SJS Bowley

Reputation: 51

AZ Login from CLI issue - SELF SIGNED CERTIFICATE

Trying to log on to my Azure portal account through the AZ CLI.

At the az login command I get redirected to a browser to sign into Azure, sign in is successful, CLI says "You have logged in, now let us find all the subscriptions to which you have access..." Then I get this error:

[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self signed certificate in certificate chain (_ssl.c:1125)

Upvotes: 5

Views: 13352

Answers (3)

SaiKarri-MT

Reputation: 1301

I tried reproducing the issue with the command which you have used; I got redirected to the browser and got back and logged in successfully.


Referring to the error message which you got, it looks like you don't have a fully signed certificate.

To use Azure CLI with the ASDK, you must trust the CA root certificate on your remote machine.

Usually, these certificate locations will depend on where we've installed our Python packages.

With the command below we can get it and make a note of it:

python -c "import certifi; print(certifi.where())"

Refer to the Microsoft documentation for Setting up certificates for Azure CLI.

Upvotes: 0

Andrew Richesson

Reputation: 458

Here's how to trust the untrusted certificates in the chain for the az cli. This is assuming you want to trust the certificate chain. Mine was broken because of a corporate self-signed certificate.

Use this command to list the certificates in the chain:

openssl s_client -connect domainYouWantToConnect.com:443 -showcerts

Then copy each cert and paste it at the end of the cacert.pem file in C:\Program Files (x86)\Microsoft SDKs\Azure\CLI2\Lib\site-packages\certifi\cacert.pem

-----BEGIN CERTIFICATE-----
Certificate stuff....
-----END CERTIFICATE-----

You don't need to have any of the # Issuer: .. or # Subject headers.

Upvotes: 1

curtispy

Reputation: 234

If you are working behind a corporate proxy, it's most likely that your company's root CA is not added to the REQUESTS_CA_BUNDLE in the Python requests library that Azure CLI depends on.

To add the CA,

  • Open Chrome, go to portal.azure.com
  • Click Connection is secure
  • Certificate -> Check if the root CA is public or corporate; if it's a public CA (something like Baltimore...), try going to a different URL
  • Select certification path and export the top corporate CA to file
  • Append the CA to C:\Program Files (x86)\Microsoft SDKs\Azure\CLI2\Lib\site-packages\certifi\cacert.pem

More detailed instructions can be found in this post.

For OSes other than Windows, refer to this Microsoft doc.

Upvotes: 6
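
Added example (not code from any of the answers or from Azure CLI): the append step the answers above describe, done by a script that pulls the certificate blocks out of saved `openssl s_client -showcerts` output, skips any the bundle already holds, and writes a separate merged file while reporting the fingerprint of each certificate it adds. The function names, the output file name and the sample blocks are assumptions; the sample blocks are constructed placeholders, not real certificates.

```python
import base64
import hashlib
import re
import tempfile
from pathlib import Path

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)


def to_pem(der: bytes) -> str:
    """Encode DER bytes as a PEM block wrapped at 64 columns."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\n".join(["-----BEGIN CERTIFICATE-----", *lines,
                      "-----END CERTIFICATE-----"]) + "\n"


def pem_blocks(text: str) -> dict:
    """Map SHA-256(DER) -> PEM for each certificate block, ignoring other text."""
    found = {}
    for match in PEM_RE.finditer(text):
        # validate=True rejects a block damaged while copying and pasting
        der = base64.b64decode("".join(match.group(1).split()), validate=True)
        found[hashlib.sha256(der).hexdigest()] = to_pem(der)
    return found


def merge_bundle(base_bundle: str, showcerts_output: str, out_path) -> list:
    """Write base bundle + certificates it lacks; return the added fingerprints."""
    known = pem_blocks(base_bundle)
    new = {fp: pem for fp, pem in pem_blocks(showcerts_output).items()
           if fp not in known}
    base = base_bundle if base_bundle.endswith("\n") else base_bundle + "\n"
    Path(out_path).write_text(base + "".join(new.values()), encoding="utf-8")
    return sorted(new)


# Constructed placeholders (not real X.509), framed like `-showcerts` output.
PUBLIC_ROOT = to_pem(b"constructed public root")
CORP_ROOT = to_pem(b"constructed corporate root")
SHOWCERTS = (" 0 s:CN = example\n" + PUBLIC_ROOT +
             " 1 s:CN = Corp Root (constructed)\n" + CORP_ROOT + "---\n")

if __name__ == "__main__":
    out = Path(tempfile.mkdtemp()) / "az-ca-bundle.pem"  # hypothetical file name
    for fp in merge_bundle("# Issuer: example\n" + PUBLIC_ROOT, SHOWCERTS, out):
        print("added, verify this SHA-256 with your PKI team:", fp)
    print("merged bundle written to", out)
```

The reported value is the SHA-256 digest of the certificate's DER encoding, the same digest `openssl x509 -noout -fingerprint -sha256` shows, so it can be compared with the fingerprint your organisation publishes for its root CA. Pointing REQUESTS_CA_BUNDLE at the merged file leaves the cacert.pem shipped with the CLI unmodified.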
