azure-cli: az login fails with CERTIFICATE_VERIFY_FAILED and I am not behind a proxy
This is autogenerated. Please review and update as needed.
Describe the bug
Fresh install of azure-cli 2.32.0. When I run az login, I get the following error:
HTTPSConnectionPool(host='login.microsoftonline.com', port=443): Max retries exceeded with url: /organizations/v2.0/.well-known/openid-configuration (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1125)')))
az_command_data_logger: HTTPSConnectionPool(host='login.microsoftonline.com', port=443): Max retries exceeded with url: /organizations/v2.0/.well-known/openid-configuration (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1125)')))
Certificate verification failed. This typically happens when using Azure CLI behind a proxy that intercepts traffic with a self-signed certificate. Please add this certificate to the trusted CA bundle. More info: https://docs.microsoft.com/cli/azure/use-cli-effectively#work-behind-a-proxy.
No proxy is defined on this system.
This occurs with my local ISP at home, as well as the hotspot on my phone. I get the same error if I call az upgrade.
If I run ‘az --version’, I will get the error:
‘Unable to check if your CLI is up-to-date. Check your internet connection.’
I have removed all known Python installations on my machine before I installed azure cli.
I will attach a debug file.
I also set the following environment variable, and that did not affect the response:
$Env:AZURE_CLI_DISABLE_CONNECTION_VERIFICATION=1
$Env:ADAL_PYTHON_SSL_NO_VERIFY=1
Command Name
az login
Errors:
HTTPSConnectionPool(host='login.microsoftonline.com', port=443): Max retries exceeded with url: /organizations/v2.0/.well-known/openid-configuration (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1125)')))
To Reproduce:
Steps to reproduce the behavior. Note that argument values have been redacted, as they may contain sensitive information.
- Open PowerShell as an Administrator
az login --debug
Expected Behavior
Environment Summary
Windows-10-10.0.19041-SP0
Version 21H1 (OS Build 19043.1415)
Python 3.8.9
Installer: MSI
azure-cli 2.32.0
Additional Context
About this issue
- State: closed
- Created 2 years ago
- Reactions: 2
- Comments: 52 (17 by maintainers)
It seems really silly that Microsoft’s own CLI tool doesn’t use pip-system-certs to support reading the certificate store from Windows itself.
On a Windows CMD prompt or in PowerShell, run this command:
(you may need to do this as administrator, or change the path depending on how you installed the CLI)
This will install a hook that tells certifi, and thus requests, to use the Windows system certificates.
I tried all of the steps above in this ticket with varied degrees of success, however after running this last command:
"C:\Program Files (x86)\Microsoft SDKs\Azure\CLI2\python.exe" -m pip install pip-system-certs
all is now well and I get the correct response from the command 😃 Thank you @jgentil
Hey!
Can you try this:
It should return: C:\Program Files (x86)\Microsoft SDKs\Azure\CLI2\Lib\site-packages\certifi\cacert.pem
Then use:
Basically we are explicitly giving to the “requests” library the path to the cacert (which it should do behind the scene even if you don’t pass a value into the ‘verify’ param)
If that command returns “200” (congrats!), it’s proving that you might have something conflicting with how “requests” library gets the certificates.
Let’s look for the culprit now.
Can you check the REQUESTS_CA_BUNDLE env variable? I believe in powershell you can do:
If that command returns something like a path, you found the culprit! You just need to append the root CA to that file, or change the env variable to point to:
Then try:
If that command works, you’ll be able to use az login.
At the time we weren’t. We are now but IT did something to get around it.
They replaced my laptop and I am no longer having issues. Thanks for all the advice.
On Thu, Aug 17, 2023 at 6:14 PM, Alex Tjahjana @.*** wrote:
Ok. Thanks for your help. When I figure it out, I’ll post back to this thread if I can.
@borjamunozf have you tried adding the ZScaler self-signed cert to every certifi\cacert.pem that exists on your machine? Each Python installation uses its own certifi\cacert.pem. Try adding the ZScaler self-signed cert to cacert.pem in your C:\Users\XXX\AppData\Local\Programs\Python\Python311\Lib\site-packages\certifi\ folder, as well as the cacert.pem in your Azure CLI folder: either in C:\Program Files (x86)\Microsoft SDKs\Azure\CLI2\Lib\site-packages\certifi\ or C:\Program Files\Microsoft SDKs\Azure\CLI2\Lib\site-packages\certifi\ ?
I added ZScaler to my cacert.pem in c:\Program Files\Microsoft SDKs\Azure\CLI2\Lib\site-packages\certifi\ and I can add the devops extension:
My issue was actually ZScaler. Kind of weird since all of my other az cli commands were working fine until az storage blob copy start
@speedwaymickey are you using ZScaler? If you are, that’s the cause. The ZScaler CA isn’t recognised by Azure CLI.
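The two checks suggested in the comments above (which CA bundle requests actually verifies against, and whether the intercepting proxy's root CA is in that bundle) can be scripted; this is an added example, not code from the thread or from Azure CLI. The function names are hypothetical, the precedence shown is the one requests applies when verify is left at its default, and the sample "certificates" are constructed placeholder bytes rather than real X.509 data.

```python
import base64, hashlib, os, re, tempfile

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def effective_bundle(env, certifi_default):
    """Bundle `requests` verifies against when `verify` is left at its default:
    REQUESTS_CA_BUNDLE, then CURL_CA_BUNDLE, then certifi's cacert.pem."""
    return (env.get("REQUESTS_CA_BUNDLE") or env.get("CURL_CA_BUNDLE")
            or certifi_default)

def fingerprints(pem_text):
    """SHA-256 over the DER bytes of every certificate block in the text.
    Comment lines between blocks (as in certifi's bundle) are skipped."""
    return {hashlib.sha256(base64.b64decode(m.group(1))).hexdigest()
            for m in PEM_RE.finditer(pem_text)}

def ensure_trusted(bundle_path, ca_pem):
    """Append ca_pem unless the bundle already holds it. True if appended."""
    wanted = fingerprints(ca_pem)
    if not wanted:
        raise ValueError("no certificate block found in ca_pem")
    with open(bundle_path, encoding="utf-8") as fh:
        existing = fh.read()
    if wanted <= fingerprints(existing):
        return False  # already trusted, leave the file untouched
    with open(bundle_path, "a", encoding="utf-8") as fh:
        fh.write(("" if existing.endswith("\n") else "\n")
                 + ca_pem.strip() + "\n")
    return True

def fake_pem(der):
    """Constructed sample data: PEM armour around arbitrary bytes, not a real
    X.509 certificate. Only the armour and base64 layer are exercised."""
    body = base64.encodebytes(der).decode("ascii")
    return f"-----BEGIN CERTIFICATE-----\n{body}-----END CERTIFICATE-----\n"

if __name__ == "__main__":
    proxy_ca = fake_pem(b"constructed inspection-proxy root CA")
    with tempfile.TemporaryDirectory() as tmp:
        bundle = os.path.join(tmp, "cacert.pem")
        with open(bundle, "w", encoding="utf-8") as fh:
            fh.write("# Issuer: constructed public root\n"
                     + fake_pem(b"constructed public root"))
        # In real use pass os.environ and certifi.where() from that Python.
        target = effective_bundle({"REQUESTS_CA_BUNDLE": bundle}, "unused")
        print("requests would verify against:", target)
        print("appended:", ensure_trusted(target, proxy_ca))
        print("appended again:", ensure_trusted(target, proxy_ca))
```

Run it with the Python that ships with the CLI (the python.exe path quoted earlier in the thread), since each installation has its own cacert.pem, and use a CA certificate obtained from the team that operates the proxy.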
Had this same issue while trying to install an extension into azure CLI. Worked nicely on my macbook M1 2021. Had to use az --version and replace the python path with the path that was displayed. Thank you so much!
@jgentil @jeffchiou @Joeboyc2 @TommyJab does this survive az upgrade when moving between versions of the Azure CLI?
I’d like to avoid folks having to re-run this command periodically to fix az upgrade due to the outcome of az upgrade.
.The downside of dumping a cert bundle and using that instead of the system certs is if the system cert store is managed by IT you still might have changing trusts that require you to export a new bundle (though the bundle option can fix Python/npm/et al if you set the right environment variables).