search

Azure / azure-cli

Azure Command-Line Interface
MIT License
4.04k stars 3.01k forks source link

Error when executing az aks install-cli on an out-of-the-box Windows Server 2022 VM in Azure #27863

Open evmimagina opened 1 year ago

evmimagina commented 1 year ago

Describe the bug

When trying to install kubectl and kubelogin using the "az aks install-cli" command, I get an error.

Brand-new VM server installed using the following specs:

  vm_os_publisher = "MicrosoftWindowsServer"
  vm_os_offer = "WindowsServer"
  vm_os_sku = "2022-datacenter-azure-edition-hotpatch"
  vm_size = "Standard_B2s"

The install of "az cli" is done using an unattended manner with the following command:

powershell -c "$ProgressPreference = 'SilentlyContinue'; Invoke-WebRequest -Uri https://aka.ms/installazurecliwindows -OutFile .\AzureCLI.msi; Start-Process msiexec.exe -Wait -ArgumentList '/I AzureCLI.msi /quiet'; Remove-Item .\AzureCLI.msi"

I can do "az login" and "az aks get-credentials" without problems.

Related command

az aks install-cli

Errors

The command failed with an unexpected error. Here is the traceback: <urlopen error [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1006)> Traceback (most recent call last): File "urllib\request.py", line 1348, in do_open File "http\client.py", line 1286, in request File "http\client.py", line 1332, in _send_request File "http\client.py", line 1281, in endheaders File "http\client.py", line 1041, in _send_output File "http\client.py", line 979, in send File "http\client.py", line 1458, in connect File "ssl.py", line 517, in wrap_socket File "ssl.py", line 1108, in _create File "ssl.py", line 1379, in do_handshake ssl.SSLCertVerificationError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1006)

During handling of the above exception, another exception occurred:

Traceback (most recent call last): File "D:\a_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\knack/cli.py", line 233, in invoke File "D:\a_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/commands/init.py", line 663, in execute File "D:\a_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/commands/init.py", line 726, in _run_jobs_serially File "D:\a_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/commands/init.py", line 697, in _run_job File "D:\a_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/commands/init.py", line 333, in call File "D:\a_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/commands/command_operation.py", line 121, in handler File "D:\a_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/command_modules/acs/custom.py", line 1596, in k8s_install_cli File "D:\a_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/command_modules/acs/custom.py", line 1740, in k8s_install_kubectl File "urllib\request.py", line 216, in urlopen File "urllib\request.py", line 519, in open File "urllib\request.py", line 536, in _open File "urllib\request.py", line 496, in _call_chain File "urllib\request.py", line 1391, in https_open File "urllib\request.py", line 1351, in do_open urllib.error.URLError: <urlopen error [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1006)> To check existing issues, please visit: https://github.com/Azure/azure-cli/issues

Issue script & Debug output

cli.knack.cli: Command arguments: ['aks', 'install-cli', '--debug'] cli.knack.cli: init debug log: Enable color in terminal. Enable VT mode. cli.knack.cli: Event: Cli.PreExecute [] cli.knack.cli: Event: CommandParser.OnGlobalArgumentsCreate [<function CLILogging.on_global_arguments at 0x0176E7A8>, <function OutputProducer.on_global_arguments at 0x01A97898>, <function CLIQuery.on_global_arguments at 0x01AB9668>] cli.knack.cli: Event: CommandInvoker.OnPreCommandTableCreate [] cli.azure.cli.core: Modules found from index for 'aks': ['azure.cli.command_modules.acs'] cli.azure.cli.core: Loading command modules: cli.azure.cli.core: Name Load Time Groups Commands cli.azure.cli.core: acs 0.120 7 54 cli.azure.cli.core: Total (1) 0.120 7 54 cli.azure.cli.core: Loaded 7 groups, 54 commands. cli.azure.cli.core: Found a match in the command table. cli.azure.cli.core: Raw command : aks install-cli cli.azure.cli.core: Command table: aks install-cli cli.knack.cli: Event: CommandInvoker.OnPreCommandTableTruncate [<function AzCliLogging.init_command_file_logging at 0x03B7BA78>] cli.azure.cli.core.azlogging: metadata file logging enabled - writing logs to 'C:\Users\localadmin.azure\commands\2023-11-16.18-00-46.aks_install-cli.6236.log'. az_command_data_logger: command args: aks install-cli --debug cli.knack.cli: Event: CommandInvoker.OnPreArgumentLoad [<function register_global_subscription_argument..add_subscription_parameter at 0x03B8A6B8>] cli.knack.cli: Event: CommandInvoker.OnPostArgumentLoad [] cli.knack.cli: Event: CommandInvoker.OnPostCommandTableCreate [<function register_ids_argument..add_ids_arguments at 0x03BA5B68>, <function register_cache_arguments..add_cache_arguments at 0x03BB4DE8>] cli.knack.cli: Event: CommandInvoker.OnCommandTableLoaded [] cli.knack.cli: Event: CommandInvoker.OnPreParseArgs [] cli.knack.cli: Event: CommandInvoker.OnPostParseArgs [<function OutputProducer.handle_output_argument at 0x01A978E8>, <function CLIQuery.handle_query_parameter at 0x01AB96B8>, <function register_ids_argument..parse_ids_arguments at 0x03BB4D98>] cli.azure.cli.command_modules.acs.custom: The detected architecture of current device is "amd64", and the binary for "amd64" will be downloaded. If the detection is wrong, please download and install the binary corresponding to the appropriate architecture. cli.azure.cli.command_modules.acs.custom: No version specified, will get the latest version of kubectl from "https://storage.googleapis.com/kubernetes-release/release/stable.txt" cli.azure.cli.core.azclierror: Traceback (most recent call last): File "urllib\request.py", line 1348, in do_open File "http\client.py", line 1286, in request File "http\client.py", line 1332, in _send_request File "http\client.py", line 1281, in endheaders File "http\client.py", line 1041, in _send_output File "http\client.py", line 979, in send File "http\client.py", line 1458, in connect File "ssl.py", line 517, in wrap_socket File "ssl.py", line 1108, in _create File "ssl.py", line 1379, in do_handshake ssl.SSLCertVerificationError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1006)

