Open bitsofinfo opened 1 year ago
This works fine btw: python -c "import requests; print(requests.get('https://login.microsoftonline.com/').status_code)"
route to CXP team
did you take a look at https://github.com/Azure/azure-cli/issues/23282?
I could reproduce this issue with the following python script in a Windows Server 2022 environment.
```
>>> from urllib.request import urlopen
>>> import socket, ssl
>>> ctx = ssl.create_default_context()
>>> urlopen("https://storage.googleapis.com/kubernetes-release/release/stable.txt", context=ctx)
Traceback (most recent call last):
  File "urllib\request.py", line 1348, in do_open
  File "http\client.py", line 1282, in request
  File "http\client.py", line 1328, in _send_request
  File "http\client.py", line 1277, in endheaders
  File "http\client.py", line 1037, in _send_output
  File "http\client.py", line 975, in send
  File "http\client.py", line 1454, in connect
  File "ssl.py", line 513, in wrap_socket
  File "ssl.py", line 1071, in _create
  File "ssl.py", line 1342, in do_handshake
ssl.SSLCertVerificationError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:997)

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "urllib\request.py", line 216, in urlopen
  File "urllib\request.py", line 519, in open
  File "urllib\request.py", line 536, in _open
  File "urllib\request.py", line 496, in _call_chain
  File "urllib\request.py", line 1391, in https_open
  File "urllib\request.py", line 1351, in do_open
urllib.error.URLError: <urlopen error [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:997)>
>>> len(ctx.get_ca_certs())
13
>>> [print(x['subject'][-1][0]) for x in ctx.get_ca_certs()]
('commonName', 'DST Root CA X3')
('commonName', 'ISRG Root X1')
('commonName', 'Baltimore CyberTrust Root')
('organizationalUnitName', 'Class 3 Public Primary Certification Authority')
('commonName', 'Microsoft Root Certificate Authority')
('commonName', 'DigiCert Global Root CA')
('commonName', 'DigiCert Global Root G2')
('commonName', 'Microsoft Root Certificate Authority 2010')
('commonName', 'Microsoft Root Certificate Authority 2011')
('commonName', 'Microsoft ECC TS Root Certificate Authority 2018')
('commonName', 'Microsoft Time Stamp Root Certificate Authority 2014')
('commonName', 'Microsoft ECC Product Root Certificate Authority 2018')
('organizationalUnitName', 'www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign')
[None, None, None, None, None, None, None, None, None, None, None, None, None]
```
The reason for the exception appears to be the lack of GlobalSign Root CA.
After browsing the above url with edge browser, no exception occurs.
```
>>> ctx = ssl.create_default_context()
>>> len(ctx.get_ca_certs())
15
>>> [print(x['subject'][-1][0]) for x in ctx.get_ca_certs()]
('commonName', 'DST Root CA X3')
('commonName', 'ISRG Root X1')
('commonName', 'GlobalSign Root CA')
('commonName', 'Baltimore CyberTrust Root')
('organizationalUnitName', 'Class 3 Public Primary Certification Authority')
('commonName', 'Microsoft Root Certificate Authority')
('commonName', 'DigiCert Global Root CA')
('commonName', 'DigiCert Global Root G2')
('organizationalUnitName', 'Starfield Class 2 Certification Authority')
('commonName', 'Microsoft Root Certificate Authority 2010')
('commonName', 'Microsoft Root Certificate Authority 2011')
('commonName', 'Microsoft ECC TS Root Certificate Authority 2018')
('commonName', 'Microsoft ECC Product Root Certificate Authority 2018')
('organizationalUnitName', 'www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign')
('commonName', 'Microsoft Time Stamp Root Certificate Authority 2014')
[None, None, None, None, None, None, None, None, None, None, None, None, None, None, None]
>>> urlopen("https://storage.googleapis.com/kubernetes-release/release/stable.txt", context=ctx)
<http.client.HTTPResponse object at 0x011847C0>
```
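An added diagnostic, not part of the comment above or of azure-cli: it diffs two `get_ca_certs()` snapshots to show which roots appeared between the failing and the working run. The sample lists are constructed from the two listings in the comment, and all helper names are hypothetical.

```python
import ssl

def subject_label(cert):
    """commonName if present, else the value of the last RDN."""
    rdns = cert.get("subject", ())
    for rdn in rdns:
        for key, value in rdn:
            if key == "commonName":
                return value
    return rdns[-1][0][1] if rdns else "<no subject>"

def labels(certs):
    return {subject_label(c) for c in certs}

def store_diff(before, after):
    """Return (added, removed) root labels between two snapshots."""
    b, a = labels(before), labels(after)
    return sorted(a - b), sorted(b - a)

def live_snapshot():
    """Roots that a fresh default context trusts on this machine right now."""
    return ssl.create_default_context().get_ca_certs()

# Constructed input in get_ca_certs() shape; labels taken from the thread.
def _cert(key, value):
    return {"subject": (((key, value),),)}

CN, OU = "commonName", "organizationalUnitName"
BEFORE = [_cert(k, v) for k, v in [
    (CN, "DST Root CA X3"), (CN, "ISRG Root X1"),
    (CN, "Baltimore CyberTrust Root"),
    (OU, "Class 3 Public Primary Certification Authority"),
    (CN, "Microsoft Root Certificate Authority"),
    (CN, "DigiCert Global Root CA"), (CN, "DigiCert Global Root G2"),
    (CN, "Microsoft Root Certificate Authority 2010"),
    (CN, "Microsoft Root Certificate Authority 2011"),
    (CN, "Microsoft ECC TS Root Certificate Authority 2018"),
    (CN, "Microsoft Time Stamp Root Certificate Authority 2014"),
    (CN, "Microsoft ECC Product Root Certificate Authority 2018"),
    (OU, "www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign"),
]]
AFTER = BEFORE + [_cert(CN, "GlobalSign Root CA"),
                  _cert(OU, "Starfield Class 2 Certification Authority")]

if __name__ == "__main__":
    added, removed = store_diff(BEFORE, AFTER)
    print("added after browsing:", added, "removed:", removed)
    print("GlobalSign Root CA trusted now:",
          "GlobalSign Root CA" in labels(live_snapshot()))
```

Saving `live_snapshot()` before and after a workaround and passing both lists to `store_diff` gives the same comparison for the local machine.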
> I could reproduce this issue with the following python script in a Windows Server 2022 environment.
>
> ```
> >>> from urllib.request import urlopen
> >>> import socket, ssl
> >>> ctx = ssl.create_default_context()
> >>> urlopen("https://storage.googleapis.com/kubernetes-release/release/stable.txt", context=ctx)
> Traceback (most recent call last):
>   File "urllib\request.py", line 1348, in do_open
>   File "http\client.py", line 1282, in request
> ```

This worked for me ONLY after I visited https://storage.googleapis.com/kubernetes-release/release/stable.txt in Internet Explorer in Windows 2022. Visiting it in Edge did not do the trick. In fact, the certificate chain looked different when visiting it in Edge vs Internet Explorer.

![image](https://github.com/Azure/azure-cli/assets/13176884/db7aa4a7-dd92-4157-bcd3-c63e41a3bff2)
Also had a similar experience with a VM with Windows 11. Since there is no IE, I followed these instructions
@artisticcheese thanks for the tip!
I found that there are 2 URLs causing the issue. It suffices to open those 2 URLs in IE on Windows Server for the issue to go away.

- https://storage.googleapis.com/kubernetes-release/release/stable.txt (already mentioned)
- https://api.github.com/repos/Azure/kubelogin/releases/latest (for downloading kubelogin)
I have the same issue. @jiasli Is there an update or can this be routed to the correct team? `az login` works. Error is caused by this line:
https://github.com/Azure/azure-cli/blob/b0f75da4fb753f94edab1eb11fc2d0e9a2c8996b/src/azure-cli/azure/cli/command_modules/acs/custom.py#L1880
If I try PowerShell `Invoke-WebRequest` and `az rest`, it works:
Invoke-WebRequest -Uri "https://storage.googleapis.com/kubernetes-release/release/stable.txt"
az rest --method Get --url "https://storage.googleapis.com/kubernetes-release/release/stable.txt"
I fixed it by running `Invoke-WebRequest -Uri "<url>"` twice, once for each new URL that `az aks install-cli` tries to call:
Invoke-WebRequest -Uri "https://storage.googleapis.com/kubernetes-release/release/stable.txt"
Invoke-WebRequest -Uri "https://api.github.com/repos/Azure/kubelogin/releases/latest"
Thank you for your help! That works for me.
Running `az aks install-cli` from Windows PowerShell; Windows version below.
`az login` works just fine.