azcli issues when behind a corporate firewall
Question
I am trying to use AZCLI from vscode behind a corporate firewall and receiving this message:
cli.azure.cli.core.azclierror: HTTPSConnectionPool(host='login.microsoftonline.com', port=443): Max retries exceeded with url: /organizations/v2.0/.well-known/openid-configuration (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self signed certificate in certificate chain (_ssl.c:997)')))
> az_command_data_logger:
> HTTPSConnectionPool(host='login.microsoftonline.com', port=443): Max
> retries exceeded with url:
> /organizations/v2.0/.well-known/openid-configuration (Caused by
> SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED]
> certificate verify failed: self signed certificate in certificate
> chain (_ssl.c:997)')))
>
> Certificate verification failed. This typically happens when using
> Azure CLI behind a proxy that intercepts traffic with a self-signed
> certificate. Please add this certificate to the trusted CA bundle.
> More info:
> https://docs.microsoft.com/cli/azure/use-cli-effectively#work-behind-a-proxy.
cli.knack.cli: Event: Cli.PostExecute [<function AzCliLogging.deinit_cmd_metadata_logging at 0x0402A460>]
The problem is that I have no clue which certificate is the one that I should add in vscode bundle.
I added some root certs found in my certificates MMC in the file found at:
C:\Program Files (x86)\Microsoft SDKs\Azure\CLI2\Lib\site-packages\certifi\cacert.pem
Yet, I am not able to run azcli from vscode. Any ideas on how I could find the firewall certs?
So far, also tried to set variables:
setx AZURE_CLI_DISABLE_CONNECTION_VERIFICATION 1
setx ADAL_PYTHON_SSL_NO_VERIFY 1
Added a lot of root certs that my computer has, but I have no clue if there are any others that I need to add there.
Another thing that I don't know what it means is something I saw in many threads about REQUEST_CA_BUNDLE. Should it help?
Answer 1
Score: 1
From the error message it is pretty clear that the issue is due to the SSL certificate verification.
Plan 1:
Firstly, in order to find the root certificate that you need, follow the below article:
https://github.com/jiasli/azure-notes/blob/master/cli/proxy-cert-linux.md
After you get the root certification information, you need to follow the below article:
https://docs.microsoft.com/cli/azure/use-cli-effectively#work-behind-a-proxy
Plan 2:
If the above doesn't help, try appending standard Python root CAs to your pem file and check if that helps to run the CLI command.
> REQUESTS_CA_BUNDLE=$HOME/certs/internal.pem
Plan 3:
Try disabling SSL certificate verification temporarily by setting the REQUESTS_CA_BUNDLE environment variable to None and check if that helps to run the CLI command.
> export REQUESTS_CA_BUNDLE=None
Plan 4:
Run this command and check the result:
> python.exe -c "import urllib.request; print(urllib.request.getproxies())"
This should give you the proxy details. You can then reach out to your internal corporate proxy team and check if they can provide you the certificate which you can use in the above steps and then append that certificate to this file: C:\Program Files (x86)\Microsoft SDKs\Azure\CLI2\Lib\site-packages\certifi\cacert.pem.
Hope this helps.
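An added example, not part of the original answer and not Azure CLI's own code: one way to build the combined CA bundle discussed above as a separate file, merging the certifi roots with the PEM obtained from the proxy team, skipping damaged blocks and duplicates (compared by SHA-256 of the DER bytes), and leaving the installed cacert.pem unmodified. All function names are hypothetical, and the sample blocks are constructed placeholders rather than real certificates.

```python
import base64
import hashlib
import re
from pathlib import Path

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.+?)\s*-----END CERTIFICATE-----", re.S)

def pem_blocks(text):
    """Yield (sha256 of DER bytes, normalized PEM) for each certificate block."""
    for match in PEM_RE.finditer(text):
        b64 = "".join(match.group(1).split())
        try:
            der = base64.b64decode(b64, validate=True)
        except ValueError:  # damaged block, e.g. a bad copy/paste: skip it
            continue
        body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
        yield (hashlib.sha256(der).hexdigest(),
               f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n")

def merge_bundles(base_text, extra_text):
    """Return (combined PEM, fingerprints newly added from extra_text)."""
    seen, out, added = set(), [], []
    for source, is_extra in ((base_text, False), (extra_text, True)):
        for fingerprint, pem in pem_blocks(source):
            if fingerprint in seen:
                continue  # already trusted: do not append a second copy
            seen.add(fingerprint)
            out.append(pem)
            if is_extra:
                added.append(fingerprint)
    return "".join(out), added

def write_bundle(base_path, extra_path, out_path):
    """Write base + extra certificates to out_path; base_path is only read."""
    combined, added = merge_bundles(
        Path(base_path).read_text(encoding="utf-8", errors="replace"),
        Path(extra_path).read_text(encoding="utf-8", errors="replace"))
    Path(out_path).write_text(combined, encoding="ascii")
    return added

def constructed_pem(payload):
    """Constructed placeholder block (not a real certificate) for the demo."""
    b64 = base64.b64encode(payload).decode()
    return f"-----BEGIN CERTIFICATE-----\n{b64}\n-----END CERTIFICATE-----\n"

# Constructed sample input: two "public" roots, plus a proxy root and a repeat.
SAMPLE_BASE = constructed_pem(b"public-root-A") + constructed_pem(b"public-root-B")
SAMPLE_EXTRA = constructed_pem(b"corp-proxy-root") + constructed_pem(b"public-root-A")
```

Call `write_bundle` with the cacert.pem path from the question as the base and the proxy team's PEM as the extra file, then point `REQUESTS_CA_BUNDLE` at the output file.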