During handling of the above exception, another exception occurred:

Traceback (most recent call last): File "D:\a_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\knack/cli.py", line 233, in invoke File "D:\a_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/commands/init.py", line 663, in execute File "D:\a_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/commands/init.py", line 726, in _run_jobs_serially File "D:\a_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/commands/init.py", line 697, in _run_job File "D:\a_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/commands/init.py", line 333, in call File "D:\a_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/commands/command_operation.py", line 121, in handler File "D:\a_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/command_modules/acs/custom.py", line 1596, in k8s_install_cli File "D:\a_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/command_modules/acs/custom.py", line 1740, in k8s_install_kubectl File "urllib\request.py", line 216, in urlopen File "urllib\request.py", line 519, in open File "urllib\request.py", line 536, in _open File "urllib\request.py", line 496, in _call_chain File "urllib\request.py", line 1391, in https_open File "urllib\request.py", line 1351, in do_open urllib.error.URLError: <urlopen error [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1006)>

cli.azure.cli.core.azclierror: The command failed with an unexpected error. Here is the traceback: az_command_data_logger: The command failed with an unexpected error. Here is the traceback: cli.azure.cli.core.azclierror: <urlopen error [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1006)> Traceback (most recent call last): File "urllib\request.py", line 1348, in do_open File "http\client.py", line 1286, in request File "http\client.py", line 1332, in _send_request File "http\client.py", line 1281, in endheaders File "http\client.py", line 1041, in _send_output File "http\client.py", line 979, in send File "http\client.py", line 1458, in connect File "ssl.py", line 517, in wrap_socket File "ssl.py", line 1108, in _create File "ssl.py", line 1379, in do_handshake ssl.SSLCertVerificationError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1006)

During handling of the above exception, another exception occurred:

Traceback (most recent call last): File "D:\a_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\knack/cli.py", line 233, in invoke File "D:\a_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/commands/init.py", line 663, in execute File "D:\a_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/commands/init.py", line 726, in _run_jobs_serially File "D:\a_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/commands/init.py", line 697, in _run_job File "D:\a_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/commands/init.py", line 333, in call File "D:\a_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/commands/command_operation.py", line 121, in handler File "D:\a_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/command_modules/acs/custom.py", line 1596, in k8s_install_cli File "D:\a_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/command_modules/acs/custom.py", line 1740, in k8s_install_kubectl File "urllib\request.py", line 216, in urlopen File "urllib\request.py", line 519, in open File "urllib\request.py", line 536, in _open File "urllib\request.py", line 496, in _call_chain File "urllib\request.py", line 1391, in https_open File "urllib\request.py", line 1351, in do_open urllib.error.URLError: <urlopen error [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1006)> az_command_data_logger: <urlopen error [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1006)> Traceback (most recent call last): File "urllib\request.py", line 1348, in do_open File "http\client.py", line 1286, in request File "http\client.py", line 1332, in _send_request File "http\client.py", line 1281, in endheaders File "http\client.py", line 1041, in _send_output File "http\client.py", line 979, in send File "http\client.py", line 1458, in connect File "ssl.py", line 517, in wrap_socket File "ssl.py", line 1108, in _create File "ssl.py", line 1379, in do_handshake ssl.SSLCertVerificationError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1006)

During handling of the above exception, another exception occurred:

