Azure-cli: Azure CLI on Windows - az login certificate verify failed - in Powershell or CommandLine

Created on 25 Feb 2019  路  6Comments  路  Source: Azure/azure-cli

I've seen plenty of articles around using Azure CLI workarounds in Linux for this issue, but none for Powershell/CommandLine in Windows. For example the "export" var function is not a keyword in Powerhshell / CommandLine.

Describe the bug
Unable to login to Azure (az login) from Windows from within Powershell or CommandLine from behind a proxy.

To Reproduce
Run az login behind a proxy

Expected behavior
Login to Azure

Environment summary
Windows 10
Powershell 5.1.16299.820
Azure CLI 2.0

Additional context
PS L:> az login
Note, we have launched a browser for you to login. For old experience with device code, use "az login --use-device-code"
You have logged in. Now let us find all the subscriptions to which you have access...
Error occurred in request., SSLError: HTTPSConnectionPool(host='management.azure.com', port=443): Max retries exceeded with url: /tenants?api-version=2016-06-01 (Caused by SSLError(SSLError("bad handshake: Error([('SSL routines', 'tls_process_server_certificate', 'certificate verify failed')],)",),))
Traceback (most recent call last):
File "C:\Users\VssAdministrator\AppData\Local\Temp\pip-install-2txkquks\urllib3\urllib3\contrib\pyopenssl.py", line 453, in wrap_socket
File "C:\Users\VssAdministrator\AppData\Local\Temp\pip-install-2txkquks\pyOpenSSL\OpenSSL\SSL.py", line 1915, in do_handshake
File "C:\Users\VssAdministrator\AppData\Local\Temp\pip-install-2txkquks\pyOpenSSL\OpenSSL\SSL.py", line 1647, in _raise_ssl_error
File "C:\Users\VssAdministrator\AppData\Local\Temp\pip-install-2txkquks\pyOpenSSL\OpenSSL_util.py", line 54, in exception_from_error_queue
OpenSSL.SSL.Error: [('SSL routines', 'tls_process_server_certificate', 'certificate verify failed')]

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
File "C:\Users\VssAdministrator\AppData\Local\Temp\pip-install-2txkquks\urllib3\urllib3\connectionpool.py", line 600, in urlopen
File "C:\Users\VssAdministrator\AppData\Local\Temp\pip-install-2txkquks\urllib3\urllib3\connectionpool.py", line 343, in _make_request
File "C:\Users\VssAdministrator\AppData\Local\Temp\pip-install-2txkquks\urllib3\urllib3\connectionpool.py", line 839, in _validate_conn
File "C:\Users\VssAdministrator\AppData\Local\Temp\pip-install-2txkquks\urllib3\urllib3\connection.py", line 344, in connect
File "C:\Users\VssAdministrator\AppData\Local\Temp\pip-install-2txkquks\urllib3\urllib3\util\ssl_.py", line 344, in ssl_wrap_socket
File "C:\Users\VssAdministrator\AppData\Local\Temp\pip-install-2txkquks\urllib3\urllib3\contrib\pyopenssl.py", line 459, in wrap_socket
ssl.SSLError: ("bad handshake: Error([('SSL routines', 'tls_process_server_certificate', 'certificate verify failed')],)",)

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
File "C:\Users\VssAdministrator\AppData\Local\Temp\pip-install-2txkquks\requests\requests\adapters.py", line 449, in send
File "C:\Users\VssAdministrator\AppData\Local\Temp\pip-install-2txkquks\urllib3\urllib3\connectionpool.py", line 667, in urlopen
File "C:\Users\VssAdministrator\AppData\Local\Temp\pip-install-2txkquks\urllib3\urllib3\connectionpool.py", line 667, in urlopen
File "C:\Users\VssAdministrator\AppData\Local\Temp\pip-install-2txkquks\urllib3\urllib3\connectionpool.py", line 667, in urlopen
File "C:\Users\VssAdministrator\AppData\Local\Temp\pip-install-2txkquks\urllib3\urllib3\connectionpool.py", line 638, in urlopen
File "C:\Users\VssAdministrator\AppData\Local\Temp\pip-install-2txkquks\urllib3\urllib3\util\retry.py", line 398, in increment
urllib3.exceptions.MaxRetryError: HTTPSConnectionPool(host='management.azure.com', port=443): Max retries exceeded with url: /tenants?api-version=2016-06-01 (Caused by SSLError(SSLError("bad handshake: Error([('SSL routines', 'tls_process_server_certificate', 'certificate verify failed')],)",),))

