az login fails with CERTIFICATE_VERIFY_FAILED and I am not behind a proxy
See original GitHub issueThis is autogenerated. Please review and update as needed.
Describe the bug
Fresh install of azure-cli 2.32.0. When I run az login
, I get the following error:
HTTPSConnectionPool(host=‘login.microsoftonline.com’, port=443): Max retries exceeded with url: /organizations/v2.0/.well-known/openid-configuration (Caused by SSLError(SSLCertVerificationError(1, ‘[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1125)’))) az_command_data_logger: HTTPSConnectionPool(host=‘login.microsoftonline.com’, port=443): Max retries exceeded with url: /organizations/v2.0/.well-known/openid-configuration (Caused by SSLError(SSLCertVerificationError(1, ‘[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1125)’))) Certificate verification failed. This typically happens when using Azure CLI behind a proxy that intercepts traffic with a self-signed certificate. Please add this certificate to the trusted CA bundle. More info: https://docs.microsoft.com/cli/azure/use-cli-effectively#work-behind-a-proxy.
No proxy is defined on this system.
This occurs with my local ISP at home, as well as the hotspot on my phone. I get the same error if I call az upgrade
If I run ‘az --version’, I will get the error:
‘Unable to check if your CLI is up-to-date. Check your internet connection.’
I have removed all know python installation on my machine before I installed azure cli.
I will attach a debug file.
I also set the following environment variable, and that did not affect the response:
$Env:AZURE_CLI_DISABLE_CONNECTION_VERIFICATION=1 $Env:ADAL_PYTHON_SSL_NO_VERIFY=1
Command Name
az login
Errors:
HTTPSConnectionPool(host='login.microsoftonline.com', port=443): Max retries exceeded with url: /organizations/v2.0/.well-known/openid-configuration (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1125)')))
To Reproduce:
Steps to reproduce the behavior. Note that argument values have been redacted, as they may contain sensitive information.
- Open Powershell as an Administrator
az login --debug
Expected Behavior
Environment Summary
Windows-10-10.0.19041-SP0
Version 21H1 (OS Build 19043.1415)
Python 3.8.9
Installer: MSI
azure-cli 2.32.0
Additional Context
Issue Analytics
- State:
- Created 2 years ago
- Reactions:2
- Comments:36 (14 by maintainers)
Top GitHub Comments
It seems really silly that Microsoft’s own CLI tool doesn’t use
pip-system-certs
to support reading the certificate store from Windows itself.On a Windows CMD prompt or in PowerShell, run this command:
(you may need to do this as administrator, or change the path depending on how you installed the CLI)
This will install a hook that tells certifi, and thus requests, to use the Windows system certificates.
I tried all of the steps above in this ticket with varied degrees of success, however after running this last command:
"C:\Program Files (x86)\Microsoft SDKs\Azure\CLI2\python.exe" -m pip install pip-system-certs
all is now well and I get the correct response from the command 😃 Thank you @jgentil