Traceback (most recent call last): File "D:\a_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\knack/cli.py", line 233, in invoke File "D:\a_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/commands/init.py", line 663, in execute File "D:\a_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/commands/init.py", line 726, in _run_jobs_serially File "D:\a_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/commands/init.py", line 697, in _run_job File "D:\a_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/commands/init.py", line 333, in call File "D:\a_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/commands/command_operation.py", line 121, in handler File "D:\a_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/command_modules/acs/custom.py", line 1596, in k8s_install_cli File "D:\a_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/command_modules/acs/custom.py", line 1740, in k8s_install_kubectl File "urllib\request.py", line 216, in urlopen File "urllib\request.py", line 519, in open File "urllib\request.py", line 536, in _open File "urllib\request.py", line 496, in _call_chain File "urllib\request.py", line 1391, in https_open File "urllib\request.py", line 1351, in do_open urllib.error.URLError: <urlopen error [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1006)> To check existing issues, please visit: https://github.com/Azure/azure-cli/issues cli.knack.cli: Event: Cli.PostExecute [<function AzCliLogging.deinit_cmd_metadata_logging at 0x03B7BBB8>] az_command_data_logger: exit code: 1 cli.main: Command ran in 1.469 seconds (init: 0.634, invoke: 0.835) telemetry.main: Begin splitting cli events and extra events, total events: 1 telemetry.client: Accumulated 0 events. Flush the clients. telemetry.main: Finish splitting cli events and extra events, cli events: 1 telemetry.save: Save telemetry record of length 7055 in cache telemetry.main: Begin creating telemetry upload process. telemetry.process: Creating upload process: "C:\Program Files (x86)\Microsoft SDKs\Azure\CLI2\python.exe C:\Program Files (x86)\Microsoft SDKs\Azure\CLI2\Lib\site-packages\azure\cli\telemetry__init__.pyc C:\Users\localadmin.azure" telemetry.process: Return from creating process telemetry.main: Finish creating telemetry upload process.

Expected behavior

Install kubernetes CLI without any problems and without any workarounds??

Environment Summary

azure-cli 2.54.0

core 2.54.0 telemetry 1.1.0

Dependencies: msal 1.24.0b2 azure-mgmt-resource 23.1.0b2

Python location 'C:\Program Files (x86)\Microsoft SDKs\Azure\CLI2\python.exe' Extensions directory 'C:\Users\localadmin.azure\cliextensions'

Python (Windows) 3.11.5 (tags/v3.11.5:cce6ba9, Aug 24 2023, 14:21:31) [MSC v.1936 32 bit (Intel)]

Legal docs and information: aka.ms/AzureCliLegal

Your CLI is up-to-date.

Additional context

In my opinion this is a bug but... could it be related to the server base image I'm using? I hope you can help me to fix this.

Many thanks,

azure-client-tools-bot-prd[bot] commented 1 year ago
Hi @evmimagina Find similar issue https://github.com/Azure/azure-cli/issues/11555.
Issue title AKS cli install - SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:841)
Create time 2019-12-11
Comment number 4

Possible solution: I suggest you to upgrade your Azure CLI tool and retry the command. If the issue still persists, you can try to add the following environment variable to your system:

export SSL_CERT_FILE=/etc/ssl/certs/ca-certificates.crt

This should point to the location of the ca-certificates.crt file on your system. If you are using a Windows system, you can try setting the environment variable using the following command:

set SSL_CERT_FILE=C:\path\to\ca-certificates.crt

After setting the environment variable, retry the command and see if the issue is resolved.

Please confirm if this resolves your issue.

yonzhan commented 1 year ago

Thank you for opening this issue, we will look into it.

microsoft-github-policy-service[bot] commented 1 year ago

Thanks for the feedback! We are routing this to the appropriate team for follow-up. cc @dyu1208, @FumingZhang, @andyliuliming.

evmimagina commented 1 year ago

Hi @yonzhan , thank you for your response, regarding the automated response, the suggested steps doesn't make too much sense to me...

Could you provide what is the supposed path for the "C:\path\to\ca-certificates.crt" ? I don't know what certificate is expecting and where to find it.

On the other hand, this would be a workaround, in my humble opinion, those steps should work out-of-the-box...

Many thanks and best regards,

evmimagina commented 1 year ago

Hi @yonzhan,

FYI, The problem gets solved once downloaded and installed the following certificates on the Local Machine Store -> Trusted Publishers:

https://secure.globalsign.net/cacert/Root-R1.crt https://secure.globalsign.net/cacert/Root-R3.crt

It seems a problem related to the azure cli installation latest package? That is the solving work-around, would be great if this can be fixed on future Azure CLI install package.

Let me know your thoughts please.

Best regards,

Enache-Razvan commented 10 months ago

For the issue I also got PS C:\Users\Adm_razvan> az aks install-cli The detected architecture of current device is "amd64", and the binary for "amd64" will be downloaded. If the detectiton is wrong, please download and install the binary corresponding to the appropriate architecture. No version specified, will get the latest version of kubectl from "https://storage.googleapis.com/kubernetes-release/release/stable.txt"

In my case have an Azure Stack HCI 23H3 I ran from powershell : Invoke-WebRequest -Uri https://storage.googleapis.com/kubernetes-release/release/stable.txt -UseBasicParsing

And this has solved my issue with getting the required certificate and allowed me to install the aks cli.

Hope it helps