an RSA (PEM) signature and OpenSSL can’t decode the key it was given. In practice, this happens when the Xero linked service is (accidentally) behaving like OAuth 1.0a (which used RSA keys) instead of pure OAuth 2.0 or when a PEM-looking value is pasted where a client secret should go.

You need to force OAuth 2.0 in the linked service JSON where you open your Xero linked service (code view) and verify:

"type": "Xero",
"typeProperties": {
  "connectionProperties": {
    "host": "api.xero.com",
    "authenticationType": "OAuth_2.0",
    "consumerKey": { "type": "SecureString", "value": "<CLIENT_ID>" },
    "privateKey": { "type": "SecureString", "value": "<CLIENT_SECRET>" },
    "tenantId": "<TENANT_ID>",
    "refreshToken": { "type": "SecureString", "value": "<REFRESH_TOKEN>" }
  }
}

in OAuth 2.0 the field named privateKey is actually the client secret, just a plain string.

Don’t paste any -----BEGIN ... PRIVATE KEY----- blocks there, those are only for OAuth 1.0a and will trigger the RSA/DECODER error.

https://learn.microsoft.com/en-us/azure/data-factory/connector-xero

If the dropdown was set to OAuth 1.0a at any point, the driver will try to parse a PEM and sign with RSA. Switch to OAuth 2.0 and re-save. The Xero connector doc explicitly distinguishes the two and shows PEM only for OAuth 1.0a.

Answer 2

Hello Bhagat, Anil,

Welcome to the Microsoft Q&A and thank you for posting your questions here.

I understand that you would like to fix all the errors.

@Amira Bedhiafi have done a lot of justice in providing best resolution, just an addition to her response on Xero refresh tokens rotate. In Xero’s OAuth 2.0 flow, every time you use a refresh token to get a new access token, you also receive a brand-new refresh token, and the old one immediately becomes invalid. If you don’t update and store the latest refresh token (for example, in Azure Key Vault), future connection attempts will fail even if the initial test connection worked. This refresh-token rotation is a common follow-up issue in Xero integrations and is worth highlighting. Check for more details here - https://developer.xero.com/documentation/oauth2/overview

I hope this is helpful! Do not hesitate to let me know if you have any other questions or clarifications.

Please don't forget to close up the thread here by upvoting and accept it as an answer if it is helpful.

Share via

How to fix ERROR [HY000] [Microsoft][Xero] (1019) Unable to complete RSA Signature: error:1E08010C:DECODER routines::unsupported ERROR [HY000] [Microsoft][Xero] (1019) Unable to complete RSA Signature: error:1E08010C:DECODER routines::unsupported

2 answers

Your answer