SSL Error (_ssl.c:1006) when running az keyvault key list locally with Azure CLI

[ikhvjs]

Describe the bug

I try with the CLI for key vault below locally and an SSL error returned.

Related command

az keyvault key list --subscription my-sub-id --vault-name my-kv-name

Errors

[SSL: UNEXPECTED_EOF_WHILE_READING] EOF occurred in violation of protocol (_ssl.c:1006)

Issue script & Debug output

Script:

az keyvault key list --subscription my-subs-id --vault-name my-kv-name

Debug Output:

cli.knack.cli: Command arguments: ['keyvault', 'key', 'list', '--subscription', 'my-subs-id', '--vault-name', 'my-kv-name', '--debug']
cli.knack.cli: __init__ debug log:
Enable color in terminal.
cli.knack.cli: Event: Cli.PreExecute []
cli.knack.cli: Event: CommandParser.OnGlobalArgumentsCreate [<function CLILogging.on_global_arguments at 0x101538d60>, <function OutputProducer.on_global_arguments at 0x1015ebec0>, <function CLIQuery.on_global_arguments at 0x1016399e0>]
cli.knack.cli: Event: CommandInvoker.OnPreCommandTableCreate []
cli.azure.cli.core: Modules found from index for 'keyvault': ['azure.cli.command_modules.keyvault']
cli.azure.cli.core: Loading command modules:
cli.azure.cli.core: Name                  Load Time    Groups  Commands
cli.azure.cli.core: keyvault                  0.052        20       113
cli.azure.cli.core: Total (1)                 0.052        20       113
cli.azure.cli.core: These extensions are not installed and will be skipped: ['azext_ai_examples', 'azext_next']
cli.azure.cli.core: Loading extensions:
cli.azure.cli.core: Name                  Load Time    Groups  Commands  Directory
cli.azure.cli.core: Total (0)                 0.000         0         0  
cli.azure.cli.core: Loaded 20 groups, 113 commands.
cli.azure.cli.core: Found a match in the command table.
cli.azure.cli.core: Raw command  : keyvault key list
cli.azure.cli.core: Command table: keyvault key list
cli.knack.cli: Event: CommandInvoker.OnPreCommandTableTruncate [<function AzCliLogging.init_command_file_logging at 0x10239d3a0>]
cli.azure.cli.core.azlogging: metadata file logging enabled - writing logs to '/Users/myusername/.azure/commands/2024-01-02.14-27-20.keyvault_key_list.50672.log'.
az_command_data_logger: command args: keyvault key list --subscription {} --vault-name {} --debug
cli.knack.cli: Event: CommandInvoker.OnPreArgumentLoad [<function register_global_subscription_argument.<locals>.add_subscription_parameter at 0x1024020c0>]
cli.knack.cli: Event: CommandInvoker.OnPostArgumentLoad []
cli.knack.cli: Event: CommandInvoker.OnPostCommandTableCreate [<function register_ids_argument.<locals>.add_ids_arguments at 0x102402160>, <function register_cache_arguments.<locals>.add_cache_arguments at 0x1024022a0>]
cli.knack.cli: Event: CommandInvoker.OnCommandTableLoaded []
cli.knack.cli: Event: CommandInvoker.OnPreParseArgs []
cli.knack.cli: Event: CommandInvoker.OnPostParseArgs [<function OutputProducer.handle_output_argument at 0x1015ebf60>, <function CLIQuery.handle_query_parameter at 0x101639a80>, <function register_ids_argument.<locals>.parse_ids_arguments at 0x102402200>]
cli.azure.cli.core.auth.persistence: build_persistence: location='/Users/myusername/.azure/msal_token_cache.json', encrypt=False
cli.azure.cli.core.auth.binary_cache: load: /Users/myusername/.azure/msal_http_cache.bin
urllib3.util.retry: Converted retries value: 1 -> Retry(total=1, connect=None, read=None, redirect=None, status=None)
msal.authority: openid_config = {'token_endpoint': 'https://login.microsoftonline.com/my-tenant-id/oauth2/v2.0/token', 'token_endpoint_auth_methods_supported': ['client_secret_post', 'private_key_jwt', 'client_secret_basic'], 'jwks_uri': 'https://login.microsoftonline.com/my-tenant-id/discovery/v2.0/keys', 'response_modes_supported': ['query', 'fragment', 'form_post'], 'subject_types_supported': ['pairwise'], 'id_token_signing_alg_values_supported': ['RS256'], 'response_types_supported': ['code', 'id_token', 'code id_token', 'id_token token'], 'scopes_supported': ['openid', 'profile', 'email', 'offline_access'], 'issuer': 'https://login.microsoftonline.com/my-tenant-id/v2.0', 'request_uri_parameter_supported': False, 'userinfo_endpoint': 'https://graph.microsoft.com/oidc/userinfo', 'authorization_endpoint': 'https://login.microsoftonline.com/my-tenant-id/oauth2/v2.0/authorize', 'device_authorization_endpoint': 'https://login.microsoftonline.com/my-tenant-id/oauth2/v2.0/devicecode', 'http_logout_supported': True, 'frontchannel_logout_supported': True, 'end_session_endpoint': 'https://login.microsoftonline.com/my-tenant-id/oauth2/v2.0/logout', 'claims_supported': ['sub', 'iss', 'cloud_instance_name', 'cloud_instance_host_name', 'cloud_graph_host_name', 'msgraph_host', 'aud', 'exp', 'iat', 'auth_time', 'acr', 'nonce', 'preferred_username', 'name', 'tid', 'ver', 'at_hash', 'c_hash', 'email'], 'kerberos_endpoint': 'https://login.microsoftonline.com/my-tenant-id/kerberos', 'tenant_region_scope': 'EU', 'cloud_instance_name': 'microsoftonline.com', 'cloud_graph_host_name': 'graph.windows.net', 'msgraph_host': 'graph.microsoft.com', 'rbac_url': 'https://pas.windows.net'}
