azure-cli: SSL: CERTIFICATE_VERIFY_FAILED error on "az aks install-cli"
This is autogenerated. Please review and update as needed.
Describe the bug
Command Name
az aks install-cli
Errors:
The command failed with an unexpected error. Here is the traceback:
<urlopen error [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:852)>
Traceback (most recent call last):
File "urllib\request.py", line 1318, in do_open
File "http\client.py", line 1239, in request
File "http\client.py", line 1285, in _send_request
File "http\client.py", line 1234, in endheaders
File "http\client.py", line 1026, in _send_output
File "http\client.py", line 964, in send
File "http\client.py", line 1400, in connect
File "ssl.py", line 407, in wrap_socket
File "ssl.py", line 817, in __init__
File "ssl.py", line 1077, in do_handshake
File "ssl.py", line 689, in do_handshake
ssl.SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:852)
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
File "C:\Users\VSSADM~1\AppData\Local\Temp\pip-unpacked-wheel-kl_cpqvn\knack\cli.py", line 215, in invoke
File "C:\Users\VSSADM~1\AppData\Local\Temp\pip-unpacked-wheel-d55550gx\azure\cli\core\commands\__init__.py", line 654, in execute
File "C:\Users\VSSADM~1\AppData\Local\Temp\pip-unpacked-wheel-d55550gx\azure\cli\core\commands\__init__.py", line 718, in _run_jobs_serially
File "C:\Users\VSSADM~1\AppData\Local\Temp\pip-unpacked-wheel-d55550gx\azure\cli\core\commands\__init__.py", line 711, in _run_job
File "C:\Users\VSSADM~1\AppData\Local\Temp\pip-unpacked-wheel-imoq0319\six.py", line 703, in reraise
File "C:\Users\VSSADM~1\AppData\Local\Temp\pip-unpacked-wheel-d55550gx\azure\cli\core\commands\__init__.py", line 688, in _run_job
File "C:\Users\VSSADM~1\AppData\Local\Temp\pip-unpacked-wheel-d55550gx\azure\cli\core\commands\__init__.py", line 325, in __call__
File "C:\Users\VSSADM~1\AppData\Local\Temp\pip-unpacked-wheel-d55550gx\azure\cli\core\__init__.py", line 779, in default_command_handler
File "C:\Users\VSSADM~1\AppData\Local\Temp\pip-unpacked-wheel-clkvqii1\azure\cli\command_modules\acs\custom.py", line 324, in k8s_install_cli
File "C:\Users\VSSADM~1\AppData\Local\Temp\pip-unpacked-wheel-clkvqii1\azure\cli\command_modules\acs\custom.py", line 340, in k8s_install_kubectl
File "urllib\request.py", line 223, in urlopen
File "urllib\request.py", line 526, in open
File "urllib\request.py", line 544, in _open
File "urllib\request.py", line 504, in _call_chain
File "urllib\request.py", line 1361, in https_open
File "urllib\request.py", line 1320, in do_open
urllib.error.URLError: <urlopen error [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:852)>
To Reproduce:
Steps to reproduce the behavior. Note that argument values have been redacted, as they may contain sensitive information.
az aks install-cli
Expected Behavior
Environment Summary
Windows-10-10.0.17763-SP0
Python 3.6.8
Installer: MSI
azure-cli 2.10.1
Extensions:
aks-preview 0.4.60
Additional Context
Operating System is Windows Server 2019 Datacenter on Azure.
Size is Standard A1 v2 (1 vcpus, 2 GiB memory).
Confirmed ability to reach external websites after RDPing into system.
About this issue
- State: closed
- Created 4 years ago
- Reactions: 1
- Comments: 15 (3 by maintainers)
If the az aks install-cli needs certificates, with respect to the Python bug, is there a reason it can’t download / deploy them as a part of its functionality? Without installing the certificates as part of its package, it means a lot of babysitting and micromanagement. Additionally, I think (in particular) the Azure image for Datacenter 2019 should absolutely contain any needed certificates.
I just ran into the same error on a clean Windows 11 install and after digging around the web came up with a simple solution (for Windows). As noted above, the problem is that the CA cert chain is not in the cert store.
Results from the web started with downloading a .pem file from an unknown (to me) source. Since these are the root certs, I wasn’t comfortable with that.
Fortunately, az already has the cacert.pem file on disk.
The next step is to use openssl to convert the .pem file to a .pfx file. I used the openssl from git bash.
The last step is to load the .pfx file into your cert store.
I hope this saves someone some time!
@Steven-Tuccio-wwt Apologies for the late reply. Is there a proxy in your environment? Could you please try to run the command on another machine which is on a different network and check if that works fine? If this is not feasible, you can append your corporate proxy certificate(s) to the end of the certifi library’s cacert.pem file. Sharing the location of this on Windows: C:\Program Files (x86)\Microsoft SDKs\Azure\CLI2\Lib\site-packages\certifi\cacert.pem
Please let me know if you face any issue while testing this. Awaiting your reply.
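The suggestion above (appending corporate proxy certificates to certifi's cacert.pem), as an added Python example that is not code from azure-cli or from any commenter in this thread: it appends only certificates whose SHA-256 fingerprint the caller has confirmed out of band, skips any already in the bundle, and backs the bundle up first. The names `fingerprints`, `append_ca`, `make_pem` and `demo` are hypothetical, and the sample "certificates" are constructed bytes, not real X.509.

```python
import base64, hashlib, re, shutil, tempfile
from pathlib import Path

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s+(.+?)\s+-----END CERTIFICATE-----", re.S)

def fingerprints(pem_text):
    """Return {sha256-of-DER: PEM block} for every certificate in pem_text."""
    found = {}
    for m in PEM_RE.finditer(pem_text):
        der = base64.b64decode("".join(m.group(1).split()), validate=True)
        found[hashlib.sha256(der).hexdigest()] = m.group(0)
    return found

def append_ca(bundle_path, extra_pem_text, trusted_fps):
    """Append certificates to the bundle; return the fingerprints added."""
    bundle = Path(bundle_path)
    extra = fingerprints(extra_pem_text)
    unknown = set(extra) - set(trusted_fps)
    if unknown:  # refuse roots whose fingerprint nobody has confirmed
        raise ValueError(f"fingerprint not confirmed: {sorted(unknown)}")
    present = fingerprints(bundle.read_text(encoding="utf-8"))
    new = {fp: pem for fp, pem in extra.items() if fp not in present}
    if new:
        shutil.copy2(bundle, str(bundle) + ".bak")  # keep the original bundle
        with bundle.open("a", encoding="utf-8", newline="\n") as fh:
            for fp, pem in new.items():
                fh.write(f"\n# Added locally, sha256={fp}\n{pem}\n")
    return sorted(new)

def make_pem(der):
    """Wrap bytes in PEM armour (used only to build the constructed sample)."""
    b64 = base64.b64encode(der).decode()
    return f"-----BEGIN CERTIFICATE-----\n{b64}\n-----END CERTIFICATE-----"

def demo():
    """Run against a throwaway bundle; the 'certificates' are constructed bytes."""
    with tempfile.TemporaryDirectory() as tmp:
        bundle = Path(tmp) / "cacert.pem"
        bundle.write_text(make_pem(b"constructed public root") + "\n", encoding="utf-8")
        proxy = make_pem(b"constructed corporate proxy CA")
        fp = next(iter(fingerprints(proxy)))
        first = append_ca(bundle, proxy, {fp})
        second = append_ca(bundle, proxy, {fp})  # already present: no-op
        count = len(fingerprints(bundle.read_text(encoding="utf-8")))
        return first == [fp], second, count, Path(str(bundle) + ".bak").exists()

if __name__ == "__main__":
    print(demo())
```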