
I have some trouble configuring my Windows to work with the az command line tools. I have tested multiple configurations: one on a locally installed system and one with a Windows-based Docker container. I get the same error on both systems.

In case I issue the following command:

  az login --tenant my-domain.org

I get the following error:

HTTPSConnectionPool(host='login.microsoftonline.com', port=443): Max retries exceeded with url: /my-domain.org/.well-known/openid-configuration (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self signed certificate in certificate chain (_ssl.c:1125)')))

The container has the following az and openssl version:

PS C:\azp> az version
{
  "azure-cli": "2.28.0",
  "azure-cli-core": "2.28.0",
  "azure-cli-telemetry": "1.0.6",
  "extensions": {}
}
PS C:\azp> openssl version
OpenSSL 1.1.1k  25 Mar 2021

The local system has the following az and openssl version:

(base) PS C:\01_Dev\dockerdevimage> az version

{
  "azure-cli": "2.26.1",
  "azure-cli-core": "2.26.1",
  "azure-cli-telemetry": "1.0.6",
  "extensions": {}
}
(base) PS C:\01_Dev\dockerdevimage> openssl version

OpenSSL 1.1.1c  28 May 2019

I tried to understand why I get the error, so I tested the connection with openssl as follows:

PS C:\azp> openssl s_client -proxy 10.76.209.147:3128 -connect login.microsoftonline.com:443 -showcerts
CONNECTED(00000180)
Can't use SSL_get_servername
depth=2 DC = org, DC = my-domain, CN = PKI, CN = BB-CA-DD   <-- edited manually
verify error:num=19:self signed certificate in certificate chain
verify return:1

I have also tested with the same proxy server and with a Linux container, and the az command works as expected:

$ az version
{
  "azure-cli": "2.25.0",
  "azure-cli-core": "2.25.0",
  "azure-cli-telemetry": "1.0.6",
  "extensions": {}
}

$ openssl version
OpenSSL 1.1.1f  31 Mar 2020

$ az login --tenant my-domain.org 
The default web browser has been opened at https://login.microsoftonline.com/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/oauth2/authorize. Please continue the login in the web browser. If no web browser is available or if the web browser fails to open, use device code flow with `az login --use-device-code`.
You have logged in. Now let us find all the subscriptions to which you have access...
[
  {
    "cloudName": "AzureCloud",
...

On the Linux container the openssl command returns the following output:

$ openssl s_client -proxy 10.76.209.147:3128 -connect login.microsoftonline.com:443 -showcerts
Can't use SSL_get_servername
depth=2 DC = org, DC = my-domain, CN = PKI, CN = BB-CA-DD
verify return:1

I have also imported the certificate with the following command based on this link:

PS C:\azp> Import-Certificate -FilePath .\BB-CA-DD.crt -CertStoreLocation Cert:\LocalMachine\Root\

No changes. I'm not sure how to proceed.

Maybe this issue is related to the following posts and articles:

Edit:

I've moved the solution from here to an Answer block to highlight that the issue for me was resolved. Based on the reactions, I've concluded that it is indeed useful for others too.


3 Answers


Finally I was able to resolve the issue as follows:

I've found the following documentation:

Setting up certificates for Azure CLI on Azure Stack Development Kit

The basic idea is to find the python installation used for Azure CLI and update the related certificate file.

In my case the Azure CLI was installed with python on the following location:

C:\Program Files (x86)\Microsoft SDKs\Azure\CLI2\python.exe

And using the command that was suggested returned the following:

PS > & "C:\Program Files (x86)\Microsoft SDKs\Azure\CLI2\python.exe" -c "import certifi; print(certifi.where())"
C:\Program Files (x86)\Microsoft SDKs\Azure\CLI2\lib\site-packages\certifi\cacert.pem

The 64-bit variant of Azure CLI will use a different folder, shown below:

C:\Program Files\Microsoft SDKs\Azure\CLI2\Lib\site-packages\certifi\cacert.pem

Updating the file mentioned above solved the az login issue for me. One of the Python installations provided by my-domain.org contained a properly configured cacert.pem file.


You can use the following method.

Your Azure CLI is looking for the cert at this location (if using Windows):

Default certificate authority bundle (Windows): C:\Program Files (x86)\Microsoft SDKs\Azure\CLI2\Lib\site-packages\certifi\cacert.pem

Download the Certificate of your Azure Portal (portal.azure.com)

Append the certificate to the above cacert.pem file and try az login again after restarting PowerShell.

Alternatively

If you're using Azure CLI over a proxy server, it may cause the following error: SSLError("bad handshake: Error([('SSL routines', 'tls_process_server_certificate', 'certificate verify failed')],)",). To address this error, set the environment variable REQUESTS_CA_BUNDLE to the path of certificate authority bundle certificate file in PEM format.

Append the proxy server's certificate to this file or copy the contents to another certificate file, then set REQUESTS_CA_BUNDLE to it. You might also need to set the HTTP_PROXY or HTTPS_PROXY environment variables.

Link to MS Docs solution
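Putting the first two answers together (the certifi lookup via the CLI's own python from the first answer, and the "append the CA and set REQUESTS_CA_BUNDLE" approach from the second), the following PowerShell script is an added example and is not code from the question or from either answer. It assumes the 32-bit CLI path quoted above, a placeholder CA file path `C:\certs\BB-CA-DD.crt`, and an output bundle under `%USERPROFILE%\.azure`; adjust these for your machine. It reads the CA in either DER or PEM form, checks by thumbprint whether the bundle already contains it, writes a merged copy rather than editing the shipped file, and then verifies the connection with the same `requests` library az uses.

```powershell
# Added example, not code from the question or the answers.
# Merges an internal/proxy root CA into a copy of Azure CLI's certifi bundle and points
# REQUESTS_CA_BUNDLE at the copy. The paths below are assumptions; adjust for your machine.
param(
    # Root CA that signs the proxy's intercepted certificates (PEM or DER). Placeholder path.
    [string]$CaCertPath = 'C:\certs\BB-CA-DD.crt',
    # Python shipped with the 32-bit Azure CLI (the 64-bit build lives under "C:\Program Files").
    [string]$AzPython   = 'C:\Program Files (x86)\Microsoft SDKs\Azure\CLI2\python.exe',
    # Merged bundle is written outside the CLI folder so a reinstall/upgrade does not overwrite it.
    [string]$OutBundle  = "$env:USERPROFILE\.azure\ca-bundle.pem"
)

$ErrorActionPreference = 'Stop'

# 1. Let the CLI's own python report where certifi keeps cacert.pem (same command as the first answer).
$defaultBundle = (& $AzPython -c 'import certifi; print(certifi.where())').Trim()
if (-not (Test-Path -LiteralPath $defaultBundle)) { throw "certifi bundle not found: $defaultBundle" }

# 2. Load the CA. X509Certificate2 reads both DER and PEM files, so the output is re-encoded as
#    PEM from the raw bytes instead of copying whatever format the file happens to be in.
$ca = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($CaCertPath)
if ($ca.Subject -ne $ca.Issuer) {
    Write-Warning "'$($ca.Subject)' is not self-issued: add the root CA, not a leaf or intermediate."
}
$b64   = [Convert]::ToBase64String($ca.RawData, [System.Base64FormattingOptions]::InsertLineBreaks)
$caPem = "-----BEGIN CERTIFICATE-----`n$b64`n-----END CERTIFICATE-----"

# 3. Check whether the bundle already contains this CA, comparing thumbprints rather than text
#    (the same certificate can appear with different line wrapping or surrounding comments).
$bundleText     = Get-Content -LiteralPath $defaultBundle -Raw
$pattern        = '-----BEGIN CERTIFICATE-----\s*([A-Za-z0-9+/=\r\n]+?)\s*-----END CERTIFICATE-----'
$alreadyPresent = $false
foreach ($m in [regex]::Matches($bundleText, $pattern)) {
    $raw      = [Convert]::FromBase64String(($m.Groups[1].Value -replace '\s', ''))
    $existing = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($raw)
    if ($existing.Thumbprint -eq $ca.Thumbprint) { $alreadyPresent = $true; break }
}

# 4. Write the merged bundle; the shipped cacert.pem itself is left untouched.
$outDir = Split-Path -Parent $OutBundle
if (-not (Test-Path -LiteralPath $outDir)) { New-Item -ItemType Directory -Path $outDir | Out-Null }
if ($alreadyPresent) {
    Write-Host "CA $($ca.Thumbprint) is already in $defaultBundle; copying it unchanged."
    Copy-Item -LiteralPath $defaultBundle -Destination $OutBundle -Force
} else {
    # Lines outside BEGIN/END blocks are ignored by PEM readers, so a marker comment is safe here.
    $merged = $bundleText.TrimEnd() + "`n`n# Added by ca-bundle script, thumbprint $($ca.Thumbprint)`n" + $caPem + "`n"
    Set-Content -LiteralPath $OutBundle -Value $merged -Encoding ascii
    Write-Host "Appended '$($ca.Subject)' ($($ca.Thumbprint)) to $OutBundle"
}

# 5. Make python requests (and therefore az) use the merged bundle for this session.
#    Uncomment the second line to persist it for the current user.
$env:REQUESTS_CA_BUNDLE = $OutBundle
# [Environment]::SetEnvironmentVariable('REQUESTS_CA_BUNDLE', $OutBundle, 'User')

# 6. Verify with the CLI's own python using the requests library az itself uses: it honours both
#    REQUESTS_CA_BUNDLE and HTTPS_PROXY, so this takes the same proxy path as az login would.
& $AzPython -c "import requests; r = requests.get('https://login.microsoftonline.com/my-domain.org/.well-known/openid-configuration', timeout=20); print('HTTP', r.status_code, '- TLS chain validated')"
```

Two points worth knowing about this approach. First, the `Import-Certificate` into `Cert:\LocalMachine\Root` from the question does not help because the CLI's bundled Python validates against certifi's `cacert.pem`, not the Windows certificate store, which is why the first answer locates that file. Second, writing a merged copy and pointing `REQUESTS_CA_BUNDLE` at it (as the second answer's MS Docs quote describes) is preferable to editing the shipped `cacert.pem`, which a CLI reinstall or upgrade replaces; keep the script's thumbprint check so repeated runs do not append duplicates, and add only the root of the intercepting proxy, since every certificate chaining to it will be accepted by az from then on.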


I solved this problem by changing the DNS for IPv4. Maybe it can work for you too. I ran the az upgrade command after the DNS change. When I ran az upgrade while it was giving this error, it said "check internet connection". It was upgraded with success and the related error has been resolved.

I used Google DNS as the DNS server:

8.8.8.8

8.8.4.4

Then I set the DNS to the automatic option. I can continue to use it without any problems. I can now access with the az login command.

  • In some corporate environments one only has internet access over an HTTP proxy for security reasons. In those cases no DNS setting helps. :) – minus one Mar 29 '23 at 17:09