Just wanted to do a quick post as I was having issue connecting to Az CLi. When connection it was failing to validate the login.microsoftonline.com certificate.
I was getting the below verification error.
HTTPSConnectionPool(host=’login.microsoftonline.com’, port=443): Max retries exceeded with url: /organizations/v2.0/.well-known/openid-configuration (Caused by SSLError(SSLCertVerificationError(1, ‘[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self signed certificate in certificate chain (_ssl.c:997)’)))
The issue looked to be caused by the SSL inspection being done on the firewall. To check the cert being used by the firewall I used the developer mode in Edge using F12. When in the developer mode go to security and view certificate.
There where a few different recommendations online to set environment variables and run python commands but none of these fixed the issue for me. These where all related to connection request going proxy but in this case to I wasn’t using a proxy.
I found this GitHub issue page
tried the python command to use the local system cert store but this didn’t work, someone said to try add the cert file content to the cacert.pem file in the Microsoft SDK. I tried to add it manually to cacert.pem.
Below steps fixed the issue for me.
- Using MMC console, export the root cert from my local cert store that was used for the SSL inspection as Base-64 encoded
- Use OpenSSL to view the cert content I used “openssl x509 -in ‘Firewall_Root_Cert.cer’ -text” ( can also use notepad but that does have the issuer or subject details)
- Go to C:\Program Files (x86)\Microsoft SDKs\Azure\CLI2\Lib\site-packages\certifi\cacert.pem
- Open using NotePad ++ or notepad and then added the cert content to the bottom after the last cert
Below is the update cacert.pem file.
Once I added the root cert content, I was then able to connect without issue.
2 thoughts on “Az CLi Login SSL: CERTIFICATE_VERIFY_FAILED”
how to check which is the root cert?
I used the developer tools in Edge to view the issuer of the cert and export it.