Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

az login fails with CERTIFICATE_VERIFY_FAILED and I am not behind a proxy

See original GitHub issue

This is autogenerated. Please review and update as needed.

Describe the bug

Fresh install of azure-cli 2.32.0. When I run az login, I get the following error:

HTTPSConnectionPool(host=‘login.microsoftonline.com’, port=443): Max retries exceeded with url: /organizations/v2.0/.well-known/openid-configuration (Caused by SSLError(SSLCertVerificationError(1, ‘[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1125)’))) az_command_data_logger: HTTPSConnectionPool(host=‘login.microsoftonline.com’, port=443): Max retries exceeded with url: /organizations/v2.0/.well-known/openid-configuration (Caused by SSLError(SSLCertVerificationError(1, ‘[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1125)’))) Certificate verification failed. This typically happens when using Azure CLI behind a proxy that intercepts traffic with a self-signed certificate. Please add this certificate to the trusted CA bundle. More info: https://docs.microsoft.com/cli/azure/use-cli-effectively#work-behind-a-proxy.

No proxy is defined on this system.

This occurs with my local ISP at home, as well as the hotspot on my phone. I get the same error if I call az upgrade

If I run ‘az --version’, I will get the error:

‘Unable to check if your CLI is up-to-date. Check your internet connection.’

I have removed all know python installation on my machine before I installed azure cli.

I will attach a debug file.

I also set the following environment variable, and that did not affect the response:

$Env:AZURE_CLI_DISABLE_CONNECTION_VERIFICATION=1 $Env:ADAL_PYTHON_SSL_NO_VERIFY=1

Command Name az login

Errors:

HTTPSConnectionPool(host='login.microsoftonline.com', port=443): Max retries exceeded with url: /organizations/v2.0/.well-known/openid-configuration (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1125)')))

To Reproduce:

Steps to reproduce the behavior. Note that argument values have been redacted, as they may contain sensitive information.

Open Powershell as an Administrator
az login --debug

Expected Behavior

Environment Summary

Windows-10-10.0.19041-SP0
Version 21H1 (OS Build 19043.1415)
Python 3.8.9
Installer: MSI

azure-cli 2.32.0

Additional Context

az.login.debug.log

Issue Analytics

State:
Created 2 years ago
Reactions:2
Comments:36 (14 by maintainers)

Top GitHub Comments

3reactions

jgentilcommented, Jul 20, 2022

It seems really silly that Microsoft’s own CLI tool doesn’t use pip-system-certs to support reading the certificate store from Windows itself.

On a Windows CMD prompt or in PowerShell, run this command:

"C:\Program Files (x86)\Microsoft SDKs\Azure\CLI2\python.exe" -m pip install pip-system-certs

(you may need to do this as administrator, or change the path depending on how you installed the CLI)

This will install a hook that tells certifi, and thus requests, to use the Windows system certificates.

2reactions

Joeboyc2commented, Jul 28, 2022

I tried all of the steps above in this ticket with varied degrees of success, however after running this last command: "C:\Program Files (x86)\Microsoft SDKs\Azure\CLI2\python.exe" -m pip install pip-system-certs all is now well and I get the correct response from the command 😃 Thank you @jgentil