az login fails with CERTIFICATE_VERIFY_FAILED and I am not behind a proxy #20921
Comments
ghost
added
needs-triage
ghost
removed
the
needs-triage
yonzhan
removed
the
question
|
@jiasli for awareness |
|
These 2 env vars don't work with MSAL-based Azure CLI: Please check if you are able to access https://login.microsoftonline.com/organizations/v2.0/.well-known/openid-configuration with
Also, in the web browser, please check if the certificate chain is correct. It should look like:
You may follow an article I wrote: https://github.com/jiasli/azure-notes/blob/master/cli/cli-proxy.md |
|
The Web browser works fine
[image.png]
Certification Path is the same as your previous comment.
Python Command Fails
PS C:\WINDOWS\system32> & "C:\Program Files (x86)\Microsoft SDKs\Azure\CLI2\python.exe" -c "import requests; print(requests.get('https://login.microsoftonline.com/organizations/v2.0/.well-known/openid-configuration').status_code)"
Traceback (most recent call last):
File "D:\a\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\urllib3/connectionpool.py", line 699, in urlopen
File "D:\a\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\urllib3/connectionpool.py", line 382, in _make_request
File "D:\a\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\urllib3/connectionpool.py", line 1010, in _validate_conn
File "D:\a\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\urllib3/connection.py", line 416, in connect
File "D:\a\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\urllib3/util/ssl_.py", line 449, in ssl_wrap_socket
File "D:\a\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\urllib3/util/ssl_.py", line 493, in _ssl_wrap_socket_impl
File "ssl.py", line 500, in wrap_socket
File "ssl.py", line 1040, in _create
File "ssl.py", line 1309, in do_handshake
ssl.SSLCertVerificationError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1125)
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
File "D:\a\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\requests/adapters.py", line 439, in send
File "D:\a\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\urllib3/connectionpool.py", line 755, in urlopen
File "D:\a\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\urllib3/util/retry.py", line 574, in increment
urllib3.exceptions.MaxRetryError: HTTPSConnectionPool(host='login.microsoftonline.com', port=443): Max retries exceeded with url: /organizations/v2.0/.well-known/openid-configuration (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1125)')))
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
File "<string>", line 1, in <module>
File "D:\a\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\requests/api.py", line 75, in get
File "D:\a\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\requests/api.py", line 61, in request
File "D:\a\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\requests/sessions.py", line 542, in request
File "D:\a\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\requests/sessions.py", line 655, in send
File "D:\a\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\requests/adapters.py", line 514, in send
requests.exceptions.SSLError: HTTPSConnectionPool(host='login.microsoftonline.com', port=443): Max retries exceeded with url: /organizations/v2.0/.well-known/openid-configuration (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1125)')))
I worked with my IT department today, and confirmed there are no Proxies in my path.
I also have tested this on a Virtual Machine with Windows 10 Version 1909 and I am not encountering this problem.
‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
…On Thursday, January 6th, 2022 at 8:16 PM, Jiashuo Li ***@***.***> wrote:
These 2 env vars don't work with MSAL-based Azure CLI:
$Env:AZURE_CLI_DISABLE_CONNECTION_VERIFICATION=1
$Env:ADAL_PYTHON_SSL_NO_VERIFY=1
Please check if you are able to access https://login.microsoftonline.com/organizations/v2.0/.well-known/openid-configuration with
- Web browser
- & "C:\Program Files (x86)\Microsoft SDKs\Azure\CLI2\python.exe" -c "import requests; print(requests.get('https://login.microsoftonline.com/organizations/v2.0/.well-known/openid-configuration').status_code)"
Also, in the web browser, please check if the certificate chain is correct. It should look like:
[image](https://user-images.githubusercontent.com/4003950/148480403-4975447b-9819-4269-874e-84636646a982.png)
You may follow an article I wrote: https://github.com/jiasli/azure-notes/blob/master/cli/cli-proxy.md
—
Reply to this email directly, [view it on GitHub](#20921 (comment)), or [unsubscribe](https://github.com/notifications/unsubscribe-auth/AXF4QPZO7NNCWCJSCF2WXXTUUZEJTANCNFSM5LMT34FA).
