azure-cli: az extension add --name azure-devops failing with SSL error


Describe the bug
Unable to install az cli extensions

To Reproduce
az extension add --name azure-devops

Errors:

Unable to get extension index.
Please ensure you have network connection. Error detail: HTTPSConnectionPool(host='azcliextensionsync.blob.core.windows.net', port=443): Max retries exceeded with url: /index1/index.json (Caused by SSLError(SSLError("bad handshake: Error([('SSL routines', 'tls_process_server_certificate', 'certificate verify failed')])")))

Expected behavior
Able to install az cli extensions

Environment summary

Shell Type: zsh
OS Version: macOS Catalina 10.15.7
Installer: HOMEBREW

$ az --version
azure-cli                         2.22.1

core                              2.22.1
telemetry                          1.0.6

Extensions:
interactive                        0.4.3

Python location '/usr/local/Cellar/azure-cli/2.22.1/libexec/bin/python'
Extensions directory '/Users/gl741q/.azure/cliextensions'

Python (Darwin) 3.8.9 (default, Apr  3 2021, 01:50:09)
[Clang 12.0.0 (clang-1200.0.32.29)]

Legal docs and information: aka.ms/AzureCliLegal

Additional context
I am working from behind my company’s proxy. They are inserting their own self-signed cert to decrypt our traffic for inspection. I have a copy of this certificate on my computer. I have followed the instructions here: https://docs.microsoft.com/en-us/cli/azure/use-cli-effectively#work-behind-a-proxy

I have exported my company’s internal certificate location on my laptop: REQUESTS_CA_BUNDLE=$HOME/certs/internal.pem

Other az commands work just fine, like az login or az group list. So far I am only having issues with az extension add.

About this issue

  • State: closed
  • Created 3 years ago
  • Reactions: 4
  • Comments: 20 (3 by maintainers)

Most upvoted comments

@georgejdli

My company sort of fixed it for me (but I have found some workaround as well) - by skipping SSL verification on aka.ms, so now it works for me without private cert (but I had issues with installing stream-analytics package).

I think the problem you are facing is the fact that your company is bypassing some of the SSL verifications, but not all. It seems the installation of extensions is following this process:

  1. Request to https://aka.ms
  2. Request redirected to: https://azcliextensionsync.blob.core.windows.net (to map name to extension URL)
  3. New request to https://azurecliprod.blob.core.windows.net to finally download the extension

For me the problem was everything under *.windows.net skipped SSL verification, but aka.ms didn’t. The problem is if you skip SSL verification, but still apply self-signed one, it will fail (at least this is my understanding).

You can try direct download call to download the extension by doing following steps:

  1. Navigate to: https://azcliextensionsync.blob.core.windows.net/index1/index.json this should give you the URL to the extension you want to install.
  2. (At the time of writing I guess it is: https://github.com/Azure/azure-devops-cli-extension/releases/download/20190805.1/azure_devops-0.12.0-py2.py3-none-any.whl)
  3. Invoke command: az extension add --source https://github.com/Azure/azure-devops-cli-extension/releases/download/20190805.1/azure_devops-0.12.0-py2.py3-none-any.whl

That should hopefully work for you. If github.com is exempt from SSL verification, you shouldn’t provide the self-signed certificate path under the ENV variable, as it is actually going to break it.

I resolved this problem by not using my (protected) company WiFi. Just connected to the guest network for the time of the download. Maybe it helps.

Just a note on this.

I came across this when running az extension add --name aks-preview and the pip install pip-system-certs approach didn’t work for me.

$env:AZURE_CLI_DISABLE_CONNECTION_VERIFICATION=1 was the only way to work around the error.

@akomisarek’s comment is correct. Thanks!

It’s very likely that your company skipped SSL/TLS verification for some domains, like .windows.net.

An easier solution would be to append standard Python root CAs to your pem file:

REQUESTS_CA_BUNDLE=$HOME/certs/internal.pem

You may get it from https://github.com/certifi/python-certifi/blob/master/certifi/cacert.pem

Then Azure CLI will use both your internal certificate and Python’s public certificate. This is mentioned at https://docs.microsoft.com/en-us/cli/azure/use-cli-effectively#work-behind-a-proxy

Append the proxy server’s certificate to this file or copy the contents to another certificate file, then set REQUESTS_CA_BUNDLE to it.

You may test the connectivity to a domain using

python -c "import requests; print(requests.get('https://azcliextensionsync.blob.core.windows.net/').status_code)"
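The maintainer's advice to keep the public roots alongside the proxy CA, and the aka.ms / blob.core.windows.net / github.com chain @akomisarek describes above, worked through as an added Python example (not azure-cli's own code): merge_bundles builds the combined file for REQUESTS_CA_BUNDLE, and probe does a verifying handshake per host so you can see which hosts the proxy intercepts. Hostnames are the ones from this thread; the PEM blocks in the demo are constructed placeholders, not real certificates.

```python
# Added example (not azure-cli's code): REQUESTS_CA_BUNDLE replaces the trust
# store, so a file holding only the proxy CA fails for every host the proxy does
# not intercept. Merge the public roots in, then probe each host with the result.
import re
import socket
import ssl
import tempfile
from pathlib import Path

PEM_BLOCK = re.compile(r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)

def pem_blocks(text):
    """Distinct certificate blocks in a PEM string; first occurrence wins."""
    seen, out = set(), []
    for block in PEM_BLOCK.findall(text):
        key = "".join(block.split())  # ignore line-wrapping differences
        if key not in seen:
            seen.add(key)
            out.append(block)
    return out

def merge_bundles(public_pem, internal_pem, out_pem):
    """Write the public roots plus the internal CA to out_pem; return cert count."""
    blocks = pem_blocks(Path(public_pem).read_text() + "\n" + Path(internal_pem).read_text())
    if not blocks:
        raise ValueError("no certificates found in inputs")
    Path(out_pem).write_text("\n".join(blocks) + "\n")
    return len(blocks)

def probe(host, cafile, port=443):
    """TLS handshake trusting only cafile -> (verified, issuer org or error).
    Run it for aka.ms, azcliextensionsync.blob.core.windows.net and github.com:
    an issuer equal to your proxy's CA means that host is intercepted."""
    ctx = ssl.create_default_context(cafile=cafile)
    try:
        with socket.create_connection((host, port), timeout=10) as raw, \
                ctx.wrap_socket(raw, server_hostname=host) as tls:
            issuer = dict(rdn[0] for rdn in tls.getpeercert()["issuer"])
            return True, issuer.get("organizationName", "?")
    except ssl.SSLCertVerificationError as e:  # bundle lacks a needed root
        return False, e.verify_message
    except OSError as e:
        return False, str(e)

# Constructed placeholder blocks (not real certificates) for the offline demo.
FAKE = {c: f"-----BEGIN CERTIFICATE-----\n{c}\n-----END CERTIFICATE-----" for c in "ABC"}

def demo_merge():
    """Public bundle A+B merged with internal B+C yields 3 distinct certs."""
    d = Path(tempfile.mkdtemp())
    (d / "public.pem").write_text(FAKE["A"] + "\n" + FAKE["B"])
    (d / "internal.pem").write_text(FAKE["B"] + "\n" + FAKE["C"])
    return merge_bundles(d / "public.pem", d / "internal.pem", d / "merged.pem")
```

In practice the public input is certifi's cacert.pem (python -c "import certifi; print(certifi.where())") and the internal input is the proxy CA file; a probe that fails with the merged bundle but succeeds with the system store points at a root still missing from the file.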

None of the solutions listed here worked for me. But I was able to install the extension by locating its download URL in the public index at https://raw.githubusercontent.com/Azure/azure-cli-extensions/main/src/index.json and then running

az extension add --source <download-url>

I had to allow https traffic to *.aka.ms and aka.ms as well as *.github.com and github.com. This allowed me to install the az cli extensions. Previously we only had *.aka.ms and *.github.com allowed but that didn’t also allow aka.ms and github.com.

@jgentil had a solution that worked for me: https://github.com/Azure/azure-cli/issues/20921#issuecomment-1190714888

Basically run "C:\Program Files (x86)\Microsoft SDKs\Azure\CLI2\python.exe" -m pip install pip-system-certs.

I received the same error message when I had fiddler running!

FWIW, I get this error running in a Windows VM in Azure. No corporate proxy. Win 2022 Datacenter. I’d have hoped that this wouldn’t happen there as well?

@eschrader, Installing from whl is the last resort for solving issues like this, as it doesn’t work with az upgrade which upgrades all your extensions automatically. You will also have to repeat this process for all extensions you need to install.

We still recommend adding your corp proxy root CA to Azure CLI’s pem file to avoid further obstruction.