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
File "C:\Users\VssAdministrator\AppData\Local\Temp\pip-install-2txkquks\msrest\msrest\universal_http\requests.py", line 137, in send
File "C:\Users\VssAdministrator\AppData\Local\Temp\pip-install-2txkquks\requests\requests\sessions.py", line 533, in request
File "C:\Users\VssAdministrator\AppData\Local\Temp\pip-install-2txkquks\requests\requests\sessions.py", line 646, in send
File "C:\Users\VssAdministrator\AppData\Local\Temp\pip-install-2txkquks\requests\requests\adapters.py", line 514, in send
requests.exceptions.SSLError: HTTPSConnectionPool(host='management.azure.com', port=443): Max retries exceeded with url: /tenants?api-version=2016-06-01 (Caused by SSLError(SSLError("bad handshake: Error([('SSL routines', 'tls_process_server_certificate', 'certificate verify failed')],)",),))

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
File "C:\Users\VssAdministrator\AppData\Local\Temp\pip-install-2txkquks\knack\knack\cli.py", line 206, in invoke
File "C:\Users\VssAdministrator\AppData\Local\Temp\pip-install-2txkquks\azure-cli-core\azure\cli\core\commands__init__.py", line 328, in execute
File "C:\Users\VssAdministrator\AppData\Local\Temp\pip-install-2txkquks\azure-cli-core\azure\cli\core\commands__init__.py", line 386, in _run_jobs_serially
File "C:\Users\VssAdministrator\AppData\Local\Temp\pip-install-2txkquks\azure-cli-core\azure\cli\core\commands__init__.py", line 379, in _run_job
File "C:\Users\VssAdministrator\AppData\Local\Temp\pip-install-2txkquks\six\six.py", line 693, in reraise
File "C:\Users\VssAdministrator\AppData\Local\Temp\pip-install-2txkquks\azure-cli-core\azure\cli\core\commands__init__.py", line 356, in _run_job
File "C:\Users\VssAdministrator\AppData\Local\Temp\pip-install-2txkquks\azure-cli-core\azure\cli\core\commands__init__.py", line 171, in __call__
File "C:\Users\VssAdministrator\AppData\Local\Temp\pip-install-2txkquks\azure-cli-core\azure\cli\core__init__.py", line 448, in default_command_handler
File "C:\Users\VssAdministrator\AppData\Local\Temp\pip-install-2txkquks\azure-cli-profile\azure\cli\command_modules\profile\custom.py", line 133, in login
File "C:\Users\VssAdministrator\AppData\Local\Temp\pip-install-2txkquks\azure-cli-core\azure\cli\core_profile.py", line 187, in find_subscriptions_on_login
File "C:\Users\VssAdministrator\AppData\Local\Temp\pip-install-2txkquks\azure-cli-core\azure\cli\core_profile.py", line 764, in find_through_authorization_code_flow
File "C:\Users\VssAdministrator\AppData\Local\Temp\pip-install-2txkquks\azure-cli-core\azure\cli\core_profile.py", line 808, in _find_using_common_tenant
File "C:\Users\VssAdministrator\AppData\Local\Temp\pip-install-2txkquks\msrest\msrest\paging.py", line 143, in __next__
File "C:\Users\VssAdministrator\AppData\Local\Temp\pip-install-2txkquks\msrest\msrest\paging.py", line 129, in advance_page
File "C:\Users\VssAdministrator\AppData\Local\Temp\pip-install-2txkquks\azure-mgmt-resource\azure\mgmt\resource\subscriptions\v2016_06_01\operations\tenants_operations.py", line 80, in internal_paging
File "C:\Users\VssAdministrator\AppData\Local\Temp\pip-install-2txkquks\msrest\msrest\service_client.py", line 336, in send
File "C:\Users\VssAdministrator\AppData\Local\Temp\pip-install-2txkquks\msrest\msrest\pipeline__init__.py", line 197, in run
File "C:\Users\VssAdministrator\AppData\Local\Temp\pip-install-2txkquks\msrest\msrest\pipeline__init__.py", line 150, in send
File "C:\Users\VssAdministrator\AppData\Local\Temp\pip-install-2txkquks\msrest\msrest\pipeline\requests.py", line 72, in send
File "C:\Users\VssAdministrator\AppData\Local\Temp\pip-install-2txkquks\msrest\msrest\pipeline\requests.py", line 137, in send
File "C:\Users\VssAdministrator\AppData\Local\Temp\pip-install-2txkquks\msrest\msrest\pipeline__init__.py", line 150, in send
File "C:\Users\VssAdministrator\AppData\Local\Temp\pip-install-2txkquks\msrest\msrest\pipeline\requests.py", line 193, in send
File "C:\Users\VssAdministrator\AppData\Local\Temp\pip-install-2txkquks\msrest\msrest\universal_http\requests.py", line 328, in send
File "C:\Users\VssAdministrator\AppData\Local\Temp\pip-install-2txkquks\msrest\msrest\universal_http\requests.py", line 140, in send
File "C:\Users\VssAdministrator\AppData\Local\Temp\pip-install-2txkquks\msrest\msrest\exceptions.py", line 51, in raise_with_traceback
File "C:\Users\VssAdministrator\AppData\Local\Temp\pip-install-2txkquks\msrest\msrest\universal_http\requests.py", line 137, in send
File "C:\Users\VssAdministrator\AppData\Local\Temp\pip-install-2txkquks\requests\requests\sessions.py", line 533, in request
File "C:\Users\VssAdministrator\AppData\Local\Temp\pip-install-2txkquks\requests\requests\sessions.py", line 646, in send
File "C:\Users\VssAdministrator\AppData\Local\Temp\pip-install-2txkquks\requests\requests\adapters.py", line 514, in send
msrest.exceptions.ClientRequestError: Error occurred in request., SSLError: HTTPSConnectionPool(host='management.azure.com', port=443): Max retries exceeded with url: /tenants?api-version=2016-06-01 (Caused by SSLError(SSLError("bad handshake: Error([('SSL routines', 'tls_process_server_certificate', 'certificate verify failed')],)",),))

