az login fails with CERTIFICATE_VERIFY_FAILED and I am not behind a proxy

This is autogenerated. Please review and update as needed.

Describe the bug

Fresh install of azure-cli 2.32.0. When I run az login, I get the following error:

HTTPSConnectionPool(host=‘login.microsoftonline.com’, port=443): Max retries exceeded with url: /organizations/v2.0/.well-known/openid-configuration (Caused by SSLError(SSLCertVerificationError(1, ‘[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1125)’))) az_command_data_logger: HTTPSConnectionPool(host=‘login.microsoftonline.com’, port=443): Max retries exceeded with url: /organizations/v2.0/.well-known/openid-configuration (Caused by SSLError(SSLCertVerificationError(1, ‘[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1125)’))) Certificate verification failed. This typically happens when using Azure CLI behind a proxy that intercepts traffic with a self-signed certificate. Please add this certificate to the trusted CA bundle. More info: https://docs.microsoft.com/cli/azure/use-cli-effectively#work-behind-a-proxy.

No proxy is defined on this system.

This occurs with my local ISP at home, as well as the hotspot on my phone. I get the same error if I call az upgrade

If I run ‘az --version’, I will get the error:

‘Unable to check if your CLI is up-to-date. Check your internet connection.’

I have removed all know python installation on my machine before I installed azure cli.

I will attach a debug file.

I also set the following environment variable, and that did not affect the response:

$Env:AZURE_CLI_DISABLE_CONNECTION_VERIFICATION=1 $Env:ADAL_PYTHON_SSL_NO_VERIFY=1

Command Name az login

Errors:

HTTPSConnectionPool(host='login.microsoftonline.com', port=443): Max retries exceeded with url: /organizations/v2.0/.well-known/openid-configuration (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1125)')))

To Reproduce:

Steps to reproduce the behavior. Note that argument values have been redacted, as they may contain sensitive information.

Open Powershell as an Administrator
az login --debug

Expected Behavior

Environment Summary

Windows-10-10.0.19041-SP0
Version 21H1 (OS Build 19043.1415)
Python 3.8.9
Installer: MSI

azure-cli 2.32.0

Additional Context

az.login.debug.log

Issue Analytics

State:
Created 2 years ago
Reactions:2
Comments:36 (14 by maintainers)

Top GitHub Comments

3reactions

jgentilcommented, Jul 20, 2022

It seems really silly that Microsoft’s own CLI tool doesn’t use pip-system-certs to support reading the certificate store from Windows itself.

On a Windows CMD prompt or in PowerShell, run this command:

"C:\Program Files (x86)\Microsoft SDKs\Azure\CLI2\python.exe" -m pip install pip-system-certs

(you may need to do this as administrator, or change the path depending on how you installed the CLI)

This will install a hook that tells certifi, and thus requests, to use the Windows system certificates.

2reactions

Joeboyc2commented, Jul 28, 2022

I tried all of the steps above in this ticket with varied degrees of success, however after running this last command: "C:\Program Files (x86)\Microsoft SDKs\Azure\CLI2\python.exe" -m pip install pip-system-certs all is now well and I get the correct response from the command 😃 Thank you @jgentil