Attempting to login against our local TFS instance which uses a cert signed by an internal/private CA fails. Adding the --debug switch confirms my suspicion that the cert isn't trusted. Is there any way to provide an alternate CA bundle? Or to tell the CLI to accept a specific CA or cert?
urllib3.connectionpool : Retrying (Retry(total=2, connect=3, read=3, redirect=None, status=None)) after connection broken by 'SSLError(SSLError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:748)'),)': /tfs/defaultcollection2/_apis
Thanks for reporting this issue. We will look into providing a fix that will allow you to optionally by pass the cert verification.
@markjgardner There is a safer way to workaround this issue. You can take your servers certificate, and copy it to a Base-64 encoded X.509 file (In windows you would open the certificate, go to details tab, and choose 'copy to file...' button). Then you can set the following environment variable REQUESTS_CA_BUNDLE to the file path of your cert file. Once this is done you will no longer get verification errors. Can you give this a try?
That's exactly what I was looking for, and it works great. Thanks for the follow up.
msrest.exceptions.ClientRequestError: Error occurred in request., SSLError: HTTPSConnectionPool(host='ztest1', port=443): Max retries exceeded with url: /defaultcollection/_git/testinggithooks/vsts/info (Caused by SSLError(SSLError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:748)'),))
ERROR: Error occurred in request., SSLError: HTTPSConnectionPool(host='ztest1', port=443): Max retries exceeded with url: /defaultcollection/_git/testinggithooks/vsts/info (Caused by SSLError(SSLError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:748)'),))
I have the same issue and the proposed solution didn't work for me, any help will be appreciated.
In case of Azure Devops multiple links are used and they have different root certificates.How can I add multiple certificates to REQUESTS_CA_BUNDLE ?
@cage200 you should be able to put each of the certificates in the same file. Append each one. So you'd have something like this:
-----BEGIN CERTIFICATE-----
[base64 cert]
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
[base64 cert]
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
[base64 cert]
-----END CERTIFICATE-----
Add as many as you need.
@davidroberts63 I have tried that , by creating a PEM file but didn't work.