Az login fails: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:997) #23063

Closed
TeamDman opened this issue Jun 29, 2022 · 6 comments
@TeamDman
Contributor

TeamDman commented Jun 29, 2022

This is autogenerated. Please review and update as needed.

Describe the bug

Command Name
az login

Errors:

[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:997)

urllib3.connectionpool: Starting new HTTPS connection (2): management.azure.com:443
cli.azure.cli.core.sdk.policies: Request URL: 'https://management.azure.com/tenants?api-version=2019-11-01'
cli.azure.cli.core.sdk.policies: Request method: 'GET'
cli.azure.cli.core.sdk.policies: Request headers:
cli.azure.cli.core.sdk.policies:     'Accept': 'application/json'
cli.azure.cli.core.sdk.policies:     'x-ms-client-request-id': 'redacted'
cli.azure.cli.core.sdk.policies:     'CommandName': 'login'
cli.azure.cli.core.sdk.policies:     'ParameterSetName': '--use-device-code --debug'
cli.azure.cli.core.sdk.policies:     'User-Agent': 'AZURECLI/2.37.0 (DEB) azsdk-python-azure-mgmt-resource/21.1.0b1 Python/3.10.4 (Linux-5.13.0-1031-azure-x86_64-with-glibc2.31)'
cli.azure.cli.core.sdk.policies:     'Authorization': '*****'
cli.azure.cli.core.sdk.policies: Request body:
cli.azure.cli.core.sdk.policies: This request has no body
urllib3.connectionpool: Starting new HTTPS connection (3): management.azure.com:443
cli.azure.cli.core.sdk.policies: Request URL: 'https://management.azure.com/tenants?api-version=2019-11-01'
cli.azure.cli.core.sdk.policies: Request method: 'GET'
cli.azure.cli.core.sdk.policies: Request headers:
cli.azure.cli.core.sdk.policies:     'Accept': 'application/json'
cli.azure.cli.core.sdk.policies:     'x-ms-client-request-id': 'redacted'
cli.azure.cli.core.sdk.policies:     'CommandName': 'login'
cli.azure.cli.core.sdk.policies:     'ParameterSetName': '--use-device-code --debug'
cli.azure.cli.core.sdk.policies:     'User-Agent': 'AZURECLI/2.37.0 (DEB) azsdk-python-azure-mgmt-resource/21.1.0b1 Python/3.10.4 (Linux-5.13.0-1031-azure-x86_64-with-glibc2.31)'
cli.azure.cli.core.sdk.policies:     'Authorization': '*****'
cli.azure.cli.core.sdk.policies: Request body:
cli.azure.cli.core.sdk.policies: This request has no body
urllib3.connectionpool: Starting new HTTPS connection (4): management.azure.com:443
cli.azure.cli.core.util: azure.cli.core.util.handle_exception is called with an exception:
cli.azure.cli.core.util: Traceback (most recent call last):
  File "/opt/az/lib/python3.10/site-packages/knack/cli.py", line 231, in invoke
    cmd_result = self.invocation.execute(args)
  File "/opt/az/lib/python3.10/site-packages/azure/cli/core/commands/__init__.py", line 663, in execute
    raise ex
  File "/opt/az/lib/python3.10/site-packages/azure/cli/core/commands/__init__.py", line 726, in _run_jobs_serially
    results.append(self._run_job(expanded_arg, cmd_copy))
  File "/opt/az/lib/python3.10/site-packages/azure/cli/core/commands/__init__.py", line 697, in _run_job
    result = cmd_copy(params)
  File "/opt/az/lib/python3.10/site-packages/azure/cli/core/commands/__init__.py", line 333, in __call__
    return self.handler(*args, **kwargs)
  File "/opt/az/lib/python3.10/site-packages/azure/cli/core/commands/command_operation.py", line 121, in handler
    return op(**command_args)
  File "/opt/az/lib/python3.10/site-packages/azure/cli/command_modules/profile/custom.py", line 139, in login
    subscriptions = profile.login(
  File "/opt/az/lib/python3.10/site-packages/azure/cli/core/_profile.py", line 176, in login
    subscriptions = subscription_finder.find_using_common_tenant(username, credential)
  File "/opt/az/lib/python3.10/site-packages/azure/cli/core/_profile.py", line 729, in find_using_common_tenant
    for t in tenants:
  File "/opt/az/lib/python3.10/site-packages/azure/core/paging.py", line 129, in __next__
    return next(self._page_iterator)
  File "/opt/az/lib/python3.10/site-packages/azure/core/paging.py", line 76, in __next__
    self._response = self._get_next(self.continuation_token)
  File "/opt/az/lib/python3.10/site-packages/azure/mgmt/resource/subscriptions/v2019_11_01/operations/_operations.py", line 689, in get_next
    pipeline_response = self._client._pipeline.run(  # pylint: disable=protected-access
  File "/opt/az/lib/python3.10/site-packages/azure/core/pipeline/_base.py", line 211, in run
    return first_node.send(pipeline_request)  # type: ignore
  File "/opt/az/lib/python3.10/site-packages/azure/core/pipeline/_base.py", line 71, in send
    response = self.next.send(request)
  File "/opt/az/lib/python3.10/site-packages/azure/core/pipeline/_base.py", line 71, in send
    response = self.next.send(request)
  File "/opt/az/lib/python3.10/site-packages/azure/core/pipeline/_base.py", line 71, in send
    response = self.next.send(request)
  [Previous line repeated 2 more times]
  File "/opt/az/lib/python3.10/site-packages/azure/mgmt/core/policies/_base.py", line 47, in send
    response = self.next.send(request)
  File "/opt/az/lib/python3.10/site-packages/azure/core/pipeline/policies/_redirect.py", line 158, in send
    response = self.next.send(request)
  File "/opt/az/lib/python3.10/site-packages/azure/core/pipeline/policies/_retry.py", line 467, in send
    raise err
  File "/opt/az/lib/python3.10/site-packages/azure/core/pipeline/policies/_retry.py", line 445, in send
    response = self.next.send(request)
  File "/opt/az/lib/python3.10/site-packages/azure/core/pipeline/policies/_authentication.py", line 119, in send
    response = self.next.send(request)
  File "/opt/az/lib/python3.10/site-packages/azure/core/pipeline/_base.py", line 71, in send
    response = self.next.send(request)
  File "/opt/az/lib/python3.10/site-packages/azure/core/pipeline/_base.py", line 71, in send
    response = self.next.send(request)
  File "/opt/az/lib/python3.10/site-packages/azure/core/pipeline/_base.py", line 71, in send
    response = self.next.send(request)
  [Previous line repeated 1 more time]
  File "/opt/az/lib/python3.10/site-packages/azure/core/pipeline/_base.py", line 103, in send
    self._sender.send(request.http_request, **request.context.options),
  File "/opt/az/lib/python3.10/site-packages/azure/core/pipeline/transport/_requests_basic.py", line 361, in send
    raise error
azure.core.exceptions.ServiceRequestError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:997)

cli.azure.cli.core.azclierror: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:997)
az_command_data_logger: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:997)
cli.knack.cli: Event: Cli.PostExecute [<function AzCliLogging.deinit_cmd_metadata_logging at 0x7f45e711b6d0>]
az_command_data_logger: exit code: 1
cli.__main__: Command ran in 43.393 seconds (init: 0.272, invoke: 43.121)
telemetry.save: Save telemetry record of length 2999 in cache
telemetry.check: Positive: The /home/myuser/.azure/telemetry.txt does not exist.
telemetry.main: Begin creating telemetry upload process.
telemetry.process: Creating upload process: "/usr/bin/../../opt/az/bin/python3 /opt/az/lib/python3.10/site-packages/azure/cli/telemetry/__init__.py /home/myuser/.azure"
telemetry.process: Return from creating process
telemetry.main: Finish creating telemetry upload process.

To Reproduce:

Steps to reproduce the behavior. Note that argument values have been redacted, as they may contain sensitive information.

  • Put any pre-requisite steps here...
  • az login --use-device-code --debug

Expected Behavior

Environment Summary

Linux-5.13.0-1031-azure-x86_64-with-glibc2.31, Ubuntu 20.04.4 LTS
Python 3.10.4
Installer: DEB

azure-cli 2.37.0

Additional Context

Seems to have manifested after trying to update from the wrong package, following this

  • sudo apt remove azure-cli -y && sudo apt autoremove -y

Tried some fixes, none helped.

@ghost ghost assigned jiasli Jun 29, 2022
@TeamDman
Contributor Author

Downgrading allowed me to log in again.

cat /var/log/apt/history.log # find the version I uninstalled :P
apt-cache policy azure-cli # list versions available for install
sudo apt-get install azure-cli=2.0.81+ds-4ubuntu0.2

Upgrading caused it to fail again, but with a more verbose error

sudo apt-get install azure-cli=2.6.0-1~focal
az login --use-device-code

To sign in, use a web browser to open the page https://microsoft.com/devicelogin and enter the code BEANS to authenticate.
request failed: Certificate verification failed. This typically happens when using Azure CLI behind a proxy that intercepts traffic with a self-signed certificate. Please add this certificate to the trusted CA bundle: https://github.com/Azure/azure-cli/blob/dev/doc/use_cli_effectively.md#work-behind-a-proxy. Error detail: Error occurred in request., SSLError: HTTPSConnectionPool(host='management.azure.com', port=443): Max retries exceeded with url: /tenants?api-version=2019-06-01 (Caused by SSLError(SSLError("bad handshake: Error([('SSL routines', 'tls_process_server_certificate', 'certificate verify failed')],)",),))

Will investigate my proxy situation

@TeamDman
Contributor Author

TeamDman commented Jun 29, 2022

Login works on new version if done using

AZURE_CLI_DISABLE_CONNECTION_VERIFICATION=1 az login --use-device

Obviously this is not a healthy approach, but I'll take it over things just not working entirely since I have no idea how our work proxy is doing things or if we even have a work proxy running on the vm I'm on.

@yonzhan
Collaborator

yonzhan commented Jun 30, 2022

@jiasli for awareness

@jiasli
Member

jiasli commented Jun 30, 2022

AZURE_CLI_DISABLE_CONNECTION_VERIFICATION is not supported by all commands and we deliberately removed it from the doc. The recommended approach is still to follow https://docs.microsoft.com/en-us/cli/azure/use-cli-effectively#work-behind-a-proxy and add the root CA of the proxy to your CA bundle.

There is one weird thing - with a proxy, Azure CLI fails at the authentication step connecting to https://login.microsoftonline.com/:

> az login --use-device-code
HTTPSConnectionPool(host='login.microsoftonline.com', port=443): Max retries exceeded with url: /organizations/v2.0/.well-known/openid-configuration (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:997)')))
Certificate verification failed. This typically happens when using Azure CLI behind a proxy that intercepts traffic with a self-signed certificate. Please add this certificate to the trusted CA bundle. More info: https://docs.microsoft.com/cli/azure/use-cli-effectively#work-behind-a-proxy.

but in your log, it fails while connecting to https://management.azure.com/. Is it because your proxy only intercepts traffic to https://management.azure.com/?
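To answer the "which host fails?" question from captured output, the following is an added example (not part of the thread and not Azure CLI code) that maps each certificate-verification failure in `az ... --debug` output to a host. The function names and the sample text are constructed for illustration; the sample lines are shaped like the errors quoted in this issue.

```python
import re
from collections import defaultdict

# Constructed sample, shaped like the az output quoted in this issue.
SAMPLE = """\
urllib3.connectionpool: Starting new HTTPS connection (4): management.azure.com:443
azure.core.exceptions.ServiceRequestError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:997)
HTTPSConnectionPool(host='login.microsoftonline.com', port=443): Max retries exceeded with url: /organizations/v2.0/.well-known/openid-configuration (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:997)')))
SSLError: HTTPSConnectionPool(host='management.azure.com', port=443): Max retries exceeded with url: /tenants?api-version=2019-06-01 (Caused by SSLError(SSLError("bad handshake: Error([('SSL routines', 'tls_process_server_certificate', 'certificate verify failed')],)",),))
urllib3.connectionpool: Starting new HTTPS connection (1): example.invalid:443
"""

CONNECT = re.compile(r"Starting new HTTPS connection \(\d+\): ([^\s:]+):\d+")
POOL = re.compile(r"HTTPSConnectionPool\(host='([^']+)'")
# The reason text is optional: the older pyOpenSSL-style message carries none.
VERIFY = re.compile(r"certificate verify failed(?:: ([^()']+?) \(_ssl\.c:\d+\))?")


def failed_hosts(log_text):
    """Map each host to the set of verification-failure reasons seen for it."""
    failures = defaultdict(set)
    last_host = None
    for line in log_text.splitlines():
        connect = CONNECT.search(line)
        if connect:
            last_host = connect.group(1)  # later bare errors belong to this host
            continue
        verify = VERIFY.search(line)
        if not verify:
            continue
        pool = POOL.search(line)
        host = pool.group(1) if pool else (last_host or "unknown")
        failures[host].add(verify.group(1) or "unspecified")
    return dict(failures)


def triage(log_text, expected=("login.microsoftonline.com", "management.azure.com")):
    """Per endpoint: sorted failure reasons; an empty list means none was logged.

    az stops at the first failure, so an empty list means the host either
    verified or was never reached in that run.
    """
    failures = failed_hosts(log_text)
    return {host: sorted(failures.get(host, ())) for host in expected}


if __name__ == "__main__":
    for host, reasons in triage(SAMPLE).items():
        print(host, "->", reasons or "no verification failure logged")
```

A reason of "unable to get local issuer certificate" means the issuer of the presented chain is missing from the CA bundle Python is using, which fits both an intercepting proxy and a bundle that changed with the package install.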

@TeamDman
Contributor Author

I think there might be some traffic inspection going on at a firewall somewhere before it reaches the machine, but I doubt it's only applying to management.azure.

@jiasli
Member

jiasli commented Aug 25, 2022

Duplicate of #19571

@jiasli jiasli marked this as a duplicate of #19571 Aug 25, 2022
@jiasli jiasli closed this as completed Aug 25, 2022