azure powershell ubuntu windows-subsystem-for-linux azure-cli

Azure CLI Errors - Certificate Verify Failed


I am unable to run any az commands in the terminal, as I keep getting the following exception:

PS C:\>az upgrade --verbose
This command is under preview and under development. Reference and support levels: https://aka.ms/CLI_refstatus
Failed to get the latest version from 'https://raw.githubusercontent.com/Azure/azure-cli/main/src/azure-cli/setup.py'. HTTPSConnectionPool(host='raw.githubusercontent.com', port=443): Max retries exceeded with url: /Azure/acure-cli/main/src/azure-cli/setup.py (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self-signed certificate in certificate chain (_ssl.c:1006)')))
Failed to get the latest azure-cli version.
Upgrade finished.You can enable auto-upgrade with 'az config set auto-upgrade.enable=yes'. More details in https://docs.microsoft.com/cli/azure/update-azure-cli#automatic-update
Command ran in 1.208 seconds (init: 0.221, invoke: 0.986)

This happens on any terminal I use on my Windows machine, and this error also occurs in the terminal in my WSL Ubuntu instance.

This happens for az upgrade, az login, and az extension commands, amongst others. What can I do?


Solution

  • I discovered that the office network I was on is protected behind a TLS proxy, so most TLS requests have a self-signed certificate injected into the certificate chain for each request.

    If you visit a random site using the Chrome browser (e.g. https://portal.azure.com/) and view the SSL certificate "Issued By", and see that the common name (CN) is something unexpected (e.g. tlsProxy.myNetworkServer01.com), then you can safely assume there is a proxy server somewhere, at least for TLS requests. If you see a normal issuer, maybe try a different random site that likely wouldn't be whitelisted?

    When viewing the certificate in Chrome, go to the Details tab and select the topmost cert in the hierarchy, then select the "Export..." button and save the file as a base64 single certificate.

    Install CA Certificate

    For Windows, right-click the saved certificate and select "Install". It's more secure to store it just for the current user, but you can do the local machine if you want. Install it to the "Trusted Root Certification Authorities" store.

    For Ubuntu (in my case, in WSL), run the following:

    sudo apt-get install -y ca-certificates  # Installs a cert management tool, might already be installed.
    sudo cp /mnt/c/Users/myUser/Desktop/myCertificate.crt /usr/local/share/ca-certificates  # Copies the saved certificate file from its saved location (in this case, the WSL host's C: drive, user's desktop folder) to the Ubuntu system.
    sudo update-ca-certificates  # Installs the copied certificate, will likely show "1 added".
    

    Configure Azure CLI Python

    The Azure CLI uses some Python commands internally, which in turn by default will not make use of trusted system certificates. Also, Azure CLI has its own Python runtime which has its own configuration. You will need to update this Python instance to use a hook that tells the Certifi library to use trusted certificates.

    For Windows, in a terminal, navigate to the installation directory for Azure CLI (default C:\Program Files\Microsoft SDKs\Azure\CLI2\ for 64-bit installs). Execute python.exe here with the command:

    PS C:\Program Files\Microsoft SDKs\Azure\CLI2>./python.exe -m pip install pip-system-certs
    

    You may need to run your terminal as an administrator.

    For Ubuntu (in my case, in WSL), you would do the same. Navigate to the install directory (default /opt/az) and run the following install command using the Python runtime in the bin folder:

    myUser@machineName:~$ /opt/az/bin/python3.11 -m pip install pip-system-certs  # Python version may be different for your scenario.
    

    Restart your terminal session, and try your az command again.
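As an added example (not part of the original answer, and not Azure CLI code): a diagnostic for the situation the answer describes, where the proxy root has been installed into the system store but the bundle that certifi ships does not contain it. It compares SHA-256 fingerprints of the DER form, so line endings and comment lines in the files do not matter; the sample PEM blocks are constructed placeholders rather than real certificates, and the script name check_ca.py is hypothetical.

```python
import base64
import hashlib
import re
import ssl
import sys
from pathlib import Path

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----.+?-----END CERTIFICATE-----", re.S)

def fingerprints(pem_text):
    """SHA-256 of the DER form of every certificate in a PEM file or bundle."""
    return {hashlib.sha256(ssl.PEM_cert_to_DER_cert(block)).hexdigest()
            for block in PEM_RE.findall(pem_text)}

def bundle_trusts(bundle_text, ca_pem_text):
    """True if the one certificate in ca_pem_text also appears in the bundle."""
    wanted = fingerprints(ca_pem_text)
    if len(wanted) != 1:
        raise ValueError("exported file must hold exactly one certificate")
    return wanted <= fingerprints(bundle_text)

def candidate_bundles():
    """Ubuntu's system bundle plus certifi's bundle, when each exists."""
    paths = ["/etc/ssl/certs/ca-certificates.crt"]  # written by update-ca-certificates
    try:
        import certifi  # only importable under an interpreter that has it installed
        paths.append(certifi.where())
    except ImportError:
        pass
    return [p for p in paths if Path(p).is_file()]

def constructed_pem(raw, newline="\n"):
    """Constructed sample: PEM armour around arbitrary bytes, not a real certificate."""
    body = base64.b64encode(raw).decode("ascii")
    return newline.join(["-----BEGIN CERTIFICATE-----", body, "-----END CERTIFICATE-----", ""])

def demo():
    """Constructed data: system bundle has the proxy root, certifi-style bundle does not."""
    proxy_ca = constructed_pem(b"constructed proxy root", "\r\n")  # CRLF endings on purpose
    public_ca = constructed_pem(b"constructed public root")
    system_bundle = public_ca + constructed_pem(b"constructed proxy root")
    certifi_bundle = "# constructed comment line\n" + public_ca
    return bundle_trusts(system_bundle, proxy_ca), bundle_trusts(certifi_bundle, proxy_ca)

if __name__ == "__main__":
    if len(sys.argv) == 2:  # usage: python check_ca.py myCertificate.crt
        ca = Path(sys.argv[1]).read_text(encoding="utf-8", errors="replace")
        for path in candidate_bundles():
            text = Path(path).read_text(encoding="utf-8", errors="replace")
            print("trusted" if bundle_trusts(text, ca) else "MISSING", path)
    else:
        print(demo())
```

Run it with the Azure CLI's own interpreter (the /opt/az/bin/python3.11 path shown above, or python.exe in the Windows install directory) and the exported certificate path, so that certifi.where() resolves to the bundle that runtime carries. The script only reads files and changes no trust store.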