az extension add --name azure-devops failing with SSL error
az feedback auto-generates most of the information requested below, as of CLI version 2.0.62
Describe the bug
Unable to install az cli extensions
To Reproduce
az extension add --name azure-devops
Errors:
Unable to get extension index.
Please ensure you have network connection. Error detail: HTTPSConnectionPool(host='azcliextensionsync.blob.core.windows.net', port=443): Max retries exceeded with url: /index1/index.json (Caused by SSLError(SSLError("bad handshake: Error([('SSL routines', 'tls_process_server_certificate', 'certificate verify failed')])")))
Expected behavior
Able to install az cli extensions
Environment summary
Shell Type: zsh
OS Version: macOS Catalina 10.15.7
Installer: HOMEBREW
$ az --version
azure-cli 2.22.1
core 2.22.1
telemetry 1.0.6
Extensions:
interactive 0.4.3
Python location '/usr/local/Cellar/azure-cli/2.22.1/libexec/bin/python'
Extensions directory '/Users/gl741q/.azure/cliextensions'
Python (Darwin) 3.8.9 (default, Apr 3 2021, 01:50:09)
[Clang 12.0.0 (clang-1200.0.32.29)]
Legal docs and information: aka.ms/AzureCliLegal
Additional context
I am working from behind my company’s proxy. They are inserting their own self-signed cert to decrypt our traffic for inspection. I have a copy of this certificate on my computer.
I have followed the instructions here: https://docs.microsoft.com/en-us/cli/azure/use-cli-effectively#work-behind-a-proxy
I have exported my company’s internal certificate location on my laptop: REQUESTS_CA_BUNDLE=$HOME/certs/internal.pem
Other az commands work just fine like az login or az group list. So far I am only having issues with az extension add.
@georgejdli
My company sort of fixed it for me (but I have found some workaround as well) - by skipping SSL verification on aka.ms, so now it works for me without a private cert (but I had issues with installing the stream-analytics package).
I think the problem you are facing is the fact that your company is bypassing some of the SSL verifications, but not all. It seems the installation of extensions follows this process:
For me the problem was that everything under *.windows.net skipped SSL verification, but aka.ms didn’t. The problem is that if you skip SSL verification but still apply the self-signed one, it will fail (at least this is my understanding).
You can try a direct download call to download the extension by doing the following steps:
That should hopefully work for you. If github.com is exempt from SSL verification, you shouldn’t provide the self-signed certificate path under the ENV variable, as it is actually going to break it.
@akomisarek’s comment is correct. Thanks!
It’s very likely that your company skipped SSL/TLS verification for some domains, like .windows.net.
An easier solution would be to append standard Python root CAs to your pem file:
You may get it from https://github.com/certifi/python-certifi/blob/master/certifi/cacert.pem
Then Azure CLI will use both your internal certificate and Python’s public certificate. This is mentioned at https://docs.microsoft.com/en-us/cli/azure/use-cli-effectively#work-behind-a-proxy
You may test the connectivity to a domain using
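
Added example (not part of the thread and not Azure CLI code): a POSIX shell helper for the bundle-merging step suggested in the comment above, combining the internal certificate with certifi's cacert.pem into one file for REQUESTS_CA_BUNDLE. The function names and the combined.pem output path are assumptions; the demo runs on constructed placeholder blocks, not real certificates.

```shell
#!/bin/sh
# Added example: merge a corporate (TLS-inspection) root CA with a public CA
# bundle so a single REQUESTS_CA_BUNDLE covers intercepted and exempt hosts.

# count_lines FILE PATTERN -> prints how many lines of FILE match PATTERN
count_lines() { grep -c -e "$2" "$1" || true; }

# merge_ca_bundle OUT IN... -> writes OUT; non-zero status on bad input
merge_ca_bundle() {
    out=$1; shift
    tmp="$out.tmp.$$"
    : > "$tmp" || return 1
    for f in "$@"; do
        if [ ! -r "$f" ] ||
           [ "$(count_lines "$f" '-----BEGIN CERTIFICATE-----')" -eq 0 ]; then
            echo "merge_ca_bundle: no PEM certificate in $f" >&2
            rm -f "$tmp"; return 1
        fi
        # Strip CRs and force a trailing newline. A plain `cat a b` glues
        # "-----END CERTIFICATE-----" to the next BEGIN line when a file has
        # no final newline, and the resulting bundle fails to parse.
        tr -d '\r' < "$f" | awk '{ print }' >> "$tmp"
    done
    begins=$(count_lines "$tmp" '^-----BEGIN CERTIFICATE-----$')
    ends=$(count_lines "$tmp" '^-----END CERTIFICATE-----$')
    if [ "$begins" -ne "$ends" ]; then
        echo "merge_ca_bundle: unbalanced PEM markers" >&2
        rm -f "$tmp"; return 1
    fi
    mv "$tmp" "$out"
}

# Demo on constructed placeholder blocks (not real certificates). The first
# file deliberately lacks a trailing newline; the second uses CRLF endings.
# Prints the number of certificate blocks in the merged bundle.
demo_merge() {
    d=$(mktemp -d) || return 1
    b='-----BEGIN CERTIFICATE-----'; e='-----END CERTIFICATE-----'
    printf '%s\n%s\n%s' "$b" 'Q09SUA==' "$e" > "$d/internal.pem"
    printf '%s\r\n%s\r\n%s\r\n' "$b" 'UFVCTElD' "$e" > "$d/public.pem"
    merge_ca_bundle "$d/combined.pem" "$d/internal.pem" "$d/public.pem" &&
        count_lines "$d/combined.pem" '^-----BEGIN CERTIFICATE-----$'
    rm -rf "$d"
}

# Usage (combined.pem is an assumed output path; cacert.pem is certifi's file):
#   merge_ca_bundle "$HOME/certs/combined.pem" "$HOME/certs/internal.pem" cacert.pem
#   export REQUESTS_CA_BUNDLE="$HOME/certs/combined.pem"
```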