Azure-cli: az aks install-cli "certificate verify failed"
Not sure if this is the right place for this but I'm trying to install the Kubernetes cli tools in the Azure portal cloud-cli and am getting a certificate verify failed error
`PS Azure:> az aks install-cli
File "C:\Program Files (x86)\Microsoft SDKs\Azure\CLI2\lib\urllib\request.py", line 1318, in do_open
encode_chunked=req.has_header('Transfer-encoding'))
File "C:\Program Files (x86)\Microsoft SDKs\Azure\CLI2\lib\http\client.py", line 1239, in request
self._send_request(method, url, body, headers, encode_chunked)
File "C:\Program Files (x86)\Microsoft SDKs\Azure\CLI2\lib\http\client.py", line 1285, in _send_request
self.endheaders(body, encode_chunked=encode_chunked)
File "C:\Program Files (x86)\Microsoft SDKs\Azure\CLI2\lib\http\client.py", line 1234, in endheaders
self._send_output(message_body, encode_chunked=encode_chunked)
File "C:\Program Files (x86)\Microsoft SDKs\Azure\CLI2\lib\http\client.py", line 1026, in _send_output
self.send(msg)
File "C:\Program Files (x86)\Microsoft SDKs\Azure\CLI2\lib\http\client.py", line 964, in send
self.connect()
File "C:\Program Files (x86)\Microsoft SDKs\Azure\CLI2\lib\http\client.py", line 1400, in connect
server_hostname=server_hostname)
File "C:\Program Files (x86)\Microsoft SDKs\Azure\CLI2\lib\ssl.py", line 401, in wrap_socket
_context=self, _session=session)
File "C:\Program Files (x86)\Microsoft SDKs\Azure\CLI2\lib\ssl.py", line 808, in __init__
self.do_handshake()
File "C:\Program Files (x86)\Microsoft SDKs\Azure\CLI2\lib\ssl.py", line 1061, in do_handshake
self._sslobj.do_handshake()
File "C:\Program Files (x86)\Microsoft SDKs\Azure\CLI2\lib\ssl.py", line 683, in do_handshake
self._sslobj.do_handshake()
ssl.SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:749)
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
File "C:\Program Files (x86)\Microsoft SDKs\Azure\CLI2\lib\site-packages\azure\cli\main.py", line 36, in main
cmd_result = APPLICATION.execute(args)
File "C:\Program Files (x86)\Microsoft SDKs\Azure\CLI2\lib\site-packages\azure\cli\core\application.py", line 216, in execute
result = expanded_arg.func(params)
File "C:\Program Files (x86)\Microsoft SDKs\Azure\CLI2\lib\site-packages\azure\cli\core\commands__init__.py", line 381, in __call__
return self.handler(args, kwargs)
File "C:\Program Files (x86)\Microsoft SDKs\Azure\CLI2\lib\site-packages\azure\cli\core\commands__init__.py", line 630, in _execute_command
reraise(sys.exc_info())
File "C:\Program Files (x86)\Microsoft SDKs\Azure\CLI2\lib\site-packages\six.py", line 693, in reraise
raise value
File "C:\Program Files (x86)\Microsoft SDKs\Azure\CLI2\lib\site-packages\azure\cli\core\commands__init__.py", line 612, in _execute_command
result = op(client, *kwargs) if client else op(kwargs)
File "C:\Program Files (x86)\Microsoft SDKs\Azure\CLI2\lib\site-packages\azure\cli\command_modules\acs\custom.py", line 286, in k8s_install_cli
context=context).read()
File "C:\Program Files (x86)\Microsoft SDKs\Azure\CLI2\lib\urllib\request.py", line 223, in urlopen
return opener.open(url, data, timeout)
File "C:\Program Files (x86)\Microsoft SDKs\Azure\CLI2\lib\urllib\request.py", line 526, in open
response = self._open(req, data)
File "C:\Program Files (x86)\Microsoft SDKs\Azure\CLI2\lib\urllib\request.py", line 544, in _open
'_open', req)
File "C:\Program Files (x86)\Microsoft SDKs\Azure\CLI2\lib\urllib\request.py", line 504, in _call_chain
result = func(args)
File "C:\Program Files (x86)\Microsoft SDKs\Azure\CLI2\lib\urllib\request.py", line 1361, in https_open
context=self._context, check_hostname=self._check_hostname)
File "C:\Program Files (x86)\Microsoft SDKs\Azure\CLI2\lib\urllib\request.py", line 1320, in do_open
raise URLError(err)
urllib.error.URLError:
gcyre
All 12 comments
I verified that this works fine in a Linux bash Cloud Shell, but fails as described in the Windows PowerShell version. Maybe related to #4251.