msal.application: Broker enabled? False
urllib3.connectionpool: Starting new HTTPS connection (1): my-kv-name.vault.azure.net:443
urllib3.connectionpool: Starting new HTTPS connection (2): my-kv-name.vault.azure.net:443
urllib3.connectionpool: Starting new HTTPS connection (3): my-kv-name.vault.azure.net:443
urllib3.connectionpool: Starting new HTTPS connection (4): my-kv-name.vault.azure.net:443
cli.azure.cli.core.azclierror: Traceback (most recent call last):
  File "/opt/homebrew/Cellar/azure-cli/2.55.0/libexec/lib/python3.11/site-packages/azure/cli/command_modules/keyvault/_command_type.py", line 112, in keyvault_command_handler
    result = op(**command_args)
             ^^^^^^^^^^^^^^^^^^
  File "/opt/homebrew/Cellar/azure-cli/2.55.0/libexec/lib/python3.11/site-packages/azure/cli/command_modules/keyvault/custom.py", line 1155, in list_keys
    return [_ for _ in result if not getattr(_, 'managed')] if result else result
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/homebrew/Cellar/azure-cli/2.55.0/libexec/lib/python3.11/site-packages/azure/cli/command_modules/keyvault/custom.py", line 1155, in <listcomp>
    return [_ for _ in result if not getattr(_, 'managed')] if result else result
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/homebrew/Cellar/azure-cli/2.55.0/libexec/lib/python3.11/site-packages/azure/core/paging.py", line 128, in __next__
    return next(self._page_iterator)
           ^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/homebrew/Cellar/azure-cli/2.55.0/libexec/lib/python3.11/site-packages/azure/core/paging.py", line 76, in __next__
    self._response = self._get_next(self.continuation_token)
                     ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/homebrew/Cellar/azure-cli/2.55.0/libexec/lib/python3.11/site-packages/azure/keyvault/keys/_generated/operations/_key_vault_client_operations.py", line 1510, in get_next
    pipeline_response: PipelineResponse = self._client._pipeline.run(  # pylint: disable=protected-access
                                          ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/homebrew/Cellar/azure-cli/2.55.0/libexec/lib/python3.11/site-packages/azure/core/pipeline/_base.py", line 211, in run
    return first_node.send(pipeline_request)  # type: ignore
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/homebrew/Cellar/azure-cli/2.55.0/libexec/lib/python3.11/site-packages/azure/core/pipeline/_base.py", line 71, in send
    response = self.next.send(request)
               ^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/homebrew/Cellar/azure-cli/2.55.0/libexec/lib/python3.11/site-packages/azure/core/pipeline/_base.py", line 71, in send
    response = self.next.send(request)
               ^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/homebrew/Cellar/azure-cli/2.55.0/libexec/lib/python3.11/site-packages/azure/core/pipeline/_base.py", line 71, in send
    response = self.next.send(request)
               ^^^^^^^^^^^^^^^^^^^^^^^
  [Previous line repeated 2 more times]
  File "/opt/homebrew/Cellar/azure-cli/2.55.0/libexec/lib/python3.11/site-packages/azure/core/pipeline/policies/_redirect.py", line 158, in send
    response = self.next.send(request)
               ^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/homebrew/Cellar/azure-cli/2.55.0/libexec/lib/python3.11/site-packages/azure/core/pipeline/policies/_retry.py", line 468, in send
    raise err
  File "/opt/homebrew/Cellar/azure-cli/2.55.0/libexec/lib/python3.11/site-packages/azure/core/pipeline/policies/_retry.py", line 446, in send
    response = self.next.send(request)
               ^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/homebrew/Cellar/azure-cli/2.55.0/libexec/lib/python3.11/site-packages/azure/core/pipeline/policies/_authentication.py", line 118, in send
    response = self.next.send(request)
               ^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/homebrew/Cellar/azure-cli/2.55.0/libexec/lib/python3.11/site-packages/azure/core/pipeline/_base.py", line 71, in send
    response = self.next.send(request)
               ^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/homebrew/Cellar/azure-cli/2.55.0/libexec/lib/python3.11/site-packages/azure/core/pipeline/_base.py", line 71, in send
    response = self.next.send(request)
               ^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/homebrew/Cellar/azure-cli/2.55.0/libexec/lib/python3.11/site-packages/azure/core/pipeline/_base.py", line 71, in send
    response = self.next.send(request)
               ^^^^^^^^^^^^^^^^^^^^^^^
  [Previous line repeated 1 more time]
  File "/opt/homebrew/Cellar/azure-cli/2.55.0/libexec/lib/python3.11/site-packages/azure/core/pipeline/_base.py", line 103, in send
    self._sender.send(request.http_request, **request.context.options),
    ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/homebrew/Cellar/azure-cli/2.55.0/libexec/lib/python3.11/site-packages/azure/core/pipeline/transport/_requests_basic.py", line 361, in send
    raise error
azure.core.exceptions.ServiceRequestError: [SSL: UNEXPECTED_EOF_WHILE_READING] EOF occurred in violation of protocol (_ssl.c:1006)

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/opt/homebrew/Cellar/azure-cli/2.55.0/libexec/lib/python3.11/site-packages/knack/cli.py", line 233, in invoke
    cmd_result = self.invocation.execute(args)
                 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/homebrew/Cellar/azure-cli/2.55.0/libexec/lib/python3.11/site-packages/azure/cli/core/commands/__init__.py", line 663, in execute
    raise ex
  File "/opt/homebrew/Cellar/azure-cli/2.55.0/libexec/lib/python3.11/site-packages/azure/cli/core/commands/__init__.py", line 726, in _run_jobs_serially
    results.append(self._run_job(expanded_arg, cmd_copy))
                   ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/homebrew/Cellar/azure-cli/2.55.0/libexec/lib/python3.11/site-packages/azure/cli/core/commands/__init__.py", line 697, in _run_job
    result = cmd_copy(params)
             ^^^^^^^^^^^^^^^^
  File "/opt/homebrew/Cellar/azure-cli/2.55.0/libexec/lib/python3.11/site-packages/azure/cli/core/commands/__init__.py", line 333, in __call__
    return self.handler(*args, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/homebrew/Cellar/azure-cli/2.55.0/libexec/lib/python3.11/site-packages/azure/cli/command_modules/keyvault/_command_type.py", line 138, in keyvault_command_handler
    return keyvault_exception_handler(self.command_loader, ex)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/homebrew/Cellar/azure-cli/2.55.0/libexec/lib/python3.11/site-packages/azure/cli/command_modules/keyvault/_command_type.py", line 51, in keyvault_exception_handler
    raise CLIError(ex)
knack.util.CLIError: [SSL: UNEXPECTED_EOF_WHILE_READING] EOF occurred in violation of protocol (_ssl.c:1006)

cli.azure.cli.core.azclierror: [SSL: UNEXPECTED_EOF_WHILE_READING] EOF occurred in violation of protocol (_ssl.c:1006)
az_command_data_logger: [SSL: UNEXPECTED_EOF_WHILE_READING] EOF occurred in violation of protocol (_ssl.c:1006)
cli.knack.cli: Event: Cli.PostExecute [<function AzCliLogging.deinit_cmd_metadata_logging at 0x10239d620>]
az_command_data_logger: exit code: 1
cli.__main__: Command ran in 11.352 seconds (init: 1.373, invoke: 9.979)
telemetry.main: Begin splitting cli events and extra events, total events: 1
telemetry.client: Accumulated 0 events. Flush the clients.
telemetry.main: Finish splitting cli events and extra events, cli events: 1
telemetry.save: Save telemetry record of length 3628 in cache
telemetry.main: Begin creating telemetry upload process.
telemetry.process: Creating upload process: "/opt/homebrew/Cellar/azure-cli/2.55.0/libexec/bin/python /opt/homebrew/Cellar/azure-cli/2.55.0/libexec/lib/python3.11/site-packages/azure/cli/telemetry/__init__.py /Users/myusername/.azure"
telemetry.process: Return from creating process
telemetry.main: Finish creating telemetry upload process.

Expected behavior

It should return list of keys.

Environment Summary

az version

{
  "azure-cli": "2.55.0",
  "azure-cli-core": "2.55.0",
  "azure-cli-telemetry": "1.1.0",
  "extensions": {
    "account": "0.2.5"
  }
}

MacOS version: 13.6.3 (22G436)

Additional context

We are using homebrew to install azure cli and we are behind proxy, related CA is added to /opt/homebrew/Cellar/azure-cli/*/libexec/lib/*/site-packages/certifi/cacert.pem regards to doc

[yonzhan]

Thank you for opening this issue, we will look into it.

[evelyn-ys]

Have you run az login successfully?