Account needs-triage
Source
picture neilmcalister

Most helpful comment

Setting environment variable like REQUESTS_CA_BUNDLE or AZURE_CLI_DISABLE_CONNECTION_VERIFICATION are definitely supported in PowerShell. I suggest you try out.

picture yugangw-msft on 6 Mar 2019
👍5

All 6 comments

I would like to add that I can login successfully using the following Powershell command....

Connect-AzureRmAccount -Subscription 'nameofsubscription'

...but I'd need to use Azure Cli for Terraform

neilmcalister picture neilmcalister on 25 Feb 2019
👍1

@englishbobsnr, please checkout our doc for this specific topic. Likely your proxy doesn't have a fully signed certificate.
For context, the reason PowerShell works w/o setting anything is, as part of system component it accesses the Windows cert Store and I guess you have added proxy's certificate to the trust list, but Python which CLI depends on doesn't do this

yugangw-msft picture yugangw-msft on 6 Mar 2019
👎1 👍1

@yugangw-msft Thanks for the reply. I'm not using Azure CLI, I'm using Powershell and invoking az login from within Powershell, so setting those values in that doc don't work.

neilmcalister picture neilmcalister on 6 Mar 2019

Setting environment variable like REQUESTS_CA_BUNDLE or AZURE_CLI_DISABLE_CONNECTION_VERIFICATION are definitely supported in PowerShell. I suggest you try out.

yugangw-msft picture yugangw-msft on 6 Mar 2019
👍5

@englishbobsnr, see this work around from https://github.com/Azure/azure-cli/issues/8734#issuecomment-471954827.

marstr picture marstr on 5 Apr 2019

Because this isn't something actionable by our team, I'm going to close it out.

marstr picture marstr on 5 Apr 2019
Was this page helpful?
0 / 5 - 0 ratings

Related issues

FumiakiNagano picture FumiakiNagano  路  3Comments
derekbekoe picture derekbekoe  路  3Comments
ambakshi picture ambakshi  路  3Comments
troydai picture troydai  路  3Comments
cicorias picture cicorias  路  3Comments