mboersma
on 17 Jan 2018
I built the Windows CLI binary locally and couldn't reproduce this error. Since it works on Windows 10, I think it's a missing cert chain or other base software in the Windows Cloud Shell environment:
PS Azure:\> python -c "import urllib; urllib.urlopen('https://storage.googleapis.com/kubernetes-release/release/v1.9.1/bin/linux/amd64/kubectl')"
Traceback (most recent call last):
File "<string>", line 1, in <module>
File "C:\Python\lib\urllib.py", line 87, in urlopen
return opener.open(url)
File "C:\Python\lib\urllib.py", line 213, in open
return getattr(self, name)(url)
File "C:\Python\lib\urllib.py", line 443, in open_https
h.endheaders(data)
File "C:\Python\lib\httplib.py", line 1038, in endheaders
self._send_output(message_body)
File "C:\Python\lib\httplib.py", line 882, in _send_output
self.send(msg)
File "C:\Python\lib\httplib.py", line 844, in send
self.connect()
File "C:\Python\lib\httplib.py", line 1263, in connect
server_hostname=server_hostname)
File "C:\Python\lib\ssl.py", line 363, in wrap_socket
_context=self)
File "C:\Python\lib\ssl.py", line 611, in __init__
self.do_handshake()
File "C:\Python\lib\ssl.py", line 840, in do_handshake
self._sslobj.do_handshake()
IOError: [Errno socket error] [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:661)
Azure:\
This is still an issue with az 2.0.27.
mboersma
on 15 Feb 2018
Interestingly, using PowerShell's curl cmdlet and invoking python's urllib directly don't show this bug. So it may be specific to the packaging of az for Windows Cloud Shell.
python -c "import urllib; print urllib.urlopen('https://storage.googleapis.com/kubernetes-release/release/v1.9.2/bin/windows/amd64/kubectl.exe').read()"curl https://storage.googleapis.com/kubernetes-release/release/v1.9.2/bin/windows/amd64/kubectl.exe -UseBasicParsing
Also, az acs dcos install-cli has the same bug, which isn't surprising since it has a similar implementation.
mboersma
on 16 Feb 2018
Also verified that this bug doesn't occur when using az 2.0.27 installed from the .MSI package on Windows 10. Just Cloud Shell / PS as far as I can tell.
mboersma
on 16 Feb 2018
Same error here when using powershell. Doesn't occur with bash shell but I'm getting this error with bash:
Connection error while attempting to download client ([Errno 13] Permission denied: '/usr/local/bin/kubectl')
Maybe this is not related to this issue.
marvinpuethe
on 19 Feb 2018
@marvinpuethe that's a different error actually. You got past the SSL: CERTIFICATE_VERIFY_FAILED error but ran into a filesystem permissions problem.
It's difficult to know much about users, groups, filesystem permissions and the search PATH on Linux, so az takes a hands-off approach by trying to write to the common /usr/local/bin location. In this case, your user didn't have permissions to write there, which isn't uncommon.
As a workaround, either run the command with sudo to give yourself the necessary permissions, or download the file to a writeable location and then move it into your search PATH:
sudo az aks install-cli # or
az aks install-cli --install-location=./kubectl && sudo mv kubectl /usr/local/bin/kubectl
On windows, set SSL version to TLSv1 to solve the issue:
python -c "import ssl; import urllib; context = ssl.SSLContext(ssl.PROTOCOL_TLSv1); urllib.urlopen('https://storage.googleapis.com/kubernetes-release/release/v1.9.1/bin/linux/amd64/kubectl', context=context)"
raghushantha
on 14 Mar 2018
Facing the same issue on Mac when running az aks install-cli, using v2.0.38
miaojiang
on 23 Jun 2018
Just like 'miaojiang' wrote I am too .. "Facing the same issue on Mac when running az aks install-cli, using v2.0.38"
ReveelTeam
on 26 Jun 2018
mattwoolnough
on 11 Aug 2018
I'm seeing this on Mac as well using
azure-cli 2.0.58
Ironically I was trying to go through the Azure Kubernetes workshop... Please advise. Also Please do not close issues if there are not actually fixed!! Thank you.
kristianjaeger
on 15 Feb 2019
Related issues
idkjs
路
3Comments
PrHar
路
3Comments
derekperkins
路
3Comments
troydai
路
3Comments
derekbekoe
路
3Comments
Most helpful comment
Facing the same issue on Mac when running az aks install-cli, using v2.0.38