Triage notifications on the go with GitHub Mobile for [iOS](https://apps.apple.com/app/apple-store/id1477376905?ct=notification-email&mt=8&pt=524675) or [Android](https://play.google.com/store/apps/details?id=com.github.android&referrer=utm_campaign%3Dnotification-email%26utm_medium%3Demail%26utm_source%3Dgithub).
You are receiving this because you authored the thread.Message ID: ***@***.***>
|
|
Your image is trimmed. Please directly reply in GitHub website. |
|
|
|
The certificate looks good. However, as Python itself can't access https://login.microsoftonline.com/, could you also check your env var for whether If so, could you clear them?
|
|
|
|
i am running into same issue too :( both HTTP_PROXY and HTTPS_PROXY values are not set for me too. |
|
Any progress on this? Is this an incompatibility between: Windows-10-10.0.19041-SP0 Version 21H1 (OS Build 19043.1415) and |
|
As Python itself can't connect to internet, there must be some proxy, otherwise Azure CLI won't work for other users... Could you also check the result of Also, what is the the proxy setting in Control Panel -> Internet Options -> Connections -> LAN settings:
|
|
PS C:\WINDOWS\system32> & "C:\Program Files (x86)\Microsoft SDKs\Azure\CLI2\python.exe" -c "import urllib.request; print(urllib.request.getproxies())"
Same results whether I am connected to my companies VPN or not. |
|
Have you manually edited I got the same error after deleting some entries in that file:
You may try to re-install Azure CLI. |
I continue to get the error:
I do not see the message "The default web browser has been opend at: ..." It fails before the attempt to open the browser. |
Yes, this is the expected behavior as I have MSAL HTTP cache. After deleting
If you download and install Python directly from https://www.python.org/downloads/ and install |
|
I installed the latest version, 3.10.1, directly from the python web site, and ran
|
|
I was able to install the requests pack via the following command:
When run:
I get the following error: PS C:\WINDOWS\system32> python -c "import requests; print(requests.get('https://login.microsoftonline.com/organizations/v2.0/.well-known/openid-configuration').status_code)" During handling of the above exception, another exception occurred: Traceback (most recent call last): During handling of the above exception, another exception occurred: Traceback (most recent call last): |
|
@speedwaymickey, this indicates Python itself is not able to connect to the internet. Even Perhaps you can submit your question to https://bugs.python.org/ or https://stackoverflow.com/. |
|
I would also suggest you to try It may also be possible that your browser is actually using a proxy that doesn't intercept HTTPS traffic, all other HTTPS traffic (from Python, |
|
I currently don't have openssl on my laptop, that doesn't work, or my VM that does work. I can install it and give it try. Note: I am not convinced that the browser has anything to do with this problem as it doesn't appear to be an attempt to open the browser. I am not connected to my companies network or VPN. Just my ISP. |
|
I can post the entire output from openssl if it doesn't disclose any private information. But I am seeing information like: PS C:\WINDOWS\system32> openssl s_client -showcerts -servername login.microsoftonline.com -connect login.microsoftonline.com:443
|
I am referring to the test we did in #20921 (comment). Looks like How about when |
|
That seems to look okay: PS C:\WINDOWS\system32> echo Q | openssl s_client -showcerts -servername login.microsoftonline.com -connect login.microsoftonline.com:443 -CAfile "C:\Program Files (x86)\Microsoft SDKs\Azure\CLI2\Lib\site-packages\certifi\cacert.pem"
|
|
@odoo-ce-modules, this is usually due to incomplete certificate chain in |
