Open elygre opened 2 years ago
@jiasli for awareness
This problem is resurfacing in 2.33; I believe it was gone in 2.32:
PS > az upgrade
This command is in preview and under development. Reference and support levels: https://aka.ms/CLI_refstatus
You already have the latest azure-cli version: 2.33.0
Upgrading extensions
Checking update for account
No updates available for 'account'. Use --debug for more information.
Checking update for azure-devops
An error occurred whilst updating.
Please ensure you have network connection. Error detail: HTTPSConnectionPool(host='github.com', port=443): Max retries exceeded with url: /Azure/azure-devops-cli-extension/releases/download/20220131.1/azure_devops-0.23.0-py2.py3-none-any.whl (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1125)')))
Failed to update. Rolled azure-devops back to 0.22.0.
Checking update for resource-graph
No updates available for 'resource-graph'. Use --debug for more information.
Upgrade finished.```
See also #20842 and probably others mentioning CERTIFICATE_VERIFY_FAILED.
@elygre, this problem is not related to different Azure CLI versions, but your proxy's configuration which intercepts traffic to github.com
.
Would it be possible to bypass all of this, using the system certificate store instead?
This is definitely a good idea. There are already lots of discussions regarding this topic in the Python community:
I found some projects which do this:
However, https://github.com/pypa/pip/issues/2510#issuecomment-288556850 says doing this is difficult on Windows. I am not sure if pip-system-certs
works as expected.
Additional information:
This worked for me,
PUSHD "C:\Program Files\Microsoft SDKs\Azure\CLI2"
python -m pip install pip_system_certs --trusted-host pypi.org --trusted-host files.pythonhosted.org
I had been getting the Python error when adding extensions.
I'm trying to run "az upgrade", which fails beautifully presumably due to the corporate proxy we have. https://github.com/Azure/azure-cli/issues/17938#issuecomment-890038445 gives some information on how to solve it, including a link to https://docs.microsoft.com/en-us/cli/azure/use-cli-effectively#work-behind-a-proxy.
The outlined mechanism seems ... convoluted. It suggests that I should edit
C:\Program Files (x86)\Microsoft SDKs\Azure\CLI2\Lib\site-packages\certifi\cacert.pem
. This requires that I acquire the corporate MITM certificate (it's probably easy, but I don't know how), and that I'm comfortable with the file format. Also, every user would have to do this on every computer.Environment Summary