Az CLI Login SSL: CERTIFICATE_VERIFY_FAILED

Just wanted to do a quick post, as I was having an issue connecting with the Az CLI. When connecting, it was failing to validate the login.microsoftonline.com certificate.

I was getting the below verification error.

HTTPSConnectionPool(host='login.microsoftonline.com', port=443): Max retries exceeded with url: /organizations/v2.0/.well-known/openid-configuration (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self signed certificate in certificate chain (_ssl.c:997)')))

The issue looked to be caused by the SSL inspection being done on the firewall. To check which cert the firewall was presenting, I opened developer mode in Edge with F12; once in developer mode, go to Security and view the certificate.

There were a few different recommendations online to set environment variables and run Python commands, but none of these fixed the issue for me. They were all related to connection requests going through a proxy, but in this case I wasn’t using a proxy.

https://github.com/Azure/azure-cli/issues/8632

I found this GitHub issue page

https://github.com/Azure/azure-cli/issues/20921

I tried the Python command to use the local system cert store, but this didn’t work. Someone said to try adding the cert file content to the cacert.pem file in the Microsoft SDK, so I added it manually to cacert.pem.

The steps below fixed the issue for me.

  1. Using the MMC console, export the root cert used for the SSL inspection from my local cert store as Base-64 encoded
  2. Use OpenSSL to view the cert content; I used "openssl x509 -in 'Firewall_Root_Cert.cer' -text" (Notepad can also open it, but that doesn’t show the issuer or subject details)
  3. Go to C:\Program Files (x86)\Microsoft SDKs\Azure\CLI2\Lib\site-packages\certifi\cacert.pem
  4. Open it using Notepad++ or Notepad and add the cert content to the bottom, after the last cert

Below is the updated cacert.pem file.

Once I added the root cert content, I was then able to connect without issue.
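As an added example (not part of the original post), a short Python script that does steps 3 and 4 without hand-editing: it appends the exported root to the Az CLI's certifi bundle only if its SHA-256 fingerprint is not already there, records the fingerprint beside it in the same "# ..." metadata style certifi uses so it can be checked against what Edge showed, and refuses to run while REQUESTS_CA_BUNDLE is set, since that variable replaces cacert.pem rather than adding to it (the gotcha raised in the comments). The bundle path is the one from the post; the script name and the "Added:" comment wording are assumptions.

```python
import base64, hashlib, os, re, sys

# Path from the post; 64-bit Az CLI installs may sit under "C:\Program Files" instead.
AZ_CLI_CACERT = (r"C:\Program Files (x86)\Microsoft SDKs\Azure\CLI2"
                 r"\Lib\site-packages\certifi\cacert.pem")
_PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----\s*(.+?)\s*-----END CERTIFICATE-----", re.S)

def pem_blocks(text):
    """Every certificate in a PEM bundle as raw DER bytes (order preserved)."""
    return [base64.b64decode("".join(m.group(1).split())) for m in _PEM_RE.finditer(text)]

def fingerprint(der):
    """SHA-256 fingerprint, colon-separated as MMC and OpenSSL show it."""
    h = hashlib.sha256(der).hexdigest().upper()
    return ":".join(h[i:i + 2] for i in range(0, 64, 2))

def bundle_in_use(env):
    """Bundle the Az CLI's Python requests layer actually trusts: REQUESTS_CA_BUNDLE
    replaces certifi's cacert.pem rather than adding to it, so while the variable
    is set any edit to cacert.pem is ignored."""
    return env.get("REQUESTS_CA_BUNDLE") or AZ_CLI_CACERT

def merge_bundle(bundle_text, extra_pem_text):
    """Append the certs in extra_pem_text that bundle_text lacks.
    Returns (new_bundle_text, fingerprints_added); idempotent, so re-running
    after an Az CLI upgrade has replaced cacert.pem is safe."""
    known = {fingerprint(der) for der in pem_blocks(bundle_text)}
    out = bundle_text if bundle_text.endswith("\n") else bundle_text + "\n"
    added = []
    for m in _PEM_RE.finditer(extra_pem_text):
        fp = fingerprint(base64.b64decode("".join(m.group(1).split())))
        if fp in known:
            continue  # already trusted: do not append a duplicate
        # certifi's bundle carries "# ..." metadata lines; PEM readers ignore them
        out += "\n# Added: SSL inspection root\n# SHA256 Fingerprint: %s\n%s\n" % (fp, m.group(0))
        known.add(fp)
        added.append(fp)
    return out, added

if __name__ == "__main__":  # usage: python merge_root.py Firewall_Root_Cert.cer
    if bundle_in_use(os.environ) != AZ_CLI_CACERT:
        sys.exit("REQUESTS_CA_BUNDLE overrides cacert.pem; unset it first")
    with open(sys.argv[1]) as f, open(AZ_CLI_CACERT) as b:
        text, added = merge_bundle(b.read(), f.read())
    with open(AZ_CLI_CACERT, "w") as b:  # needs an elevated prompt under Program Files
        b.write(text)
    print("added:", added or "nothing (already present)")
```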

4 thoughts on “Az CLI Login SSL: CERTIFICATE_VERIFY_FAILED”

  1. Amazing article. I had this issue when running az extension list-available --output table and az extension add --name, and with the workaround I was able to solve this problem working behind a ZScaler proxy. It had taken me hours until I found this article.


  2. Thought I’d share some gotchas i got caught out by.

    The method in this article didn’t work for me at first, and after a lot of troubleshooting I realised it’s because I’d already tried the environment variable REQUESTS_CA_BUNDLE method too. I’m not going to explain the latter method here, but there are plenty of articles you can google.

    I thought I’d read that the certificate pointed at by REQUESTS_CA_BUNDLE would be loaded by Python / az cli in addition to the C:\Program Files (x86)\Microsoft SDKs\Azure\CLI2\Lib\site-packages\certifi\cacert.pem mentioned in this article. However, the catch is that the REQUESTS_CA_BUNDLE variable REPLACES, NOT ADDS TO, the Program Files cacert.pem.

    So if you’re using the REQUESTS_CA_BUNDLE method, ensure you copy the contents from cacert.pem in addition to your own certificate.

    Or if you’re using the cacert.pem method described in this article, make sure you remove the REQUESTS_CA_BUNDLE variable if you already have one.