|
It seems really silly that Microsoft's own CLI tool doesn't use On a Windows CMD prompt or in PowerShell, run this command: "C:\Program Files (x86)\Microsoft SDKs\Azure\CLI2\python.exe" -m pip install pip-system-certs(you may need to do this as administrator, or change the path depending on how you installed the CLI) This will install a hook that tells certifi, and thus requests, to use the Windows system certificates. |
This worked for me - fixed SSL error when installing extensions. |
|
I tried all of the steps above in this ticket with varied degrees of success, however after running this last command: |
|
thank you very much
Thank you very much for your solution, you save me from madness. Best regards, |
|
@jgentil @jeffchiou @Joeboyc2 @TommyJab does this survive I'd like to avoid folks having to re-run this command periodically to fix The downside of dumping a cert bundle and using that instead of the system certs is if the system cert store is managed by IT you still might have changing trusts that require you to export a new bundle (though the bundle option can fix Python/npm/et al if you set the right environment variables). |
Had this same issue while trying to install an extension into azure CLI. Worked nicely on my macbook M1 2021. Had to use |
|
Thank you so much, installing I got the az cli to work again :) Thank you very much! |
You absolute legend, saved me from madness....my pc, almost agonizing after all the RAM was depleted with 20+ chrome tabs open, my eyes...weary and teary reading another time the documentation squinting my eyes to see if I missed something, alas I had given hope. Thank you, this solved my issue. Kudos to you! |
|
Using Using |
|
@speedwaymickey are you using ZScaler? If you do, that's the cause. ZScaler ca isn't recognised by azure CLI. |
|
At the time we weren’t. We are now but IT did something to get around it.
They replaced my laptop and I am no longer having issues. Thanks for all the advice.
…On Thu, Aug 17, 2023 at 6:14 PM, Alex Tjahjana ***@***.***(mailto:On Thu, Aug 17, 2023 at 6:14 PM, Alex Tjahjana <<a href=)> wrote:
***@***.***(https://github.com/speedwaymickey) are you using ZScaler? If you do, that's the cause. ZScaler ca isn't recognised by azure CLI.
—
Reply to this email directly, [view it on GitHub](#20921 (comment)), or [unsubscribe](https://github.com/notifications/unsubscribe-auth/AXF4QP4QUAL2AKAFRJDFRH3XV2QXDANCNFSM5LMT34FA).
You are receiving this because you were mentioned.Message ID: ***@***.***>
|
|
My issue was actually ZScaler. Kind of weird since all of my other az cli commands were working fine until az storage blob copy start |
|
Hello. I'm having the same issue when running this command: az extension add --name azure-devopsI have Azure Cli installed from PIP: pip install azure-cliaz loginworks. Also using ZScaler. Tested all workarounds without success:
Any idea how to fix this? @u362jsim how did you fix with Zscaler? |
|
Hey there, could you try the procedure outlined in this comment:
#20921 (comment)
…On Mon, Sep 11, 2023 at 11:21 AM borjamunozf ***@***.***> wrote:
Hello. I'm having the same issue when running this command:
az extension add --name azure-devops
I have Azure Cli installed from PIP:
pip install azure-cli
az login
works.
Also using *ZScaler*.
Tested all workarounds without success:
- pip install pip-system-certs
- modifiyng the certify/cacert.pem adding Zscaler.
- setting HTTP_PROXY
- disabling AZURE_CLI_DISABLE_VERIFICATION
- setting SSL_CERT to Zscaler.crt/pem
Any idea how to fix this?
@u362jsim <https://github.com/u362jsim> how did you fix with Zscaler?
—
Reply to this email directly, view it on GitHub
<#20921 (comment)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AH4V7XYWGXDGY6F54TAURPDXZ4T6BANCNFSM5LMT34FA>
.
