➜ ~ python
Python 3.10.13 (main, Aug 25 2023, 02:38:26) [Clang 14.0.3 (clang-1403.0.22.14.1)] on darwin
Type "help", "copyright", "credits" or "license" for more information.
>>> import requests
>>> r = requests.get("https://bst-<bastion UUID HERE>.bastion.azure.com")
>>> r.status_code
200
urllib3.connectionpool: Starting new HTTPS connection (1): bst-<UUID HERE>.bastion.azure.com:443
urllib3.connectionpool: https://bst-<UUID HERE>.bastion.azure.com:443 "POST /api/tokens HTTP/1.1" 200 None
Exception in thread Thread-1 (_start_tunnel):
Traceback (most recent call last):
File "/opt/local/Library/Frameworks/Python.framework/Versions/3.10/lib/python3.10/threading.py", line 1016, in _bootstrap_inner
self.run()
File "/opt/local/Library/Frameworks/Python.framework/Versions/3.10/lib/python3.10/threading.py", line 953, in run
self._target(*self._args, **self._kwargs)
File "/Users/mike.odriscoll/.azure/cliextensions/bastion/azext_bastion/custom.py", line 335, in _start_tunnel
tunnel_server.start_server()
File "/Users/mike.odriscoll/.azure/cliextensions/bastion/azext_bastion/tunnel.py", line 194, in start_server
self._listen()
File "/Users/mike.odriscoll/.azure/cliextensions/bastion/azext_bastion/tunnel.py", line 130, in _listen
self.ws = create_connection(host,
File "/Users/mike.odriscoll/Library/Python/3.10/lib/python/site-packages/websocket/_core.py", line 601, in create_connection
websock.connect(url, **options)
File "/Users/mike.odriscoll/Library/Python/3.10/lib/python/site-packages/websocket/_core.py", line 244, in connect
self.sock, addrs = connect(url, self.sock_opt, proxy_info(**options),
File "/Users/mike.odriscoll/Library/Python/3.10/lib/python/site-packages/websocket/_http.py", line 136, in connect
sock = _ssl_socket(sock, options.sslopt, hostname)
File "/Users/mike.odriscoll/Library/Python/3.10/lib/python/site-packages/websocket/_http.py", line 271, in _ssl_socket
sock = _wrap_sni_socket(sock, sslopt, hostname, check_hostname)
File "/Users/mike.odriscoll/Library/Python/3.10/lib/python/site-packages/websocket/_http.py", line 247, in _wrap_sni_socket
return context.wrap_socket(
File "/opt/local/Library/Frameworks/Python.framework/Versions/3.10/lib/python3.10/ssl.py", line 513, in wrap_socket
return self.sslsocket_class._create(
File "/opt/local/Library/Frameworks/Python.framework/Versions/3.10/lib/python3.10/ssl.py", line 1104, in _create
self.do_handshake()
File "/opt/local/Library/Frameworks/Python.framework/Versions/3.10/lib/python3.10/ssl.py", line 1375, in do_handshake
self._sslobj.do_handshake()
ssl.SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:1007)
Issue script & Debug output
az network bastion tunnel --debug --name $bastion_name --resource-group $rg_name --target-resource-id $resource_id --subscription "SUBHERE" --resource-port 22 --port 46810
cli.knack.cli: Command arguments: ['network', 'bastion', 'tunnel', '--debug', '--name', 'bastion-resource-name', '--resource-group', 'resourcegroupname', '--target-resource-id', '/subscriptions/UUIDHERE/resourceGroups/resourcegroupname/providers/Microsoft.Compute/virtualMachines/vmname', '--subscription', 'SubName', '--resource-port', '22', '--port', '46810']
cli.knack.cli: __init__ debug log:
Enable color in terminal.
cli.knack.cli: Event: Cli.PreExecute []
cli.knack.cli: Event: CommandParser.OnGlobalArgumentsCreate [<function CLILogging.on_global_arguments at 0x102eb7010>, <function OutputProducer.on_global_arguments at 0x10300f130>, <function CLIQuery.on_global_arguments at 0x103050700>]
cli.knack.cli: Event: CommandInvoker.OnPreCommandTableCreate []
cli.azure.cli.core: Modules found from index for 'network': ['azure.cli.command_modules.network', 'azure.cli.command_modules.privatedns', 'azext_bastion']
cli.azure.cli.core: Loading command modules:
cli.azure.cli.core: Name Load Time Groups Commands
cli.azure.cli.core: network 0.230 115 353
cli.azure.cli.core: privatedns 0.004 14 63
cli.azure.cli.core: Total (2) 0.234 129 416
cli.azure.cli.core: These extensions are not installed and will be skipped: ['azext_ai_examples', 'azext_next']
cli.azure.cli.core: Loading extensions:
cli.azure.cli.core: Name Load Time Groups Commands Directory
cli.azure.cli.core: bastion 0.003 2 9 /Users/mike.odriscoll/.azure/cliextensions/bastion
cli.azure.cli.core: Total (1) 0.003 2 9
cli.azure.cli.core: Loaded 129 groups, 425 commands.
cli.azure.cli.core: Found a match in the command table.
cli.azure.cli.core: Raw command : network bastion tunnel
cli.azure.cli.core: Command table: network bastion tunnel
cli.knack.cli: Event: CommandInvoker.OnPreCommandTableTruncate [<function AzCliLogging.init_command_file_logging at 0x103e60ca0>]
cli.azure.cli.core.azlogging: metadata file logging enabled - writing logs to '/Users/mike.odriscoll/.azure/commands/2023-08-29.11-35-44.network_bastion_tunnel.15318.log'.
az_command_data_logger: command args: network bastion tunnel --debug --name {} --resource-group {} --target-resource-id {} --subscription {} --resource-port {} --port {}
cli.knack.cli: Event: CommandInvoker.OnPreArgumentLoad [<function register_global_subscription_argument.<locals>.add_subscription_parameter at 0x103e7dab0>]
cli.knack.cli: Event: CommandInvoker.OnPostArgumentLoad []
cli.knack.cli: Event: CommandInvoker.OnPostCommandTableCreate [<function register_ids_argument.<locals>.add_ids_arguments at 0x103eb79a0>, <function register_cache_arguments.<locals>.add_cache_arguments at 0x103eb7ac0>]
cli.knack.cli: Event: CommandInvoker.OnCommandTableLoaded []
cli.knack.cli: Event: CommandInvoker.OnPreParseArgs []
cli.knack.cli: Event: CommandInvoker.OnPostParseArgs [<function OutputProducer.handle_output_argument at 0x10300f1c0>, <function CLIQuery.handle_query_parameter at 0x103050790>, <function register_ids_argument.<locals>.parse_ids_arguments at 0x103eb7a30>]
az_command_data_logger: extension name: bastion
az_command_data_logger: extension version: 0.2.5
Command group 'az network' is in preview and under development. Reference and support levels: https://aka.ms/CLI_refstatus
cli.azure.cli.core.auth.persistence: build_persistence: location='/Users/mike.odriscoll/.azure/msal_token_cache.json', encrypt=False
cli.azure.cli.core.auth.binary_cache: load: /Users/mike.odriscoll/.azure/msal_http_cache.bin
urllib3.util.retry: Converted retries value: 1 -> Retry(total=1, connect=None, read=None, redirect=None, status=None)
msal.authority: openid_config = {'token_endpoint': 'https://login.microsoftonline.com/UUIDHERE/oauth2/v2.0/token', 'token_endpoint_auth_methods_supported': ['client_secret_post', 'private_key_jwt', 'client_secret_basic'], 'jwks_uri': 'https://login.microsoftonline.com/UUIDHERE/discovery/v2.0/keys', 'response_modes_supported': ['query', 'fragment', 'form_post'], 'subject_types_supported': ['pairwise'], 'id_token_signing_alg_values_supported': ['RS256'], 'response_types_supported': ['code', 'id_token', 'code id_token', 'id_token token'], 'scopes_supported': ['openid', 'profile', 'email', 'offline_access'], 'issuer': 'https://login.microsoftonline.com/UUIDHERE/v2.0', 'request_uri_parameter_supported': False, 'userinfo_endpoint': 'https://graph.microsoft.com/oidc/userinfo', 'authorization_endpoint': 'https://login.microsoftonline.com/UUIDHERE/oauth2/v2.0/authorize', 'device_authorization_endpoint': 'https://login.microsoftonline.com/UUIDHERE/oauth2/v2.0/devicecode', 'http_logout_supported': True, 'frontchannel_logout_supported': True, 'end_session_endpoint': 'https://login.microsoftonline.com/UUIDHERE/oauth2/v2.0/logout', 'claims_supported': ['sub', 'iss', 'cloud_instance_name', 'cloud_instance_host_name', 'cloud_graph_host_name', 'msgraph_host', 'aud', 'exp', 'iat', 'auth_time', 'acr', 'nonce', 'preferred_username', 'name', 'tid', 'ver', 'at_hash', 'c_hash', 'email'], 'kerberos_endpoint': 'https://login.microsoftonline.com/UUIDHERE/kerberos', 'tenant_region_scope': 'NA', 'cloud_instance_name': 'microsoftonline.com', 'cloud_graph_host_name': 'graph.windows.net', 'msgraph_host': 'graph.microsoft.com', 'rbac_url': 'https://pas.windows.net'}
msal.application: Broker enabled? False
cli.azure.cli.core.auth.credential_adaptor: CredentialAdaptor.get_token: scopes=('https://management.core.windows.net//.default',), kwargs={}
cli.azure.cli.core.auth.msal_authentication: UserCredential.get_token: scopes=('https://management.core.windows.net//.default',), claims=None, kwargs={}
msal.application: Cache hit an AT
msal.telemetry: Generate or reuse correlation_id: <correlationID>
cli.azure.cli.core.sdk.policies: Request URL: 'https://management.azure.com/subscriptions/subUUID/resourceGroups/resourcegroupname/providers/Microsoft.Network/bastionHosts/bastion-resource-name?api-version=2022-01-01'
cli.azure.cli.core.sdk.policies: Request method: 'GET'
cli.azure.cli.core.sdk.policies: Request headers:
cli.azure.cli.core.sdk.policies: 'Accept': 'application/json'
cli.azure.cli.core.sdk.policies: 'x-ms-client-request-id': '<stripped>'
cli.azure.cli.core.sdk.policies: 'CommandName': 'network bastion tunnel'
cli.azure.cli.core.sdk.policies: 'ParameterSetName': '--debug --name --resource-group --target-resource-id --subscription --resource-port --port'
cli.azure.cli.core.sdk.policies: 'User-Agent': 'AZURECLI/2.51.0 (PIP) (AAZ) azsdk-python-core/1.29.3 Python/3.10.13 (macOS-13.5.1-arm64-arm-64bit)'
cli.azure.cli.core.sdk.policies: 'Authorization': '*****'
cli.azure.cli.core.sdk.policies: Request body:
cli.azure.cli.core.sdk.policies: This request has no body
urllib3.connectionpool: Starting new HTTPS connection (1): management.azure.com:443
urllib3.connectionpool: https://management.azure.com:443 "GET /subscriptions/subUUID/resourceGroups/resourcegroupname/providers/Microsoft.Network/bastionHosts/bastion-resource-name?api-version=2022-01-01 HTTP/1.1" 200 2029
cli.azure.cli.core.sdk.policies: Response status: 200
cli.azure.cli.core.sdk.policies: Response headers:
cli.azure.cli.core.sdk.policies: 'Cache-Control': 'no-cache'
cli.azure.cli.core.sdk.policies: 'Pragma': 'no-cache'
cli.azure.cli.core.sdk.policies: 'Content-Length': '2029'
cli.azure.cli.core.sdk.policies: 'Content-Type': 'application/json; charset=utf-8'
cli.azure.cli.core.sdk.policies: 'Expires': '-1'
cli.azure.cli.core.sdk.policies: 'Date': 'Tue, 29 Aug 2023 15:35:44 GMT'
cli.azure.cli.core.sdk.policies: Response content:
cli.azure.cli.core.sdk.policies: {
"name": "bastion-resource-name",
"id": "/subscriptions/subUUID/resourceGroups/resourcegroupname/providers/Microsoft.Network/bastionHosts/bastion-resource-name",
"etag": "W/\"<etag-replaced>\"",
"type": "Microsoft.Network/bastionHosts",
"location": "eastus",
"tags": {
"x-aw-component": "Bastion",
"x-aw-cost-centre": "it",
"x-aw-deployment-tool": "Manual",
"x-aw-owner": "owneremail@email.com",
"x-aw-product": "COMPANY NAME",
"x-az-environment": "Infra",
"x-az-provisioning-identity": "<ProvisioningIdentity>"
},
"properties": {
"provisioningState": "Succeeded",
"dnsName": "bst-<bastion-UUID>.bastion.azure.com",
"scaleUnits": 2,
"enableTunneling": true,
"enableIpConnect": false,
"enableFileCopy": false,
"disableCopyPaste": false,
"enableShareableLink": false,
"ipConfigurations": [
{
"name": "bastion-resource-name-ip",
"id": "/subscriptions/subUUID/resourceGroups/resourcegroupname/providers/Microsoft.Network/bastionHosts/bastion-resource-name/bastionHostIpConfigurations/bastion-resource-name-ip",
"etag": "W/\"<etag-replaced>\"",
"type": "Microsoft.Network/bastionHosts/bastionHostIpConfigurations",
"properties": {
"provisioningState": "Succeeded",
"privateIPAllocationMethod": "Dynamic",
"publicIPAddress": {
"id": "/subscriptions/subUUID/resourceGroups/resourcegroupname/providers/Microsoft.Network/publicIPAddresses/bastion-resource-name-pip"
},
"subnet": {
"id": "/subscriptions/subUUID/resourceGroups/resourcegroupname/providers/Microsoft.Network/virtualNetworks/bastion-vnet-name/subnets/AzureBastionSubnet"
}
}
}
]
},
"sku": {
"name": "Standard"
}
}
cli.azext_bastion.tunnel: Port 46810 is open
cli.azext_bastion.tunnel: Creating a socket on port: 46810
cli.azext_bastion.tunnel: Setting socket options
cli.azext_bastion.tunnel: Binding to socket on local address and port
cli.azext_bastion.tunnel: Finished initialization
cli.azext_bastion.custom: Opening tunnel on port: 46810
cli.azext_bastion.custom: Tunnel is ready, connect on port 46810
cli.azext_bastion.custom: Ctrl + C to close
urllib3.util.retry: Converted retries value: 1 -> Retry(total=1, connect=None, read=None, redirect=None, status=None)
msal.authority: openid_config = {'token_endpoint': 'https://login.microsoftonline.com/UUIDHERE/oauth2/v2.0/token', 'token_endpoint_auth_methods_supported': ['client_secret_post', 'private_key_jwt', 'client_secret_basic'], 'jwks_uri': 'https://login.microsoftonline.com/UUIDHERE/discovery/v2.0/keys', 'response_modes_supported': ['query', 'fragment', 'form_post'], 'subject_types_supported': ['pairwise'], 'id_token_signing_alg_values_supported': ['RS256'], 'response_types_supported': ['code', 'id_token', 'code id_token', 'id_token token'], 'scopes_supported': ['openid', 'profile', 'email', 'offline_access'], 'issuer': 'https://login.microsoftonline.com/UUIDHERE/v2.0', 'request_uri_parameter_supported': False, 'userinfo_endpoint': 'https://graph.microsoft.com/oidc/userinfo', 'authorization_endpoint': 'https://login.microsoftonline.com/UUIDHERE/oauth2/v2.0/authorize', 'device_authorization_endpoint': 'https://login.microsoftonline.com/UUIDHERE/oauth2/v2.0/devicecode', 'http_logout_supported': True, 'frontchannel_logout_supported': True, 'end_session_endpoint': 'https://login.microsoftonline.com/UUIDHERE/oauth2/v2.0/logout', 'claims_supported': ['sub', 'iss', 'cloud_instance_name', 'cloud_instance_host_name', 'cloud_graph_host_name', 'msgraph_host', 'aud', 'exp', 'iat', 'auth_time', 'acr', 'nonce', 'preferred_username', 'name', 'tid', 'ver', 'at_hash', 'c_hash', 'email'], 'kerberos_endpoint': 'https://login.microsoftonline.com/UUIDHERE/kerberos', 'tenant_region_scope': 'NA', 'cloud_instance_name': 'microsoftonline.com', 'cloud_graph_host_name': 'graph.windows.net', 'msgraph_host': 'graph.microsoft.com', 'rbac_url': 'https://pas.windows.net'}
msal.application: Broker enabled? False
cli.azure.cli.core.auth.msal_authentication: UserCredential.get_token: scopes=('https://management.core.windows.net//.default',), claims=None, kwargs={}
msal.application: Cache hit an AT
msal.telemetry: Generate or reuse correlation_id: <correlationID>
cli.azext_bastion.tunnel: Content: {'resourceId': '/subscriptions/subUUID/resourceGroups/resourcegroupname/providers/Microsoft.Compute/virtualMachines/vmname', 'protocol': 'tcptunnel', 'workloadHostPort': '22', 'aztoken': '<TOKEN-REMOVED>', 'token': None}
urllib3.connectionpool: Starting new HTTPS connection (1): bst-<bastion-UUID>.bastion.azure.com:443
urllib3.connectionpool: https://bst-<bastion-UUID>.bastion.azure.com:443 "POST /api/tokens HTTP/1.1" 200 None
Exception in thread Thread-1 (_start_tunnel):
Traceback (most recent call last):
File "/opt/local/Library/Frameworks/Python.framework/Versions/3.10/lib/python3.10/threading.py", line 1016, in _bootstrap_inner
self.run()
File "/opt/local/Library/Frameworks/Python.framework/Versions/3.10/lib/python3.10/threading.py", line 953, in run
self._target(*self._args, **self._kwargs)
File "/Users/mike.odriscoll/.azure/cliextensions/bastion/azext_bastion/custom.py", line 335, in _start_tunnel
tunnel_server.start_server()
File "/Users/mike.odriscoll/.azure/cliextensions/bastion/azext_bastion/tunnel.py", line 194, in start_server
self._listen()
File "/Users/mike.odriscoll/.azure/cliextensions/bastion/azext_bastion/tunnel.py", line 130, in _listen
self.ws = create_connection(host,
File "/Users/mike.odriscoll/Library/Python/3.10/lib/python/site-packages/websocket/_core.py", line 601, in create_connection
websock.connect(url, **options)
File "/Users/mike.odriscoll/Library/Python/3.10/lib/python/site-packages/websocket/_core.py", line 244, in connect
self.sock, addrs = connect(url, self.sock_opt, proxy_info(**options),
File "/Users/mike.odriscoll/Library/Python/3.10/lib/python/site-packages/websocket/_http.py", line 136, in connect
sock = _ssl_socket(sock, options.sslopt, hostname)
File "/Users/mike.odriscoll/Library/Python/3.10/lib/python/site-packages/websocket/_http.py", line 271, in _ssl_socket
sock = _wrap_sni_socket(sock, sslopt, hostname, check_hostname)
File "/Users/mike.odriscoll/Library/Python/3.10/lib/python/site-packages/websocket/_http.py", line 247, in _wrap_sni_socket
return context.wrap_socket(
File "/opt/local/Library/Frameworks/Python.framework/Versions/3.10/lib/python3.10/ssl.py", line 513, in wrap_socket
return self.sslsocket_class._create(
File "/opt/local/Library/Frameworks/Python.framework/Versions/3.10/lib/python3.10/ssl.py", line 1104, in _create
self.do_handshake()
File "/opt/local/Library/Frameworks/Python.framework/Versions/3.10/lib/python3.10/ssl.py", line 1375, in do_handshake
self._sslobj.do_handshake()
ssl.SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:1007)
cli.knack.cli: Event: CommandInvoker.OnTransformResult [<function _resource_group_transform at 0x103eb4ee0>, <function _x509_from_base64_to_hex_transform at 0x103eb4f70>]
cli.knack.cli: Event: CommandInvoker.OnFilterResult []
cli.knack.cli: Event: Cli.SuccessfulExecute []
cli.knack.cli: Event: Cli.PostExecute [<function AzCliLogging.deinit_cmd_metadata_logging at 0x103e60ee0>]
az_command_data_logger: exit code: 0
cli.__main__: Command ran in 6.641 seconds (init: 0.093, invoke: 6.548)
telemetry.main: Begin splitting cli events and extra events, total events: 1
telemetry.client: Accumulated 0 events. Flush the clients.
telemetry.main: Finish splitting cli events and extra events, cli events: 1
telemetry.save: Save telemetry record of length 3565 in cache
telemetry.main: Begin creating telemetry upload process.
telemetry.process: Creating upload process: "/opt/local/Library/Frameworks/Python.framework/Versions/3.10/bin/python3.10 /Users/mike.odriscoll/Library/Python/3.10/lib/python/site-packages/azure/cli/telemetry/__init__.py /Users/mike.odriscoll/.azure"
telemetry.process: Return from creating process
telemetry.main: Finish creating telemetry upload process.
Expected behavior
Tunnel connects and allows vscode or ssh to create a connection to the bastion host.
No SSL certificate error occurs.
Describe the bug
az network bastion tunnel fails to verify the certificate after ssh or vscode attempts to use the tunnel to connect to the local port on the host system. az login works successfully and without issue.
Related command
az network bastion tunnel --debug --name $bastion_name --resource-group $rg_name --target-resource-id $resource_id --subscription "SubHere" --resource-port 22 --port 46810
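The two observations in this report point at the trust store rather than at the bastion's certificate: requests.get() against the same bst-<UUID>.bastion.azure.com host returns 200, while the websocket handshake started from azext_bastion/tunnel.py ends in CERTIFICATE_VERIFY_FAILED inside Python's own ssl module. requests ships its own CA bundle via certifi; websocket-client builds an SSLContext from the interpreter's default verify paths unless it is handed a bundle. Whether that is the cause on this MacPorts Python is an assumption, not something the report confirms, so the script below (added here as a diagnostic, not code from the issue or from the Azure CLI) prints where this interpreter looks for CA certificates and probes a host with both stores using a context that always verifies chain and hostname. The WEBSOCKET_CLIENT_CA_BUNDLE and REQUESTS_CA_BUNDLE variables it reports are the ones the two libraries honour; confirm the exact variable name against the installed websocket/_http.py before relying on it.

```python
"""Diagnose a TLS client that fails verification while another one succeeds.

Added diagnostic for this issue; not part of the Azure CLI or the bastion
extension. Assumption being tested: requests verified the bastion host with
certifi's bundle, websocket-client tried the interpreter's default store.
"""
import json
import os
import socket
import ssl
import sys
from typing import Optional

PROBE_TIMEOUT_S = 5.0


def trust_store_report() -> dict:
    """Report the CA locations this interpreter and its libraries would use.

    ssl.get_default_verify_paths() is what SSLContext.load_default_certs()
    consults. A MacPorts or pyenv build can point at a file that does not
    exist, in which case the default context trusts no CA at all.
    """
    paths = ssl.get_default_verify_paths()
    try:
        import certifi  # dependency of requests; websocket-client does not require it
        certifi_bundle: Optional[str] = certifi.where()
    except ImportError:
        certifi_bundle = None
    default_ctx = ssl.create_default_context()
    return {
        "openssl_cafile": paths.openssl_cafile,
        "openssl_cafile_exists": paths.cafile is not None,
        "openssl_capath": paths.openssl_capath,
        "openssl_capath_exists": paths.capath is not None,
        "default_context_ca_count": len(default_ctx.get_ca_certs()),
        "certifi_bundle": certifi_bundle,
        "SSL_CERT_FILE": os.environ.get("SSL_CERT_FILE"),
        "REQUESTS_CA_BUNDLE": os.environ.get("REQUESTS_CA_BUNDLE"),
        "WEBSOCKET_CLIENT_CA_BUNDLE": os.environ.get("WEBSOCKET_CLIENT_CA_BUNDLE"),
    }


def build_verifying_context(ca_bundle: Optional[str] = None) -> ssl.SSLContext:
    """A client context that verifies the chain and the hostname.

    Pointing at an explicit bundle is the safe fix. Passing cert_reqs=CERT_NONE
    to the websocket would let anyone on the path impersonate the bastion and
    take over the tunnel session authorised by the token from /api/tokens.
    """
    ctx = ssl.create_default_context(cafile=ca_bundle)  # None -> default store
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def context_is_verifying(ctx: ssl.SSLContext) -> bool:
    """True when the context would reject an untrusted or mis-named certificate."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and ctx.check_hostname


def probe(host: str, port: int, ctx: ssl.SSLContext) -> str:
    """Classify one TLS handshake: ok, verify-failed, tls-error or tcp-error."""
    try:
        with socket.create_connection((host, port), timeout=PROBE_TIMEOUT_S) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                tls.do_handshake()
                return "ok"
    except ssl.SSLCertVerificationError:
        return "verify-failed"  # the error class behind CERTIFICATE_VERIFY_FAILED
    except ssl.SSLError:
        return "tls-error"
    except OSError:  # DNS failure, refused, timeout, or sockets disallowed
        return "tcp-error"


def compare(host: str, port: int = 443) -> dict:
    """Probe with the default store and, when certifi is installed, with certifi."""
    results = {"system_default": probe(host, port, build_verifying_context())}
    bundle = trust_store_report()["certifi_bundle"]
    if bundle:
        results["certifi"] = probe(host, port, build_verifying_context(bundle))
    return results


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: python diagnose_tls.py bst-<bastion UUID>.bastion.azure.com")
    print(json.dumps(trust_store_report(), indent=2))
    print(json.dumps(compare(sys.argv[1]), indent=2))
```

If system_default reports verify-failed while certifi reports ok, the interpreter's default store is the problem; point the websocket at a bundle that contains the public CA chain (an explicit bundle path, or fixing openssl_cafile so it exists) rather than turning verification off.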
Environment Summary
azure-cli 2.51.0
core 2.51.0
telemetry 1.1.0
Extensions: bastion 0.2.5
Dependencies: msal 1.24.0b1, azure-mgmt-resource 23.1.0b2
Python location '/opt/local/Library/Frameworks/Python.framework/Versions/3.10/bin/python3.10'
Extensions directory '/Users/mike.odriscoll/.azure/cliextensions'
Python (Darwin) 3.10.13 (main, Aug 25 2023, 02:38:26) [Clang 14.0.3 (clang-1403.0.22.14.1)]
Legal docs and information: aka.ms/AzureCliLegal
Your CLI is up-to-date.
Additional context
No response