Azure / azure-cli

Azure Command-Line Interface
MIT License

NO PROXY: az aks install-cli: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate #25288

Open bitsofinfo opened 1 year ago

bitsofinfo commented 1 year ago

Running from Windows PowerShell: `az aks install-cli`

Windows version below.

`az login` works just fine.

```
az aks install-cli
The detected architecture is 'amd64', which will be regarded as 'amd64' and the corresponding binary will be downloaded. If there is any problem, please download the appropriate binary by yourself.
The command failed with an unexpected error. Here is the traceback:
<urlopen error [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:997)>
Traceback (most recent call last):
  File "urllib\request.py", line 1348, in do_open
  File "http\client.py", line 1282, in request
  File "http\client.py", line 1328, in _send_request
  File "http\client.py", line 1277, in endheaders
  File "http\client.py", line 1037, in _send_output
  File "http\client.py", line 975, in send
  File "http\client.py", line 1454, in connect
  File "ssl.py", line 513, in wrap_socket
  File "ssl.py", line 1071, in _create
  File "ssl.py", line 1342, in do_handshake
ssl.SSLCertVerificationError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:997)

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\knack/cli.py", line 233, in invoke
  File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/commands/__init__.py", line 663, in execute
  File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/commands/__init__.py", line 726, in _run_jobs_serially
  File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/commands/__init__.py", line 697, in _run_job
  File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/commands/__init__.py", line 333, in __call__
  File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/commands/command_operation.py", line 121, in handler
  File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/command_modules/acs/custom.py", line 1432, in k8s_install_cli
  File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/command_modules/acs/custom.py", line 1547, in k8s_install_kubectl
  File "urllib\request.py", line 216, in urlopen
  File "urllib\request.py", line 519, in open
  File "urllib\request.py", line 536, in _open
  File "urllib\request.py", line 496, in _call_chain
  File "urllib\request.py", line 1391, in https_open
  File "urllib\request.py", line 1351, in do_open
urllib.error.URLError: <urlopen error [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:997)>
To check existing issues, please visit: https://github.com/Azure/azure-cli/issues
To open a new issue, please run `az feedback`
```

```
WindowsBuildLabEx                                       : 22621.1.amd64fre.ni_release.220506-1250
WindowsCurrentVersion                                   : 6.3
WindowsEditionId                                        : Professional
WindowsInstallationType                                 : Client
WindowsInstallDateFromRegistry                          : 1/26/2023 10:55:07 PM
WindowsProductId                                        : 00331-10000-00001-AA589
WindowsProductName                                      : Windows 10 Pro
WindowsRegisteredOrganization                           :
WindowsRegisteredOwner                                  :
WindowsSystemRoot                                       : C:\Windows
WindowsVersion                                          : 2009
```

bitsofinfo commented 1 year ago

This works fine btw: python -c "import requests; print(requests.get('https://login.microsoftonline.com/').status_code)"

yonzhan commented 1 year ago

route to CXP team

weinong commented 1 year ago

did you take a look at https://github.com/Azure/azure-cli/issues/23282?

levi106 commented 1 year ago

I could reproduce this issue with the following python script in a Windows Server 2022 environment.

```
>>> from urllib.request import urlopen
>>> import socket, ssl
>>> ctx = ssl.create_default_context()
>>> urlopen("https://storage.googleapis.com/kubernetes-release/release/stable.txt", context=ctx)
Traceback (most recent call last):
  File "urllib\request.py", line 1348, in do_open
  File "http\client.py", line 1282, in request
  File "http\client.py", line 1328, in _send_request
  File "http\client.py", line 1277, in endheaders
  File "http\client.py", line 1037, in _send_output
  File "http\client.py", line 975, in send
  File "http\client.py", line 1454, in connect
  File "ssl.py", line 513, in wrap_socket
  File "ssl.py", line 1071, in _create
  File "ssl.py", line 1342, in do_handshake
ssl.SSLCertVerificationError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:997)

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "urllib\request.py", line 216, in urlopen
  File "urllib\request.py", line 519, in open
  File "urllib\request.py", line 536, in _open
  File "urllib\request.py", line 496, in _call_chain
  File "urllib\request.py", line 1391, in https_open
  File "urllib\request.py", line 1351, in do_open
urllib.error.URLError: <urlopen error [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:997)>
>>> len(ctx.get_ca_certs())
13
>>> [print(x['subject'][-1][0]) for x in ctx.get_ca_certs()]
('commonName', 'DST Root CA X3')
('commonName', 'ISRG Root X1')
('commonName', 'Baltimore CyberTrust Root')
('organizationalUnitName', 'Class 3 Public Primary Certification Authority')
('commonName', 'Microsoft Root Certificate Authority')
('commonName', 'DigiCert Global Root CA')
('commonName', 'DigiCert Global Root G2')
('commonName', 'Microsoft Root Certificate Authority 2010')
('commonName', 'Microsoft Root Certificate Authority 2011')
('commonName', 'Microsoft ECC TS Root Certificate Authority 2018')
('commonName', 'Microsoft Time Stamp Root Certificate Authority 2014')
('commonName', 'Microsoft ECC Product Root Certificate Authority 2018')
('organizationalUnitName', 'www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign')
[None, None, None, None, None, None, None, None, None, None, None, None, None]
```

The reason for the exception appears to be the lack of GlobalSign Root CA.

After browsing the above URL with the Edge browser, no exception occurs.

```
>>> ctx = ssl.create_default_context()
>>> len(ctx.get_ca_certs())
15
>>> [print(x['subject'][-1][0]) for x in ctx.get_ca_certs()]
('commonName', 'DST Root CA X3')
('commonName', 'ISRG Root X1')
('commonName', 'GlobalSign Root CA')
('commonName', 'Baltimore CyberTrust Root')
('organizationalUnitName', 'Class 3 Public Primary Certification Authority')
('commonName', 'Microsoft Root Certificate Authority')
('commonName', 'DigiCert Global Root CA')
('commonName', 'DigiCert Global Root G2')
('organizationalUnitName', 'Starfield Class 2 Certification Authority')
('commonName', 'Microsoft Root Certificate Authority 2010')
('commonName', 'Microsoft Root Certificate Authority 2011')
('commonName', 'Microsoft ECC TS Root Certificate Authority 2018')
('commonName', 'Microsoft ECC Product Root Certificate Authority 2018')
('organizationalUnitName', 'www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign')
('commonName', 'Microsoft Time Stamp Root Certificate Authority 2014')
[None, None, None, None, None, None, None, None, None, None, None, None, None, None, None]
>>> urlopen("https://storage.googleapis.com/kubernetes-release/release/stable.txt", context=ctx)
<http.client.HTTPResponse object at 0x011847C0>
```
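
The comparison made by hand in the comment above (13 roots before, 15 after, GlobalSign Root CA among the new ones) can be scripted. This is an added example, not part of the thread or of azure-cli; the helper names and the `BEFORE`/`AFTER` snapshots are constructed for illustration from a few of the names printed above.

```python
import ssl

def display_name(cert):
    """Readable name for one ssl.SSLContext.get_ca_certs() entry.

    'subject' is a tuple of RDNs, each RDN a tuple of (attribute, value)
    pairs. Older roots carry no commonName, so fall back to OU, then O.
    """
    attrs = {k: v for rdn in cert.get("subject", ()) for k, v in rdn}
    for key in ("commonName", "organizationalUnitName", "organizationName"):
        if key in attrs:
            return attrs[key]
    return "<unnamed>"

def root_names(certs):
    return {display_name(c) for c in certs}

def added_roots(before, after):
    """Roots that appear only in the later snapshot of the trust store."""
    return sorted(root_names(after) - root_names(before))

def missing_roots(certs, required):
    """Required root names the snapshot does not contain."""
    return sorted(set(required) - root_names(certs))

def sample_entry(attr, value):
    # Constructed entry: only 'subject' is filled in; real entries also
    # carry issuer, serial number and validity dates.
    return {"subject": ((("countryName", "XX"),), ((attr, value),))}

# Constructed snapshots (hypothetical data, names taken from the listings above)
BEFORE = [sample_entry("commonName", n)
          for n in ("DST Root CA X3", "ISRG Root X1", "DigiCert Global Root G2")]
BEFORE.append(sample_entry("organizationalUnitName",
                           "Class 3 Public Primary Certification Authority"))
AFTER = BEFORE + [
    sample_entry("commonName", "GlobalSign Root CA"),
    sample_entry("organizationalUnitName", "Starfield Class 2 Certification Authority"),
]

if __name__ == "__main__":
    print("added:", added_roots(BEFORE, AFTER))
    # A context only holds the roots loaded when it was created, so build a
    # fresh one for each check, as the second listing above does.
    live = ssl.create_default_context().get_ca_certs()
    print(len(live), "roots loaded; missing:",
          missing_roots(live, ["GlobalSign Root CA"]))
```

Running it before and after the store changes shows which root the failing handshake needed, with certificate verification left enabled throughout.
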
artisticcheese commented 1 year ago

> I could reproduce this issue with the following python script in a Windows Server 2022 environment.
>
> ```
> >>> from urllib.request import urlopen
> >>> import socket, ssl
> >>> ctx = ssl.create_default_context()
> >>> urlopen("https://storage.googleapis.com/kubernetes-release/release/stable.txt", context=ctx)
> Traceback (most recent call last):
>   File "urllib\request.py", line 1348, in do_open
>   File "http\client.py", line 1282, in request
> ```

This worked for me ONLY after I visited https://storage.googleapis.com/kubernetes-release/release/stable.txt in Internet Explorer in Windows 2022. Visiting it in Edge did not do the trick. In fact, the certificate chain looked different when visiting it in Edge vs Internet Explorer.

![image](https://github.com/Azure/azure-cli/assets/13176884/db7aa4a7-dd92-4157-bcd3-c63e41a3bff2)

jtvcodes commented 12 months ago

Also had a similar experience with a VM with Windows 11. Since there is no IE, I followed these instructions

  1. Go to edge://settings/defaultbrowser in Edge
  2. Allow sites to be reloaded in Internet Explorer mode (IE mode) [Allow]
  3. Add https://storage.googleapis.com/kubernetes-release/release/stable.txt.
  4. Navigate to https://storage.googleapis.com/kubernetes-release/release/stable.txt.

@artisticcheese thanks for the tip!

PaoloCastAway commented 7 months ago

I found that there are 2 URLs causing the issue. It suffices to open those 2 URLs in IE on Windows Server for the issue to go away.

  1. https://storage.googleapis.com/kubernetes-release/release/stable.txt (already mentioned)
  2. https://api.github.com/repos/Azure/kubelogin/releases/latest (for downloading kubelogin)

TheOnlyWei commented 2 months ago

I have the same issue. @jiasli Is there an update or can this be routed to the correct team? az login works. Error is caused by this line: https://github.com/Azure/azure-cli/blob/b0f75da4fb753f94edab1eb11fc2d0e9a2c8996b/src/azure-cli/azure/cli/command_modules/acs/custom.py#L1880

If I try PowerShell `Invoke-WebRequest` and `az rest`, it works:

```
Invoke-WebRequest -Uri "https://storage.googleapis.com/kubernetes-release/release/stable.txt"
az rest --method Get --url "https://storage.googleapis.com/kubernetes-release/release/stable.txt"
```

I fixed it by running `Invoke-WebRequest -Uri "<url>"` twice, once for each new URL that `az aks install-cli` tries to call:

```
Invoke-WebRequest -Uri "https://storage.googleapis.com/kubernetes-release/release/stable.txt"
Invoke-WebRequest -Uri "https://api.github.com/repos/Azure/kubelogin/releases/latest"
```

jiamingla commented 1 month ago

Thank you for your help! That works for me.