You are receiving this because you were mentioned.Message ID:
***@***.***>
|
Hi @borjamunozf I wrote how I sort out the ZScaler cert issue in my blog: https://medium.com/@alextjahjana/ssl-issue-with-aws-cli-azure-cli-and-python-5cadd5ac07c4 |
I have tried your solution @alexkusuma but it does not work for me neither. |
|
Hey @borjamunozf, could you try using the python.exe located in the Azure CLI directory just to make sure, something that looks like this:
I noticed you used the python.exe in If you don't find it, try to install it from the official .msi: https://learn.microsoft.com/en-us/cli/azure/install-azure-cli-windows?tabs=azure-cli |
|
@borjamunozf have you tried to add the zscaler self signed cert into every certifi\cacert.pem that exists in your machine? each python installation uses their own certifi\cacert.pem. I add zscaler into my cacert,pem in c:\Program Files\Microsoft SDKs\Azure\CLI2\Lib\site-packages\certifi\ and I can add the devops extension: |
|
Turns out i had to unset any of these Env vars: 1012 unset CURL_CA_BUNDLE |
|
Finally, the issue on my side had been resolved setting up HTTP_PROXY &
HTTPS_PROXY environment variables correctly. I had the HTTPS_PROXY with
invalid value.
El mar, 3 oct 2023 a las 0:23, Olmo Rupert ***@***.***>)
escribió:
… Turns out i had to unset any of these Env vars:
1012 unset CURL_CA_BUNDLE
1013 unset REQUESTS_CA_BUNDLE
1014 unset HTTPLIB2_CA_CERTS
—
Reply to this email directly, view it on GitHub
<#20921 (comment)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AGFV5D3PL57GEU3BIZIVICDX5M5EJAVCNFSM5LMT34FKU5DIOJSWCZC7NNSXTN2JONZXKZKDN5WW2ZLOOQ5TCNZUGM4DKMRYGUZQ>
.
You are receiving this because you were mentioned.Message ID:
***@***.***>
|
Just to add to this fantastic solution by @jgentil - in my case pip was unfortunately blocked by corporate firewall (and it takes ages to unblock anything). If you're in same position, you can always download whl file for pip-system certs from pypi.org and then just install it from local directory: &"your_az_cli_python" -m pip install ./some_path/pip_system_certs-4.0-py2.py3-none-any.whlPlease note that pip-system-certs depends on wrapt package, but it actually comes with az cli itself, so you don't need to install it. Also be sure to verify az cli python path with |
It works for me, thants a lot for helping me out!😁 |
|
This happend to me on linux, the reason was because the first call to login.microsoftonline.com was being intercepted and needed a specific root ca to complete the call, once authenticated there's a callback to management.azure.com to download tenant and subscription info, this was not being intercepted but I had set I loaded my system store with the interception bundle properly and set azcli bundle to the system store so it could handle both calls |
This work for me too! |
|
[SSL: CERTIFICATE_VERIFY_FAILED]? I solved doing |
and others
This is autogenerated. Please review and update as needed.
Describe the bug
Fresh install of azure-cli 2.32.0. When I run
az login, I get the following error:HTTPSConnectionPool(host='login.microsoftonline.com', port=443): Max retries exceeded with url: /organizations/v2.0/.well-known/openid-configuration (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1125)')))
az_command_data_logger: HTTPSConnectionPool(host='login.microsoftonline.com', port=443): Max retries exceeded with url: /organizations/v2.0/.well-known/openid-configuration (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1125)')))
Certificate verification failed. This typically happens when using Azure CLI behind a proxy that intercepts traffic with a self-signed certificate. Please add this certificate to the trusted CA bundle. More info: https://docs.microsoft.com/cli/azure/use-cli-effectively#work-behind-a-proxy.
No proxy is defined on this system.
This occurs with my local ISP at home, as well as the hotspot on my phone. I get the same error if I call
az upgradeIf I run 'az --version', I will get the error:
'Unable to check if your CLI is up-to-date. Check your internet connection.'
I have removed all know python installation on my machine before I installed azure cli.
I will attach a debug file.
I also set the following environment variable, and that did not affect the response:
$Env:AZURE_CLI_DISABLE_CONNECTION_VERIFICATION=1
$Env:ADAL_PYTHON_SSL_NO_VERIFY=1
Command Name
az loginErrors:
To Reproduce:
Steps to reproduce the behavior. Note that argument values have been redacted, as they may contain sensitive information.
az login --debugExpected Behavior
Environment Summary
Additional Context
az.login.debug.log
The text was updated successfully, but these errors were encountered: