AZ Login fails with SSL intercept for 2.77.0

[dmcrae-fi]

Describe the bug

When in an environment using SSL decryption for outbound traffic, v2.77.0 does not acknowledge the SSL configuration passed in from the cacert.pem file and environment variable being set that all other versions do. There is no updated documentation for a different configuration required for this version. 2.76.0 worked just fine.
Command Name
az login

Errors:

PS Z:\> az login
az : ERROR: HTTPSConnectionPool(host='login.microsoftonline.com', port=443): Max retries exceeded with url: /organizations/v2.0/.well-known/openid-configuration (Caused by 
SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: Missing Authority Key Identifier (_ssl.c:1032)')))
At line:1 char:1
+ az login
+ ~~~~~~~~
    + CategoryInfo          : NotSpecified: (ERROR: HTTPSCon...ssl.c:1032)'))):String) [], RemoteException
    + FullyQualifiedErrorId : NativeCommandError
Certificate verification failed. This typically happens when using Azure CLI behind a proxy that intercepts traffic with a self-signed certificate. Please add this certificate to the 
trusted CA bundle. More info: https://learn.microsoft.com/cli/azure/use-cli-effectively#work-behind-a-proxy.

To Reproduce:

Steps to reproduce the behavior. Note that argument values have been redacted, as they may contain sensitive information.

• Put any pre-requisite steps here...
• Configure cacert.pem with intercept cert, set CA_REQUESTS_BUNDLE environment variable. Worked in all prior installed versions including 2.76.0
• az login

Expected Behavior

Acknowledge the certificate in the ca bundle and continue login operations

Environment Summary

Windows-11-10.0.22631-SP0
Python 3.12.10
Installer: MSI

azure-cli 2.77.0 *

Additional Context

Have attempted 32 and 64 bit on 2.77.0 with same behavior. 2.76.0 works fine, and even down to 2.35.0 worked fine with the documented configuration for an SSL intercept.

[yonzhan]

Thank you for opening this issue, we will look into it.

[github-actions]

Here are some similar issues that might help you. Please check if they can solve your problem.

• Az CLI 2.77.0 ssl issues #32108
• 2.77.0 raises error: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: Missing Authority Key Identifier (_ssl.c:1032) #32083
• azure cli proxy connection issue from windows  #21696
• Setting the AZURE_CLI_DISABLE_CONNECTION_VERIFICATION does not have any effect for SSL verification #9001
• unable to login to AZ  #13032

---

Possible solution (Extracted from existing issue, might be incorrect; please verify carefully)

Solution 1:

Here is a workaround for today:

- task: CmdLine@2
  displayName: "Downgrade Azure CLI to 2.76.0"
  inputs:
    script: |
      # Obtain the currently installed distribution
      AZ_DIST=$(lsb_release -cs)

      # Store an Azure CLI version of choice
      AZ_VER=2.76.0

      # Install a specific version
      sudo apt-get install --allow-downgrades -y azure-cli=${AZ_VER}-1~${AZ_DIST}

Reference:

• Az CLI 2.77.0 ssl issues #32108 (comment)

Solution 2:

Thanks for looking into it. Upon further investigation I've found it's related to Python 3.13 stricter SSL controls. The AKI property is now required within the certificate.

The certificate I was using for an internal CA does not have the AKI property.

This is why the same cert bundle worked with the previous az cli version and with openssl. It appears this is intended behavior from python.

Related issues below:
python/cpython#138193
ansible/ansible#85460
kubernetes-client/python#2394

Reference:

• 2.77.0 raises error: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: Missing Authority Key Identifier (_ssl.c:1032) #32083 (comment)

Solution 3:

Basically, grab the CA cert of the Proxy and update the cert on azure-cli - cacert.pem. Then just update the env. variable with echo REQUESTS_CA_BUNDLE=PATH/CACERT.PEM.

Note: Perform similar steps when you upgrade the cli version. learned that the hard way.

Reference:

• unable to login to AZ  #13032 (comment)

Powered by issue-sentinel

[magodo]

Python3.13 introduces strict SSL verify flags, which breaks Python users that use a proxy to intercept the requests. E.g. given the following simple example:

import requests
# Send a GET request to GitHub
response = requests.get("https://github.com")

It failed to run behind a proxy (even with the REQUESTS_CA_BUNDLE env var specified):

urllib3.exceptions.SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: Missing Authority Key Identifier (_ssl.c:1032)
From the error message, it turns out to be the AKI property of the certificate your proxy was using is missing.

The solution is to update your proxy's certificate to make it strict mode compliant. E.g. for the mitmproxy, since its v10.1.2 release, it has fixed this issue in PR: mitmproxy/mitmproxy#6410.

Based on above, this is a user side issue caused by Python 3.13, rather than an Azure CLI issue.